What's the right way to protect a backup script in Windows?

I have a robocopy batch script to use with diskshadow to sync files to a backup server. In Vagrant, I tried this, but it prevents the upload of the script

```yaml
- name: make a folder for backup scripts
  win_file:
    path: C:\backupscripts
    state: directory

- name: set permissions for backup script folder
  win_acl:
    path: C:\backupscripts
    user: Administrator
    type: allow
    rights:
      - FullControl

- name: set permissions for backup script folder
  win_acl:
    path: C:\backupscripts
    user: Users
    type: deny
    rights:
      - FullControl

- name: upload backup script
  win_template:
    src: sync.bat.j2
    dest: C:\backupscripts\sync.bat
```

but that results in

```
TASK [upload backup script] ****************************************************
fatal: [wc]: FAILED! => {"changed": false, "checksum": "992922fbb15e0a8402e5d47e92e23d2503bd6ac6", "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \r\n\"0\" argument(s): \"The running command stopped because the preference variable \r\n\"ErrorActionPreference\" or common parameter is set to Stop: Access to the path \r\n'C:\backupscripts\sync.bat' is denied.\"\"\r\nAt line:65 char:5\r\n+ $output = $entrypoint.Run($payload)\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n + CategoryInfo : NotSpecified: (:) , ParentContainsErrorRecordE \r\n xception\r\n + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
```

So what's the right way to do this? I'm new to Windows, so please tell me if I'm missing anything. The target is Windows Server 2012 R2.

Deny rights always override Allow rights in Windows ACLs. If a user is a member of the Administrator group AND the Users group, the deny you applied in the 2nd win_acl task will cause an "access is denied" message. I'm pretty sure by default an Admin account is a member of both, and that's probably what is tripping you up.

As a side note, it's better not to apply FullControl as a right but to use the granular entries to give the user only what they need. That's probably something you can look into once this is all working and you have a better understanding of the whole ACL side.

Thanks

Jordan

This seems to work. It seems the easiest way to "clear" existing permissions and start over is by disabling the inherited permissions. A normal user can't list the folder and gets access denied if they try to open a specific file that they know the path to. An admin can do anything. Am I missing anything? Is there a better way?

```yaml
- name: disable inheritance on backupscripts
  win_acl_inheritance:
    path: C:\backupscripts
    state: absent

- name: set administrator permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: Administrators
    type: allow
    rights:
      - FullControl

- name: set SYSTEM permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: SYSTEM
    type: allow
    rights:
      - FullControl
```
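An added verification script (not from anyone in this thread) that inspects the resulting ACL on the target, so you can confirm inheritance is off, see exactly which ACEs remain, and spot any Deny entry that would match the groups of the account Ansible connects as. It assumes the `C:\backupscripts` path from the playbook and is run on the Windows host itself.

```powershell
# Added check, not part of the thread: dump the ACL on the backup folder and
# flag the things that caused the original failure.
$path = 'C:\backupscripts'   # path from the playbook above
$acl  = Get-Acl -Path $path

"Inheritance disabled: $($acl.AreAccessRulesProtected)"
"Owner: $($acl.Owner)"
""
"Access entries:"
$acl.Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Deny ACEs are evaluated before Allow ACEs, so a Deny that matches any group
# of the caller blocks access even if an Allow grants FullControl.
$denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
if ($denies) {
    Write-Warning 'Deny entries present; compare them against the groups below:'
    $denies | ForEach-Object { "  $($_.IdentityReference): $($_.FileSystemRights)" }
}

# Group memberships of the account running this script, to compare against the
# IdentityReference column (an admin is normally also a member of Users).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
""
"Current user: $($me.Name)"
"Groups:"
$me.Groups | ForEach-Object {
    $sid = $_
    # Some SIDs (logon or capability SIDs) have no account name; fall back to the raw SID.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
} | Sort-Object
```

Run it under the same account Ansible uses to connect; if a Deny row's identity appears in the group list, that is the ACE blocking the upload.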