How to limit rights on C drive for Authenticated Users

-
In some cases, it can be interesting to control the level of authorization that we leave to users on the C: drive. 
With this in mind and to respond to certain customer requests, I made a PowerShell script to limit write rights for authenticated users using the icacls command.

The script is available on github : https://github.com/ChrisMogis/DriveC_RightsModification

Script details

<#
.DESCRIPTION
This script allows you to revoke user rights in C:
and thus prevent creating folders or files anywhere on the hard disk system.

.NOTES
  Version:        1.0
  Author:         Christopher Mogis
  Creation Date:  07/11/2023
#>

#Script Parameters
Param(
[Parameter(Mandatory=$true)]
[ValidateSet("Remove", "Add")]
[String[]]
$Param
)

#Variables
$Date = Get-Date

#Log Folder
Function CreateLogsFolder
  {
    If(!(Test-Path "C:\CCMTune\Logs\"))
    {
    Write-Host "$($Date) : Create logs folder C:\CCMTune\Logs"
    New-Item -Force -Path "C:\CCMTune\Logs\" -ItemType Directory
 }
 else
{
    Write-Host "$($Date) : The folder C:\CCMTune\Logs\ already exists !"
    }
  }

#Create Log Folder
    CreateLogsFolder

#Remove right
If ($Param -eq "Remove")
  {
  #Righs modification
  $Logs = "C:\CCMTune\Logs\CCMTRemoveRightsOnC.log"
  Remove-Item -Path "C:\CCMTune\Logs\CCMTAddRightsOnC.log" -Force
  Write-Output "$($Date) : Remove user rights on C:" | Tee-Object -FilePath $Logs -Append
  Invoke-Expression -Command "icacls C:\ /remove:g *S-1-5-11" | Tee-Object -FilePath $Logs -Append
  }

#Add right
If ($Param -eq "Add")
  {
  #Righs modification
  $Logs = "C:\CCMTune\Logs\CCMTAddRightsOnC.log"
  Remove-Item -Path "C:\CCMTune\Logs\CCMTRemoveRightsOnC.log" -Force
  Write-Output "$($Date) : Add user rights on C:" | Tee-Object -FilePath $Logs -Append

Invoke-Expression -Command "icacls C:\ /grant *S-1-5-11:'(AD)'" | Tee-Object -FilePath $Logs -Append
  Invoke-Expression -Command "icacls C:\ /grant *S-1-5-11:'(OI)(CI)(IO)M'" | Tee-Object -FilePath $Logs -Append
  }

Script execution

The script has two parts, the first allows you to delete user rights and the second part allows you to restore them.

Command line to remove permissions:
  • powershell.exe -ExecutionPolicy Bypass -file DriveC_RightsModification.ps1 -Param Remove
Command line to restore permissions:
  • powershell.exe -ExecutionPolicy Bypass -file DriveC_RightsModification.ps1 -Param Add

Logs

A logs files is created depending on the action taken in the CCMTune directory on C:
  • CCMTRemoveRightOnC.log for "Remove" action
  • CCMTAddRightOnC.log for "Add" action
In this log file are stored the information below :


Demo video





Popular posts from this blog

How to implement Applocker with Microsoft Intune

-
Image
Applocker is tool included in Windows 10 and 11. It permit to set up policies or rules for allow or deny apps from running on your device.  We can create Applocker rules for below file types:  EXE files : .exe and .com Windows Installer files : .msi, mst, and .msp Scripts : .ps1, .bat, .cmd, .vbs, and .js DLLs : .dll and .ocx Packaged apps and packaged app installers : .appx and .msix. Sources :  https://learn.microsoft.com/fr-fr/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections The Applocker solution purpose a multiple possibilities for secure your device. We have possibilities to block or allow apps. By default, it is recommended to allow all applications and add a custom rules for a scpecific application. Prérequisites for used Applocker Device with Windows 10 or 11 for prepare the Applocker rules Application Identity service enabled Enable Applocker For create an Applocker policy, you need to login as an admin
Read more »

How to reset computer in OOBE mode

-
Image
When you receive a new computer, it may contain various applications that are useless in a business context. To solve this problem and start with a clean PC, it may be interesting to reset it.  Here is two procedures that can be performed in OOBE mode Manual process Click CTRL + Shift + F3 , your computer restart. The Windows session is automatically opened Go to Start Menu \ Parameters \ Update & Security \ Recovery and click on Get Started Select Remove everything Select Local reinstall Click Next Click Reset Your computer restarts and proceeds to a complete reinstallation. With Command Line Click  Shift + F10 , your computer restart. Used this command line : systemreset -factoryreset Select Remove everything Select Remove files and clean the drive Click Reset Your computer restarts and proceeds to a complete reinstallation.
Read more »

Microsoft Intune, Uninstall Win32 app with the company portal

-
Image
With the arrival of build 2307 of Microsoft Intune , Microsoft provides a new option on the Application part. Source :  What's new in Microsoft Intune | Microsoft Learn This option allows us to offer users the possibility of uninstalling an Win32 application via the Company Portal. Below you will find the procedure to activate the option in the Microsoft Intune console. Prerequisites Intune tenant up to date Win32 app available in the company portal A valid Uninstall command line Enabling the Uninstall option Go to  Intune.microsoft.com Navigate to Apps / Windows Select an  Win32 App and click Properties On Program , click Edit Activate the option Allow available uninstall  by switching the option to Yes Click Review + Save for all sections and click Save User side Open the company portal then select an available Win32 application. After updating, you should see the mention Uninstall.  Click Uninstall for remove the application.
Read more »