From ac57187ec9bbd4726cc570c0ec1d45093113868b Mon Sep 17 00:00:00 2001 From: Nishad Mathur Date: Thu, 16 Apr 2026 12:20:35 -0700 Subject: [PATCH] Improve windows stemcell hardening by explicitly handeling inherited acls ai-assisted=yes [TNZ-94650] --- .../jobs/check-system/templates/run.ps1 | 7 ++- modules/BOSH.Utils/BOSH.Utils.psm1 | 58 ++++++++++++++----- 2 files changed, 51 insertions(+), 14 deletions(-) diff --git a/acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1 b/acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1 index 830634a57..6658b2dc8 100644 --- a/acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1 +++ b/acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1 @@ -131,7 +131,8 @@ function Test-Acls { $errCount = 0 - Get-ChildItem -Path $path -Recurse | ForEach-Object { + $items = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse) + $items | ForEach-Object { $name = $_.FullName If (-Not ($_.Attributes -match "ReparsePoint")) { Get-Acl $name | Select-Object -ExpandProperty Access | ForEach-Object { @@ -140,6 +141,10 @@ function Test-Acls { $errCount += 1 Write-Host "Error ($name): $ident" } + If ($_.IdentityReference -eq "NT AUTHORITY\Authenticated Users" -and ($path -eq "C:\bosh" -or $path -eq "C:\var")) { + $errCount += 1 + Write-Host "Error ($name): Authenticated Users should not have access" + } } } } diff --git a/modules/BOSH.Utils/BOSH.Utils.psm1 b/modules/BOSH.Utils/BOSH.Utils.psm1 index 5961c6922..7e2fe7cd7 100644 --- a/modules/BOSH.Utils/BOSH.Utils.psm1 +++ b/modules/BOSH.Utils/BOSH.Utils.psm1 
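Review bot: Now that `$items` starts with `Get-Item -Path $path`, the root directory's own ACL is scanned, but the loop still only inspects ACE identities and never verifies that inheritance was actually disabled, which is what the paired `icacls /inheritance:d` change in BOSH.Utils.psm1 is meant to guarantee for paths hardened with the default `$disableInheritance = $True`. A path whose hardening was skipped would still pass as long as the parent's inherited ACEs happen not to name Users, so the test does not prove the commit's intent. Consider adding, inside the non-reparse-point branch, `If (-Not (Get-Acl $name).AreAccessRulesProtected) { $errCount += 1; Write-Host "Error ($name): inheritance is still enabled" }`, reusing the existing `Get-Acl $name` result rather than calling it twice. Test-Acls continues outside this hunk.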
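Review bot: The new Authenticated Users check ignores `$_.AccessControlType`, so an explicit Deny ACE for that principal is counted as an error too, and it checks nothing for `Everyone`, which the BOSH.Utils.psm1 change now removes alongside Authenticated Users. Restricting the match to allow entries and covering both principals keeps the test aligned with Protect-Dir: `If ($_.AccessControlType -eq "Allow" -and ($_.IdentityReference -eq "NT AUTHORITY\Authenticated Users" -or $_.IdentityReference -eq "Everyone") -and ($path -eq "C:\bosh" -or $path -eq "C:\var")) {`. The `$path -eq "C:\bosh"` comparison is case-insensitive but otherwise exact, so a caller passing `C:\bosh\` or a subpath silently skips the check; presumably only those two roots are protected with Protect-Dir, but a comment such as `# Only the hardened roots are expected to lack Authenticated Users; confirm against the Protect-Dir callers` would make that assumption visible. The enclosing Test-Acls body closes outside this hunk.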
@@ -100,33 +100,49 @@ function Protect-Dir [bool]$disableInheritance = $True ) + if ($disableInheritance) + { + Write-Log "Protect-Dir: Disable Inheritance" + icacls.exe $path /inheritance:d /T + if ($LASTEXITCODE -ne 0) + { + Throw "Error disabling inheritance for $path exited with $LASTEXITCODE" + } + } + Write-Log "Protect-Dir: Grant Administrator" - cmd.exe /c cacls.exe $path /T /E /P Administrators:F + icacls.exe $path /grant "Administrators:(OI)(CI)F" /T if ($LASTEXITCODE -ne 0) { Throw "Error setting ACL for $path exited with $LASTEXITCODE" } Write-Log "Protect-Dir: Remove BUILTIN\Users" - cmd.exe /c cacls.exe $path /T /E /R "BUILTIN\Users" + icacls.exe $path /remove "BUILTIN\Users" /T if ($LASTEXITCODE -ne 0) { Throw "Error setting ACL for $path exited with $LASTEXITCODE" } Write-Log "Protect-Dir: Remove BUILTIN\IIS_IUSRS" - cmd.exe /c cacls.exe $path /T /E /R "BUILTIN\IIS_IUSRS" + icacls.exe $path /remove "BUILTIN\IIS_IUSRS" /T if ($LASTEXITCODE -ne 0) { Throw "Error setting ACL for $path exited with $LASTEXITCODE" } - if ($disableInheritance) + Write-Log "Protect-Dir: Remove NT AUTHORITY\Authenticated Users" + icacls.exe $path /remove "NT AUTHORITY\Authenticated Users" /T + if ($LASTEXITCODE -ne 0) { - Write-Log "Protect-Dir: Disable Inheritance" - $acl = Get-ACL -LiteralPath $path - $acl.SetAccessRuleProtection($True, $True) - Set-Acl -LiteralPath $path -AclObject $acl + Throw "Error setting ACL for $path exited with $LASTEXITCODE" + } + + Write-Log "Protect-Dir: Remove Everyone" + icacls.exe $path /remove "Everyone" /T + if ($LASTEXITCODE -ne 0) + { + Throw "Error setting ACL for $path exited with $LASTEXITCODE" } } 
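Review bot: When a caller passes `$disableInheritance = $False`, the four `icacls /remove` calls that follow only strip explicit ACEs, so any Authenticated Users, Everyone or BUILTIN\Users access inherited from the parent of `$path` stays in place while the function still returns success. Moving the inheritance block first is the right ordering for the default case, because `/inheritance:d` copies the inherited entries into explicit ones before they are removed, but the non-default path deserves a comment at the `if ($disableInheritance)` line, e.g. `# With inheritance left enabled, the /remove calls below cannot touch ACEs inherited from the parent; only explicit entries are stripped`. The five near-identical log/icacls/throw blocks also repeat the generic "Error setting ACL" text, which no longer says which principal or step failed; a small private helper that takes the step name and the icacls arguments would remove the duplication and make the thrown error name the step, and Protect-Path in the following hunks has the same shape.

```powershell
function Invoke-Icacls
{
    param([string]$path, [string]$step, [string[]]$icaclsArgs)

    Write-Log $step
    icacls.exe $path $icaclsArgs
    if ($LASTEXITCODE -ne 0)
    {
        Throw "Error during '$step' for $path exited with $LASTEXITCODE"
    }
}

# … unchanged: Protect-Dir param block …
    if ($disableInheritance)
    {
        # With inheritance left enabled, the /remove calls below cannot touch
        # ACEs inherited from the parent; only explicit entries are stripped.
        Invoke-Icacls $path "Protect-Dir: Disable Inheritance" @('/inheritance:d', '/T')
    }
    Invoke-Icacls $path "Protect-Dir: Grant Administrator" @('/grant', 'Administrators:(OI)(CI)F', '/T')
    Invoke-Icacls $path "Protect-Dir: Remove BUILTIN\Users" @('/remove', 'BUILTIN\Users', '/T')
    # … same call for BUILTIN\IIS_IUSRS, NT AUTHORITY\Authenticated Users and Everyone …
```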
@@ -137,6 +153,16 @@ function Protect-Path [bool]$disableInheritance = $True ) + if ($disableInheritance) + { + Write-Log "Protect-Path: Disable Inheritance" + icacls.exe $path /inheritance:d + if ($LASTEXITCODE -ne 0) + { + Throw "Error disabling inheritance for $path exited with $LASTEXITCODE" + } + } + Write-Log "Protect-Path: Grant Administrator" icacls.exe $path /grant "Administrators:(OI)(CI)F" if ($LASTEXITCODE -ne 0) @@ -158,12 +184,18 @@ function Protect-Path Throw "Error setting ACL for $path exited with $LASTEXITCODE" } - if ($disableInheritance) + Write-Log "Protect-Path: Remove NT AUTHORITY\Authenticated Users" + icacls.exe $path /remove "NT AUTHORITY\Authenticated Users" + if ($LASTEXITCODE -ne 0) { - Write-Log "Protect-Path: Disable Inheritance" - $acl = Get-ACL -LiteralPath $path - $acl.SetAccessRuleProtection($True, $True) - Set-Acl -LiteralPath $path -AclObject $acl + Throw "Error setting ACL for $path exited with $LASTEXITCODE" + } + + Write-Log "Protect-Path: Remove Everyone" + icacls.exe $path /remove "Everyone" + if ($LASTEXITCODE -ne 0) + { + Throw "Error setting ACL for $path exited with $LASTEXITCODE" } }
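Review bot: Protect-Path has no comment-based help, and after this change its behaviour is no longer obvious from the name: it disables inheritance on the single item (no `/T`, unlike Protect-Dir), keeps the copied inherited entries because `/inheritance:d` rather than `/inheritance:r` is used, grants Administrators, and then removes only the four listed principals, so any other inherited grant survives as an explicit ACE. A `.SYNOPSIS`/`.DESCRIPTION` block above the `param` section stating those four facts, plus a note that `$disableInheritance = $False` leaves inherited ACEs untouched by the `/remove` calls, would let callers choose between Protect-Path and Protect-Dir correctly. The `param` block and the start of the function lie outside this hunk.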