File permissions on Windows - chmod 400 in Powershell

Problem Statement

chmod 400 (owner read-only, no access for anyone else) is the usual recommendation for secret key files such as SSH private keys. But how does one reliably achieve, and verify, the same thing for a file inside a Windows environment?

Theory / Basis

Windows uses Access Control Lists (ACLs) to specify the permissions on a given entity (file or folder): each entry in the list names a principal, an Allow/Deny type and a set of rights, and entries may be set explicitly on the file or inherited from its parent folder. REF:

Sequence of Commands to run

Inspect the original ACL information on the key file. Note the FullControl entries and the access granted to parties other than the current user XXX.

PS > $pemfile="C:\Users\XXX\.ssh\naren-uswest1-aws.pem"
PS > Get-Acl $pemfile | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\XXX\.ssh\naren-uswest1-aws.pem
Owner  : XXXPC\XXX
Group  : XXXPC\XXX
Access : NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  FullControl
         XXX\XXX Allow  FullControl
Audit  :
Sddl   : O:S-1-5-21-2530534273-3221850710-2763415746-1001G:S-1-5-21-2530534273-3221850710-2763415746-1001D:PAI(A;;FA;;;

Get the ACL handle to the file

PS > $acl = Get-Acl $pemfile

Get the current username

PS > $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Create a new AccessRule object with the intended permission (Read, Allow) for the current user, apply it to the ACL object, then write the ACL back to the file

PS > $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($username,"Read","Allow")
PS > $acl.SetAccessRule($accessRule)
PS > $acl | Set-Acl $pemfile

Disable inheritance (equivalent to right-clicking the file -> Properties -> Security -> Advanced -> Disable inheritance). The first argument ($true) protects the ACL from inheritance; the second ($false) discards the inherited entries instead of converting them into explicit ones, which is what removes the SYSTEM and Administrators FullControl entries

PS > $acl.SetAccessRuleProtection($true,$false)
PS > $acl | Set-Acl $pemfile

Inspect the file after applying the ACL and disabling inheritance

Observe that the Access attribute no longer contains FullControl and has just the required permission for the current user. Synchronize appears alongside Read because Windows adds it automatically to every Allow entry; it is needed to open a handle to the file and grants no data access on its own

PS > Get-Acl $pemfile | Format-List

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Users\XXX\.ssh\naren-uswest1-aws.pem
Owner  : XXXPC\XXX
Group  : XXXPC\XXX
Access : XXXPC\XXX Allow  Read, Synchronize
Audit  :
Sddl   : O:S-1-5-21-2530534273-3221850710-2763415746-1001G:S-1-5-21-2530534273-3221850710-2763415746-1001D:PAI(A;;FR;;;S-1-5-21-2530534
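The steps above, collected into a script that both applies the chmod 400 equivalent and then checks the result, which is the "reliably know" part of the problem statement. This is an added example, not code from the original post; it goes slightly beyond the post by also removing any explicit entries for other identities (not just inherited ones) and by reporting every entry that is not "current user, Allow, Read". The function names and the $KeyFile parameter are the example's own.

```powershell
# Added example: chmod 400 equivalent for a key file on Windows, plus verification.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; $KeyFile is a placeholder path.
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyFile
)

$FsRights = [System.Security.AccessControl.FileSystemRights]

function Set-ReadOnlyForCurrentUser {
    param([string]$Path)

    $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path

    # Disable inheritance and drop the inherited entries ($false = do not preserve them),
    # which removes the SYSTEM / Administrators FullControl entries inherited from the folder.
    $acl.SetAccessRuleProtection($true, $false)

    # Also remove any explicit entries that remain, for any identity (the post only
    # removes inherited ones); the current user gets a fresh Read entry below.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }

    # Grant exactly Read to the current user (Windows adds Synchronize automatically).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $username, $FsRights::Read, [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-KeyFilePermissions {
    # Returns a list of problems; an empty list means the file matches chmod 400.
    param([string]$Path)

    $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $Path
    $problems = @()

    if (-not $acl.AreAccessRulesProtected) {
        $problems += "inheritance is still enabled on $Path"
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -ne $username) {
            $problems += "unexpected entry for $who ($($ace.AccessControlType) $($ace.FileSystemRights))"
            continue
        }
        # Mask off Synchronize before comparing, since it is always present on Allow entries.
        $rights = ([int]$ace.FileSystemRights) -band (-bnot [int]$FsRights::Synchronize)
        if ($ace.AccessControlType -ne 'Allow' -or $rights -ne [int]$FsRights::Read) {
            $problems += "$who has $($ace.FileSystemRights) instead of Read"
        }
    }
    return $problems
}

Set-ReadOnlyForCurrentUser -Path $KeyFile
$issues = @(Test-KeyFilePermissions -Path $KeyFile)
if ($issues.Count -eq 0) {
    Write-Output "OK: $KeyFile is readable only by $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
} else {
    $issues | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it as `.\Set-KeyFileAcl.ps1 -KeyFile C:\Users\XXX\.ssh\naren-uswest1-aws.pem` (script name is arbitrary). The check is deliberately strict: a leftover Administrators entry, a Deny entry, or Read plus Write for the user all produce a FAIL line, so the script's exit code can be used in a setup routine the same way one would check `stat -c %a` returns 400 on Linux.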
