In Windows Vista, the NTFS file system Discretionary Access Control Lists (DACLs) have been changed to enable data sharing and collaboration in data directories that are outside protected directories. A user's protected directory is the user's profile. For example, assume that the C:\Users\Denise\Pictures directory is a protected directory. A data directory is a directory that is created outside this protected directory structure; D:\Pictures, for example, is a directory that is outside the protected structure.
Assume that Denise Smith logs on to her Windows Vista-based computer and creates a new directory named FamilyPictures on her external hard disk (drive D). Later, Denise's son, Brian, logs on to the computer, creates a new directory named SummerVacationPics in the FamilyPictures directory, and saves several pictures in it. If the Windows XP DACL settings are applied to the SummerVacationPics directory, Denise cannot edit any of the pictures in that directory. This behavior occurs because, in the Windows XP defaults, the only inheritable Full control entry is for CREATOR OWNER, so the DACLs mark Brian as the only user who has Write permissions on the files that he created; BUILTIN\Users inherit only Read on files. The default DACL behavior has been changed in Windows Vista: Authenticated Users receive Modify on the data drive, and that entry is inherited by every subdirectory and file that is created there. Therefore, in Windows Vista, Denise can perform photo editing tasks on the pictures in the SummerVacationPics directory.
These DACL changes let users share and edit files without being prompted for administrator credentials in the User Account Control dialog box. Additionally, users can manually make a directory private. This feature lets users maintain data confidentiality and data integrity for their own files on data drives. A private directory still grants Full control to SYSTEM and to BUILTIN\Administrators, so an administrator who elevates through User Account Control can read it; the feature keeps data private from standard users, not from administrators. The Windows Vista DACL settings are applied during installation, and they are migrated to any detected drive that meets one of the following criteria:
- The drive does not contain a Windows operating system.
- The drive is formatted by using the default Windows XP DACL settings.
Tool updates
The Convert.exe and Format.exe command-line tools have been changed in Windows Vista to include new options for the new DACL settings. However, these tools cannot convert existing Windows XP DACL settings to the Windows Vista DACL settings. To change an existing Windows XP DACL setting to a Windows Vista DACL setting, use the Cacls.exe command-line tool in Windows Vista. The /S:SDDL option replaces the whole DACL of the target with the SDDL string that you supply, so check the string before you run it, and run it at an elevated command prompt. For example, the following command converts existing Windows XP DACL settings on the D:\ data drive to Windows Vista DACL settings:
Cacls D:\ /S:D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)
The four access control entries grant Full control (GA) to BUILTIN\Administrators and to SYSTEM, Modify (Delete plus generic read, write, and execute) to Authenticated Users, and Read and execute (generic read and execute) to BUILTIN\Users; each entry is inherited by subdirectories (CI) and by files (OI). Cacls.exe is deprecated in Windows Vista in favor of Icacls.exe, which this article uses to display the resulting permissions.
DACL settings in Windows Vista
Use the following table of abbreviations to determine the results of access control entry (ACE) inheritance.
Access control entry inheritance abbreviations
| Abbreviation | Description |
| --- | --- |
| CI | Container inherit. The access control entry will be inherited by directories. |
| OI | Object inherit. The access control entry will be inherited by files. |
| IO | Inherit only. The access control entry does not apply to the current file or directory; it exists only to be inherited. |
| NP | Inheritance will not be propagated. The entry is inherited by immediate children only. |
Windows XP %systemroot% directory and data drive DACL settings
The following are the default DACL settings for the %systemroot% directory and for the data drive in Windows XP.
| User or group | Access control entry | Access control entry inheritance |
| --- | --- | --- |
| BUILTIN\Administrators | Full control | (OI)(CI) |
| NT AUTHORITY\SYSTEM | Full control | (OI)(CI) |
| CREATOR OWNER | Full control | (OI)(CI)(IO) |
| BUILTIN\Users | Read | (OI)(CI) |
| BUILTIN\Users | Special access: FILE_APPEND_DATA | (CI) |
| BUILTIN\Users | Special access: FILE_WRITE_DATA | (CI)(IO) |
| Everyone | Read | (none) |
Windows Vista data drive DACL settings
The following are the new Windows Vista DACL settings for data drives that are created by using the Format.exe program. Each inheritable entry is stored as two ACEs: one without inheritance flags that applies to the drive root itself, and an inherit-only copy that is passed to subdirectories and files.
| User or group | Access control entry | Access control entry inheritance |
| --- | --- | --- |
| BUILTIN\Administrators | Full control | (none) |
| BUILTIN\Administrators | Full control | (OI)(CI)(IO) |
| NT AUTHORITY\SYSTEM | Full control | (none) |
| NT AUTHORITY\SYSTEM | Full control | (OI)(CI)(IO) |
| NT AUTHORITY\Authenticated Users | Modify | (none) |
| NT AUTHORITY\Authenticated Users | Modify | (OI)(CI)(IO) |
| BUILTIN\Users | Read and execute | (none) |
| BUILTIN\Users | Generic read, generic execute | (OI)(CI)(IO) |
Windows Vista %systemroot% directory DACL settings
| User or group | Access control entry | Access control entry inheritance |
| --- | --- | --- |
| BUILTIN\Administrators | Full control | (none) |
| BUILTIN\Administrators | Full control | (OI)(CI)(IO) |
| NT AUTHORITY\SYSTEM | Full control | (none) |
| NT AUTHORITY\SYSTEM | Full control | (OI)(CI)(IO) |
| BUILTIN\Users | Read and execute | (OI)(CI) |
| NT AUTHORITY\Authenticated Users | Modify | (OI)(CI)(IO) |
| NT AUTHORITY\Authenticated Users | Append data | (none) |
| Mandatory Label\High Mandatory Level | No write | (OI)(IO)(NP) |
How to disable data drive migration when you build your image
In some environments, you may not want to convert the ACLs of your data drives. Scenarios in which you may not want to convert the ACLs of your data drive include the following:
- Your data drive is shared, and you rely on the BUILTIN\Users ACLs to grant Modify access.
- You have many data files and many directories on your data drive, and you are not experiencing data access issues.
Note In this scenario, changing the ACLs is unnecessary and may significantly increase Windows Vista installation time, because the new inheritable entries have to be propagated to every file and directory on the drive.
Note The Windows Automated Installation Kit (WAIK) contains a set of deployment tools. WAIK, and guidance about how to use the deployment tools, are available from the Microsoft Download Center. WAIK is targeted at corporate customers who are doing automated Windows deployment.
To disable data drive migration, follow these steps.
- Create a directory to store the Windows Imaging Format (WIM) file. For example, create a C:\VistaRTM\WIM directory.
- Create a directory to store the uncompressed operating system image. For example, create a C:\VistaRTM\OS directory.
- Copy the applicable Install.wim file to the WIM directory that you created in step 1. For example, type the following command at a command prompt to copy the Install.wim file from the Windows Vista installation media (drive E):
Copy e:\sources\install.wim c:\VistaRTM\WIM\install.wim
- Copy the WIM image filter driver (Wimfltr.sys together with its Wimfltr.inf) from the WAIK deployment tools to the C:\VistaRTM\Driver directory, and then install it. ImageX cannot mount an image until this filter driver is installed. To do this, follow these steps:
  - Click Start, type cmd in the Start Search box, right-click cmd.exe in the Programs list, and then click Run as administrator. If you are prompted for an administrator password or for confirmation, type the password, or click Continue.
  - At the elevated command prompt, change to the driver directory:
cd c:\VistaRTM\Driver\
  - Install the filter driver from that directory. For example, in Windows Explorer, right-click Wimfltr.inf, and then click Install.
- At the elevated command prompt, mount the applicable .wim image. For example, type the following command:
Imagex.exe /MountRW c:\VistaRTM\WIM\install.WIM 1 c:\VistaRTM\OS
Note "1" is the value of the image index in the Install.wim file. Because the Install.wim file can contain multiple Windows edition images, run the imagex /info c:\VistaRTM\WIM\install.wim command to display all the Windows editions in the Install.wim file. When you have identified the correct index for the Windows edition, use that value together with the /MountRW option. For more information about the ImageX tool and about WIM, see the WAIK documentation.
- Edit the SYSTEM registry hive of the mounted image. To do this, follow these steps.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the following article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows (http://support.microsoft.com/kb/322756/)
  - Click Start, type regedit in the Start Search box, and then click regedit in the Programs list. If you are prompted for an administrator password or for confirmation, type the password, or click Continue.
  - In Registry Editor, click HKEY_LOCAL_MACHINE, and then click Load Hive on the File menu.
  - In the Load Hive dialog box, select the SYSTEM hive file from the mounted image, and then click Open. For example, select C:\VistaRTM\OS\Windows\System32\config\SYSTEM.
  - Type TEMP_HKLM in the Key Name box to create a temporary hive entry, and then click OK.
  - Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\TEMP_HKLM\Setup
  - On the Edit menu, point to New, and then click DWORD Value.
  - Type DDACLSys_Disabled, and then press ENTER.
  - Right-click DDACLSys_Disabled, and then click Modify.
  - In the Value data box, type 1, and then click OK.
  - Click TEMP_HKLM, and then click Unload Hive on the File menu. Registry Editor holds the hive file open until the hive is unloaded, and the image cannot be unmounted with /commit while that file is in use.
- After you modify the image, seal the image. To do this, type the following command at the elevated command prompt:
imagex.exe /UnMount /commit c:\VistaRTM\OS
- Replace the original Install.wim file with the modified image. The committed changes are in the file that you mounted, C:\VistaRTM\WIM\install.wim, not in the C:\VistaRTM\OS mount directory. To do this, type the following command at a command prompt:
copy C:\VistaRTM\WIM\install.wim E:\sources\install.wim
How to define a protected drive DACL
Restrict file and directory creation for standard users
To specify that standard users cannot create directories or files outside their user profiles, run the following command at an elevated command prompt. D:\ is the data drive root; the P flag after D: marks the DACL as protected so that it inherits nothing from a parent:
cacls D:\ /S:D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)
This string gives SYSTEM and BUILTIN\Administrators Modify (0x1301bf) on the drive root and, through the inherit-only entries, Full control (GA) on everything below it. BUILTIN\Users receive only Read and execute (0x1200a9), inherited by all subdirectories and files, and Authenticated Users have no entry at all, so no standard user can create anything on the drive.
Enable standard users to create top-level directories
To specify that standard users can create top-level directories and that they will be the owners of a directory and all its subdirectories, run the following command at an elevated command prompt:
cacls D:\ /S:D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)(A;;LC;;;BU)(A;OICIIO;GA;;;CO)
The two additional entries grant BUILTIN\Users FILE_ADD_SUBDIRECTORY (LC) on the drive root only, with no inheritance, and grant CREATOR OWNER Full control as an inherit-only entry, so whoever creates a top-level directory receives Full control on it and on everything that is created inside it, while other standard users keep Read and execute.
How to define a protected directory for a specific user
To specify that only a specific user can access a file or a directory outside the user profile, follow these steps:
- To define a protected directory, you must first obtain the security identifier (SID) of the user who is currently logged on. To obtain the SID, run the following command at a command prompt (whoami /user prints only the user name and the SID):
whoami /all
- Use the Cacls.exe command-line tool to specify a protected directory. To do this, type the following command at a command prompt:
Cacls Directory /S:D:PAI(A;OICI;GA;;;SID)(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)
Note Directory represents the path of the directory that you want to configure. SID represents the user's SID. The P flag marks the DACL as protected, so entries that were inherited from the parent directory (for example, the Modify entry for Authenticated Users on a Windows Vista data drive) are removed; only the listed user, SYSTEM, and BUILTIN\Administrators keep access.
The following sample commands use the PersonalSecureFolder directory. This directory is located in the D:\ directory.
- To determine the security access of the D:\PersonalSecureFolder directory, type the following command at a command prompt in the D:\ directory:
icacls.exe PersonalSecureFolder
The command generates the following output. The (I) tag marks entries that are inherited from the D:\ data drive:
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
- To protect the D:\PersonalSecureFolder directory, type the following command at a command prompt:
cacls D:\PersonalSecureFolder /S:D:PAI(A;OICI;GA;;;S-1-5-21-2840286564-3180458239-1922922813-1001)(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)
- To determine the new NTFS DACL for the D:\PersonalSecureFolder directory, type the following command at a command prompt:
icacls.exe D:\PersonalSecureFolder
The command generates the following output. The inherited Authenticated Users entries are gone, and each remaining entry appears twice because an inheritable ACE that carries generic rights is stored as one entry for the directory itself and one inherit-only entry for its children:
HomePC\Denise:(F)
HomePC\Denise:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
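The cacls /S: strings on this page are compact but hard to audit by eye. The following Python script is an added example for this article, not Microsoft code: it parses those SDDL DACL strings, applies the NTFS generic-rights mapping, lists each ACE the way icacls.exe prints it (reproducing the PersonalSecureFolder listing above), reports what a standard user is allowed on the drive root for the two protected-drive strings, and simulates the inheritance rules from the abbreviation table to show why Denise can only read Brian's pictures under the Windows XP defaults but can modify them under the Windows Vista defaults. The SDDL for the Windows XP data drive is constructed here from the page's table (the page gives no SDDL for it), and the scenario assumes that Denise and Brian are ordinary members of Users and Authenticated Users; the well-known-SID names and the mapping of the sample SID to HomePC\Denise come from the page, and the rights abbreviations are those listed by icacls /?.

```python
import functools, re

# Well-known SID abbreviations used on the page; the numeric SID is the page's sample user SID.
SID_NAMES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users", "WD": "Everyone",
             "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
             "CO": "CREATOR OWNER", "S-1-5-21-2840286564-3180458239-1922922813-1001": "HomePC\\Denise"}
# SDDL rights tokens -> access-mask bits (CC = read data, DC = write data/add file, LC = add subdir).
RIGHT_TOKENS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
                "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000, "CC": 0x1, "DC": 0x2,
                "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
                "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# NTFS maps GR/GW/GX/GA to FILE_GENERIC_READ/WRITE/EXECUTE and FILE_ALL_ACCESS.
GENERIC_MAP = {0x80000000: 0x120089, 0x40000000: 0x120116, 0x20000000: 0x1200A0, 0x10000000: 0x1F01FF}
# icacls simple-rights names (mapped or still-generic masks); any other mask prints per bit.
SIMPLE = {0x1F01FF: "F", 0x10000000: "F", 0x1301BF: "M", 0xE0010000: "M",
          0x1200A9: "RX", 0x120089: "R", 0x120116: "W"}
SPECIFIC = [(0x1, "RD"), (0x2, "WD"), (0x4, "AD"), (0x8, "REA"), (0x10, "WEA"), (0x20, "X"),
            (0x40, "DC"), (0x80, "RA"), (0x100, "WA"), (0x10000, "DE"), (0x20000, "Rc"),
            (0x40000, "WDAC"), (0x80000, "WO"), (0x100000, "S"), (0x80000000, "GR"),
            (0x40000000, "GW"), (0x20000000, "GE"), (0x10000000, "GA")]
FLAG_ORDER = ["OI", "CI", "IO", "NP", "ID"]

# The page's own cacls /S: strings (DACL part only).
VISTA_DATA_DRIVE = "D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;SDGXGWGR;;;AU)(A;OICI;GXGR;;;BU)"
LOCKED_DRIVE = ("D:P(A;;0x1301bf;;;SY)(A;IOCIOI;GA;;;SY)(A;;0x1301bf;;;BA)"
                "(A;IOCIOI;GA;;;BA)(A;OICI;0x1200a9;;;BU)")
TOPLEVEL_DRIVE = LOCKED_DRIVE + "(A;;LC;;;BU)(A;OICIIO;GA;;;CO)"
PRIVATE_DIR = ("D:PAI(A;OICI;GA;;;S-1-5-21-2840286564-3180458239-1922922813-1001)"
               "(A;OICI;GA;;;SY)(A;OICI;GA;;;BA)")
# Constructed from the page's Windows XP table (no SDDL on the page): Read = FR, append = LC, write = DC.
XP_DATA_DRIVE = ("D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;FA;;;CO)(A;OICI;FR;;;BU)"
                 "(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;;FR;;;WD)")


def parse_dacl(sddl):
    """Return (control flags, [ACE dicts]) for a 'D:...' DACL string."""
    body = sddl[2:] if sddl.startswith("D:") else sddl
    ctrl = re.findall(r"P|AI|AR", body.split("(", 1)[0])     # flags before the first ACE
    aces = []
    for typ, aflags, rights, _guid, _iguid, sid in (a.split(";") for a in re.findall(r"\(([^)]*)\)", body)):
        mask = int(rights, 16) if rights.lower().startswith("0x") else sum(
            RIGHT_TOKENS[rights[j:j + 2]] for j in range(0, len(rights), 2))
        flags = sorted(re.findall("..", aflags), key=lambda x: FLAG_ORDER.index(x) if x in FLAG_ORDER else 9)
        aces.append({"type": typ, "mask": mask, "sid": sid.strip(), "flags": flags})
    return ctrl, aces


def map_generic(mask):
    """Replace generic bits with the NTFS rights they stand for on a file object."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def rights_name(mask):
    return SIMPLE.get(mask) or ",".join(n for bit, n in SPECIFIC if mask & bit)


def render_icacls(aces):
    """List ACEs as icacls prints them for a directory. An inheritable ACE with generic
    rights is stored as a mapped entry for the directory plus an inherit-only generic copy."""
    lines = []
    for ace in aces:
        name, flags = SID_NAMES.get(ace["sid"], ace["sid"]), list(ace["flags"])
        if ace["mask"] & 0xF0000000 and {"OI", "CI"} & set(flags) and "IO" not in flags:
            lines.append(f"{name}:({rights_name(map_generic(ace['mask']))})")
            flags.append("IO")
        shown = ace["mask"] if "IO" in flags else map_generic(ace["mask"])
        lines.append(name + ":" + "".join(f"({f})" for f in flags) + f"({rights_name(shown)})")
    return lines


def inherit(aces, child_is_dir, owner_sid):
    """ACEs a newly created child receives under the OI/CI/IO/NP rules of the abbreviation
    table. CREATOR OWNER becomes the creator on the effective copy; the template stays CO."""
    out = []
    for ace in aces:
        f = ace["flags"]
        if child_is_dir and "CI" in f:
            keep = [] if "NP" in f else [x for x in f if x in ("OI", "CI")]
        elif child_is_dir and "OI" in f and "NP" not in f:
            keep = ["OI", "IO"]                 # files-only ACE: carried along, not effective here
        elif not child_is_dir and "OI" in f:
            keep = []
        else:
            continue                            # not inherited by this kind of child
        if ace["sid"] == "CO" and "IO" not in keep:
            out.append(dict(ace, flags=[], sid=owner_sid))
            keep = keep + ["IO"] if keep else None
        if keep is not None:
            out.append(dict(ace, flags=keep))
    return out


def allowed_mask(aces, held_sids):
    """Union of allow ACEs that apply to the object itself (inherit-only ones do not)."""
    applicable = (a for a in aces if a["type"] == "A" and a["sid"] in held_sids and "IO" not in a["flags"])
    return functools.reduce(lambda m, a: m | map_generic(a["mask"]), applicable, 0)


def family_pictures_scenario(drive_sddl):
    """Denise's mask on a picture Brian saved in D:\\FamilyPictures\\SummerVacationPics
    (Denise created FamilyPictures, Brian created SummerVacationPics; both are standard users)."""
    family = inherit(parse_dacl(drive_sddl)[1], True, "Denise")
    picture = inherit(inherit(family, True, "Brian"), False, "Brian")
    return allowed_mask(picture, {"BU", "AU", "WD", "Denise"})
```

family_pictures_scenario(XP_DATA_DRIVE) returns 0x120089 (Read) and family_pictures_scenario(VISTA_DATA_DRIVE) returns 0x1301bf (Modify), which is the whole difference the Denise and Brian example describes. allowed_mask(parse_dacl(LOCKED_DRIVE)[1], {"BU", "AU"}) returns 0x1200a9 (Read and execute) on the drive root, and the two top-level entries add only FILE_ADD_SUBDIRECTORY (0x4). The decoder covers what these strings use: allow ACEs, the OI/CI/IO/NP flags, and the rights tokens and hexadecimal masks shown; deny ACEs, object ACEs, and inherited-flag (ID) bookkeeping are out of scope.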