1

When you purchase a windows PC nowadays, you don't actually "own" the whole disk...

There are so many ACLs on each folder that there are portions of it you actually can access only through a complex sequence of actions requiring skills well beyond the average PC user. You have to drill down to deeply buried dialog boxes accessible through concealed buttons. You have to understand at which level of the hierarchy you have to take ownership, remove ACLs etc...
Yet when you think of it, that's your PC, that's what the "P" of PC originally stand for...
So I'm toying with the idea of just stripping the disk of all ACLs I just purchased and leave standard file protections do the basic protection work... Just like previous century Windows used to do... (before I chmod -R 777 ;-)

Has anybody done that already and nevertheless survived in reasonably good shape for a reasonable amount of time ?

Any technical advice to do that ? Powershell script ? basic script using iCACLS ?

Alain Pannetier
  • 804

3 Answers3

11

I don't understand why you need to do this. UAC stops me writing files in places I shouldn't (system folders, program files etc.) ACLs are needed to make that happen. Why would you want to change?

What's more, if you are a developer, and I presume you are since you are asking the question here, using such a non-standard machine will only result in you producing software that fails when it runs on a standard machine, because all the normal security will be present.

All developers should run with UAC turned up full and should never modify the ACLs of system components.

David Heffernan
  • 1,210
3

I suspect that what you are proposing could easily end up being counter-productive, with your PC ending up be less "yours" and more the propertery of some bot-herder.

3

Here is a powershell function to remove ACLs of a specifed user from directories. 

function Nuke {
param(
    $Directory,
    $Group
)
$acl = get-acl $Directory
$account = new-object system.security.principal.ntaccount($Group)
$acl.purgeaccessrules($account)
set-acl -aclobject $acl -path $Directory
}

Not sure how much luck you will have when you point it at the root of C

pizzim13
  • 201
  • 2
  • 7