NTFS Owner Rights for Logging

I recently stumbled across the NTFS OWNER RIGHTS security principal (well-known SID S-1-3-4). It is an obscure principal that restricts the rights the owner of a file or folder has. Normally the owner of an object is implicitly granted READ_CONTROL and WRITE_DAC regardless of what the DACL says, so an owner can always re-ACL their own files; when an ACE for OWNER RIGHTS is present, the owner gets exactly the rights in that ACE instead. This comes in handy when hardening endpoints in corporate environments. Frequently we encounter software that has to run in the context of a user, but we do not want that user to tamper with the logs the software generates. So how do we prevent that?

One method is to use the OWNER RIGHTS principal to stop the user from modifying, renaming or deleting files in the log folder. Using administrative privileges, we first disable inheritance on the log folder, removing the inherited entries rather than converting them to explicit ones. Then we remove any remaining CREATOR OWNER and user entries from the folder. Finally we add an OWNER RIGHTS entry to the folder with the following permissions.

(Screenshot: the Advanced Security Settings dialog for the logs folder, showing the OWNER RIGHTS entry with Read & execute and Create files / write data, applied to this folder, subfolders and files. This corresponds to the (OI)(CI)(RX,WD) entry in the icacls output below.)

If performed correctly, running icacls on the folder gives the output below. We can then copy files into the folder. A copied file is created fresh in the destination, so it inherits the folder's DACL and the copying user becomes its owner, which means the OWNER RIGHTS entry now governs what that user can do: the files cannot be renamed or deleted, and because the entry does not include WRITE_DAC (Change permissions), which an owner would otherwise hold implicitly, the owner cannot grant themselves further permissions either. Two caveats. First, WD is write data, so the owner can still open a file with FILE_WRITE_DATA and overwrite or truncate its contents; the protection is against renaming, deleting and re-ACLing, not against in-place edits. Second, the OWNER RIGHTS entry applies only to whoever owns the object, so the account the software runs under must own the log folder to be able to create log files in it at all (in the walk-through below it must, or the copy would have been denied). If you are following along, take note that I copied the files. Moving the files will give a different result, because a file retains its original security descriptor, permissions and owner included, when it is moved to a destination on the same NTFS volume.

C:\ProgramData\LoggerSoftware\logs>icacls C:\programdata\LoggerSoftware\logs
C:\programdata\LoggerSoftware\logs OWNER RIGHTS:(OI)(CI)(RX,WD)
                                   NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                   BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\ProgramData\LoggerSoftware\logs>copy C:\Users\limbenjamin\Desktop\output.log .
        1 file(s) copied.

C:\ProgramData\LoggerSoftware\logs>del output.log
C:\ProgramData\LoggerSoftware\logs\output.log
Access is denied.

C:\ProgramData\LoggerSoftware\logs>ren output.log output1.log
Access is denied.

C:\ProgramData\LoggerSoftware\logs>

Also, make sure to protect the parent directory. Moving a directory needs only DELETE on the directory itself (or Delete subfolders and files on its parent), so a user who owns C:\ProgramData\LoggerSoftware, for example because it was created under their account and CREATOR OWNER is granted full control by default under C:\ProgramData, can move the whole tree aside and create a new LoggerSoftware with default permissions in its place. The software then writes to the unprotected copy:

C:\ProgramData>move LoggerSoftware LoggerSoftwareOld
        1 dir(s) moved.

C:\ProgramData>mkdir LoggerSoftware

C:\ProgramData>
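The whole procedure, applied to both the log folder and its parent so that the move-and-recreate trick above is closed off, as a PowerShell script. This is an added example, not code from the original post: the paths are the post's, the well-known SIDs (S-1-3-4 for OWNER RIGHTS, S-1-5-18 for SYSTEM, S-1-5-32-544 for Administrators) are standard, and the account name in $LogWriter is an assumed placeholder for whatever account the logging software runs under. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): harden a log folder with the
# OWNER RIGHTS principal using icacls, then verify the result with Get-Acl.
$LogWriter = 'DOMAIN\logger-svc'                 # assumed: the account that writes the logs
$Parent    = 'C:\ProgramData\LoggerSoftware'     # paths as used in the post
$LogDir    = Join-Path $Parent 'logs'

# Well-known SIDs in icacls "*SID" form, so nothing depends on name lookup.
$OwnerRights = '*S-1-3-4'        # OWNER RIGHTS
$System      = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$Admins      = '*S-1-5-32-544'   # BUILTIN\Administrators

function Invoke-Icacls {
    # Run icacls and stop on failure; icacls reports errors via its exit code.
    icacls @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($args -join ' ') failed" }
}

function Protect-LogFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Grant the administrative principals first, so stripping inheritance in
    # the next step can never leave the folder without an administrator ACE.
    Invoke-Icacls $Path /grant "${System}:(OI)(CI)F" "${Admins}:(OI)(CI)F"
    # Drop every inherited ACE. This removes the CREATOR OWNER and Users
    # entries inherited from C:\ProgramData; explicit ACEs survive.
    Invoke-Icacls $Path /inheritance:r
    # OWNER RIGHTS replaces the owner's implicit READ_CONTROL/WRITE_DAC with
    # exactly RX (read, execute) and WD (write data / add file): no Delete,
    # so no rename or delete, and no right to change permissions.
    Invoke-Icacls $Path /grant "${OwnerRights}:(OI)(CI)(RX,WD)"
}

function Test-LogFolderAcl {
    # Returns $true only if the folder carries the intended ACL and nothing else.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Inheritance must stay blocked, or a change on the parent could reintroduce rights.
    if (-not $acl.AreAccessRulesProtected) { return $false }
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ownerRules = @($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' })
    if ($ownerRules.Count -eq 0) { return $false }
    # Rights the owner must never get back through the OWNER RIGHTS entry.
    $forbidden = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($r in $ownerRules) {
        if ([int]($r.FileSystemRights -band $forbidden) -ne 0) { return $false }
    }
    # Only OWNER RIGHTS, SYSTEM and Administrators may appear in the DACL.
    $allowed = 'S-1-3-4', 'S-1-5-18', 'S-1-5-32-544'
    foreach ($r in $rules) {
        if ($allowed -notcontains $r.IdentityReference.Value) { return $false }
    }
    return $true
}

# Harden the parent as well as the log folder so the tree cannot be moved aside.
Protect-LogFolder -Path $Parent
Protect-LogFolder -Path $LogDir

# OWNER RIGHTS only applies to the object's owner. The writer must own the log
# folder to create files in it; files it creates are owned by it and therefore
# bound by the inherited OWNER RIGHTS entry. /setowner needs an elevated prompt.
Invoke-Icacls $LogDir /setowner $LogWriter

foreach ($p in $Parent, $LogDir) {
    '{0}: {1}' -f $p, $(if (Test-LogFolderAcl -Path $p) { 'hardened' } else { 'NOT hardened' })
}
icacls $LogDir   # should list only OWNER RIGHTS, SYSTEM and Administrators
```

To exercise it the way the post does, log on as the $LogWriter account (non-elevated), create a file in the logs folder, and confirm that del, ren and icacls /grant against that file are all denied, while a move of C:\ProgramData\LoggerSoftware is denied as well.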