Make files copied into a folder not executable?

Is there a way to make any files that get copied into a folder not executable by any user?

The folder is writable, but nothing inside can be executed directly.


Solution 1:

Yes, you can remove the execute permissions from the folder by using advanced permissions.

  1. Right-click on the folder name and choose "Properties".

  2. Click the "Security" tab.

  3. Click the "Advanced" button.

  4. Click the "Change Permissions..." button.

  5. Uncheck "Include inheritable permissions from this object's parent".

  6. A window will appear. Click "Add" to keep the existing permissions. You will edit them in the next steps.

  7. Add or select the user or group that you want to restrict from executing files. If you are selecting an existing group, click the "Edit..." button.

  8. The following window will appear. Uncheck the allow checkbox for "traverse folder / execute file" which I've enclosed in red.

    [Screenshot: the Windows advanced permissions setting for a folder object]

According to the Microsoft Technet entry on permissions for files and folders, the "traverse folder / execute file" permission does the following:

For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)

For files: Execute File allows or denies running program files. (Applies to files only).

Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

Solution 2:

This is one of the rare cases where using Deny permissions is actually useful. It may be more convenient to add a deny permission than to change the allow permissions.

You can do this from the command line (on Vista or later) like this:

icacls c:\path\to\my\folder /deny Everyone:(OI)(IO)(X)

You can also do it from the GUI if you prefer. You don't need to turn off "Include inheritable permissions from this object's parent" but I recommend you select the "Apply to files only" option.
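
The same deny entry as the icacls command above, built in PowerShell and followed by an audit of which files in the folder actually carry it. This is an added example, not part of the answer; the folder path is the placeholder from the command above, and the script assumes it runs with rights to change the folder's permissions.

```powershell
# Added example. $Folder is a placeholder; point it at the real drop folder.
param([string]$Folder = 'C:\path\to\my\folder')

$Rights = [System.Security.AccessControl.FileSystemRights]
$SidType = [System.Security.Principal.SecurityIdentifier]

# S-1-1-0 is the well-known SID for Everyone; using the SID avoids
# depending on the localized group name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Equivalent of Everyone:(OI)(IO)(X) with /deny:
#   ObjectInherit = (OI), the entry is inherited by files
#   InheritOnly   = (IO), the entry does not apply to the folder itself
#   ExecuteFile   = (X), same access bit as Traverse Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone,
    $Rights::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -LiteralPath $Folder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Audit: list files directly in the folder that have no deny-execute entry
# for Everyone. A file moved in from elsewhere on the same volume can keep
# its original ACL, so it would show up here.
$missing = Get-ChildItem -LiteralPath $Folder -File | Where-Object {
    $fileAcl = Get-Acl -LiteralPath $_.FullName
    # Explicit and inherited entries, with identities returned as SIDs.
    $denies = $fileAcl.GetAccessRules($true, $true, $SidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $everyone.Value -and
        ($_.FileSystemRights -band $Rights::ExecuteFile) -eq $Rights::ExecuteFile
    }
    -not $denies
}

if ($missing) {
    Write-Warning 'Files without the deny-execute entry:'
    $missing | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output "All files in $Folder carry the deny-execute entry."
}
```

Because the entry is inherit-only for files, the folder can still be opened and written to; only files in it pick up the deny.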

Solution 3:

This can be done by carefully crafting the permissions on the parent directory. Specifically you want to not grant "Execute" (grant R, not RX) to anyone, especially the special CREATOR-OWNER user. This will deny Execute to everything.