
Launch Permission Control Checks

A launch ACL is identified by the keyword launch_acl. The ACL name must be unique to be used with a DCOM launch permissions item. A launch ACL can contain one or more user entries.

Usage

<launch_acl: ["name"]>
    <user: ["user_name"]>
        acl_inheritance: ["value"]
        acl_apply: ["value"]
        (optional) acl_allow: ["rights value"]
        (optional) acl_deny: ["rights value"]
    </user>
</acl>

Syntax

| Associated Types | Allowed Types |
|---|---|
| acl_inheritance | not inherited, inherited |
| acl_apply | this object only |
| acl_allow, acl_deny | These settings are optional and are used to define the rights a user has on the object. Generic rights: local launch, remote launch, local activation, remote activation |

This ACL only works against Windows XP/2003/Vista (and partially against Windows 2000).

An example launch access control check is shown below:

<launch_acl: "2">
    <user: "Administrators">
        acl_inheritance: "not inherited"
        acl_apply: "This object only"
        acl_allow: "Remote Activation"
    </user>

    <user: "INTERACTIVE">
        acl_inheritance: "not inherited"
        acl_apply: "This object only"
        acl_allow: "Local Activation" | "Local Launch"
    </user>

    <user: "SYSTEM">
        acl_inheritance: "not inherited"
        acl_apply: "This object only"
        acl_allow: "Local Activation" | "Local Launch"
    </user>
</acl>
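A launch_acl block can be checked against the syntax table above before it goes into an audit file. The following Python linter is an added example, not Tenable's parser: the function name lint_launch_acl, the SAMPLE block, the case-insensitive comparison, and treating acl_inheritance and acl_apply as mandatory (they are not marked optional in the usage block) are assumptions.

```python
import re

# Allowed values come from the syntax table on this page. Comparing them
# case-insensitively is an assumption (the page's own example uses mixed case).
ALLOWED = {"acl_inheritance": {"not inherited", "inherited"}, "acl_apply": {"this object only"}}
RIGHTS = {"local launch", "remote launch", "local activation", "remote activation"}

# Constructed sample: the second entry has a misspelled right and no acl_apply.
SAMPLE = '''
<launch_acl: "example">
  <user: "Administrators">
    acl_inheritance: "not inherited"
    acl_apply: "This object only"
    acl_allow: "Local Activation" | "Local Launch"
  </user>
  <user: "INTERACTIVE">
    acl_inheritance: "not inherited"
    acl_allow: "Local Lunch"
  </user>
</acl>
'''

def lint_launch_acl(text):
    """Parse one launch_acl block; return (name, users, problems)."""
    name, user, users, problems = None, None, {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := re.fullmatch(r'<launch_acl\s*:\s*"([^"]+)"\s*>', line):
            name = m.group(1)
        elif m := re.fullmatch(r'<user\s*:\s*"([^"]+)"\s*>', line):
            user = m.group(1)
            users[user] = {}
        elif line == "</user>" and user is not None:
            for key in ALLOWED:  # assumed mandatory: not marked (optional) in the usage block
                if key not in users[user]:
                    problems.append(f"{user}: missing {key}")
            user = None
        elif line == "</acl>":
            break
        elif user is not None and (m := re.fullmatch(r'(\w+)\s*:\s*(.+)', line)):
            key = m.group(1)
            # Several rights may be combined with "|", as in the page's example.
            values = [v.strip().strip('"') for v in m.group(2).split("|")]
            users[user][key] = values
            allowed = RIGHTS if key in ("acl_allow", "acl_deny") else ALLOWED.get(key)
            if allowed is None:
                problems.append(f"{user}: unknown keyword {key}")
            problems += [f"{user}: {key} has unsupported value {v!r}"
                         for v in values if allowed and v.lower() not in allowed]
        else:
            problems.append(f"unexpected line: {line}")
    return name, users, problems
```

An empty problems list means every keyword and value in the block matches the syntax table; it does not say whether the rights granted are appropriate for the DCOM object.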

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.