My latest TechNet article, “How to Shoot Yourself in the Foot with Security, Part 2: To ACL or Not To ACL,” was just published in the TechNet Newsletter. It turns out that ACLs are one of the major ways people destroy their systems, and of course they are also one of the major ways to protect the system. As Steve pointed out in his blog, people setting unsupported ACLs on operating system binaries was what made MS05-051 blow up. Microsoft does not test on custom ACLs on the OS. We made that clear in KB 885409 over a year ago. That makes ACLs critically important, but also quite tricky. The article was written with the hope that it dispels some of the myths around ACLs and points out what to do and not to do with them. Most of the items in there are not absolutes – there are exceptions – but generally, they are good advice and they will keep you from having to call for technical support on an unsupported OS configuration. ACLs are actually one of the major support call generators. Hopefully, this will do some small part to solve that problem.
By the way, it deserves mention that with lead times on articles being what they are, this article was written in September, before MS05-051 came out. Take note of the first way to shoot yourself in the foot with ACLs in the article. It would have prevented the problems with the patch in MS05-051 had people followed it.
If you have comments on the article or ACLs in general, feel free to follow up to this blog post.