Using SecPol to block access to a specific folder

Customers operating in high-security environments usually want to block access to specific folders. Using this method I was able to safely remove write access from users without harming the functionality of Windows. BUT!!!! Please use at your own risk, and test in your own lab before executing and implementing. The use of SecPol to achieve this was passed on to me by a friend, so shoutout to them :)

  • Launch MMC (Run > MMC.exe)
  • Add Security Templates (File > Add/Remove Snap-in… > Security Templates)

  • You’ll have to set the source path to C:\Windows\security\templates
    • Delete the default generated source (Right click the source and delete)
    • Then right click and click on “New Template Search Path…”
      • Set it to: C:\Windows\security\templates

  • Create a new template (Right click on the source > New Template)
    • Name it “BlockFavoritesFolderAccess”

  • Expand the new template and select the File System folder.
    • Either right click on it or click on Actions > Add File…

  • Navigate to the user’s specific profile folder (Users > Username > Favorites)

  • Add or select the user or group, set the permissions, and click OK
    • Allow Read
    • Deny Write
    • Uncheck everything else

  • Select “Replace existing permissions on all subfolders and files with inheritable permissions” and click OK

  • Close out of MMC (no need to “Save console settings to Console”)
  • Then select Yes to save the newly created .inf file
    Note: Notice where the .inf file is stored.


Now you have an .inf file to run secedit against, which will apply the discretionary ACLs (DACLs) you specified. Note that the template stores the absolute path you browsed to (C:\Users\Username\Favorites), so it targets that one profile on the machine it is applied to.

Create a script/batch file, or manually copy the newly created .inf file into C:\Windows\Security\Templates on the machine you’re targeting, and run the following command:

  • Open CMD (Admin)
    • Navigate to C:\Windows\Security\Templates
    • Then Run:
      • secedit /configure /db BlockFavoritesFolderAccess.sdb /cfg BlockFavoritesFolderAccess.inf /overwrite /log BlockFavoritesFolderAccess.log
      • Type “y” for Yes to accept the override
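The same deployment as the CMD steps above, wrapped in a PowerShell script that also verifies the outcome. This is an added example, not part of the original post: it assumes the template was exported as BlockFavoritesFolderAccess.inf next to the script, that the restricted account is a local user named labuser (change $TargetUser for your case), and that it runs from an elevated session. The /areas FILESTORE and /quiet switches are documented secedit options added here so that only the file-system section of the template is applied and the overwrite prompt is suppressed; drop /quiet if you prefer to answer "y" as in the post.

```powershell
# Added example (not from the original post). Deploys the exported SecPol template
# with secedit and then checks the resulting DACL on the target user's Favorites folder.
# Assumptions: template file name, local user "labuser", elevated session.
param(
    [string]$TemplateSource = (Join-Path $PSScriptRoot 'BlockFavoritesFolderAccess.inf'),
    [string]$TargetUser     = 'labuser'
)

$templatesDir = Join-Path $env:SystemRoot 'Security\Templates'
$templateName = 'BlockFavoritesFolderAccess'
$inf = Join-Path $templatesDir "$templateName.inf"
$db  = Join-Path $templatesDir "$templateName.sdb"
$log = Join-Path $templatesDir "$templateName.log"

# secedit /configure writes the security database and rewrites the folder DACL,
# so refuse to continue unless we are actually elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Stage the template where the post expects it.
Copy-Item -Path $TemplateSource -Destination $inf -Force

# Same command as the post, restricted to the File System area of the template
# (/areas FILESTORE) and non-interactive (/quiet). Assumption: both switches as documented for secedit.
& "$env:SystemRoot\System32\secedit.exe" /configure /db $db /cfg $inf /overwrite /areas FILESTORE /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit returned $LASTEXITCODE; last lines of the log follow:"
    Get-Content -Path $log -Tail 20
}

# Verify: the user should now hold only an Allow Read ACE and a Deny Write ACE,
# both flagged to inherit to subfolders and files, with nothing inherited from the profile root.
$favorites = Join-Path $env:SystemDrive "Users\$TargetUser\Favorites"
$acl = Get-Acl -Path $favorites
$userAces = $acl.Access | Where-Object { $_.IdentityReference -like "*\$TargetUser" }
$userAces | Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited, InheritanceFlags -AutoSize

$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$denyWrite = $userAces | Where-Object {
    $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $writeBits) -ne 0)
}
$allowBeyondRead = $userAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band -bnot [System.Security.AccessControl.FileSystemRights]::ReadAndExecute) -ne 0)
}

if (-not $denyWrite)    { Write-Warning "No Deny Write ACE for $TargetUser on $favorites; check $log" }
if ($allowBeyondRead)   { Write-Warning "$TargetUser still holds Allow rights beyond Read on $favorites" }
if (-not $denyWrite -and -not $allowBeyondRead) { Write-Host "DACL on $favorites matches the template." }
```

Two things to keep in mind when reading the verification output. Deny ACEs are evaluated before Allow ACEs, so the Deny Write entry wins even if the user is also a member of a group that is allowed more. The basic Write permission covers creating files and folders, appending data and writing attributes, but not Delete; if the requirement also covers deleting existing favorites, extend the check above to the Delete bit rather than assuming Deny Write handles it.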