What's the right way to protect a backup script in Windows?


pixel fairy

May 13, 2018, 11:49:45 PM
to Ansible Project
I have a robocopy batch script to use with diskshadow to sync files to a backup server. In Vagrant, I tried this, but it prevents the upload of the script:

- name: make a folder for backup scripts
  win_file:
    path: C:\backupscripts
    state: directory

- name: set permissions for backup script folder
  win_acl:
    path: C:\backupscripts
    user: Administrator
    type: allow
    rights:
      - FullControl

- name: set permissions for backup script folder
  win_acl:
    path: C:\backupscripts
    user: Users
    type: deny
    rights:
      - FullControl

- name: upload backup script
  win_template:
    src: sync.bat.j2
    dest: C:\backupscripts\sync.bat


but that results in:

TASK [upload backup script] ****************************************************
fatal: [wc]: FAILED! => {"changed": false, "checksum": "992922fbb15e0a8402e5d47e92e23d2503bd6ac6", "module_stderr": "Exception calling \"Run\" with \"1\" argument(s): \"Exception calling \"Invoke\" with \r\n\"0\" argument(s): \"The running command stopped because the preference variable \r\n\"ErrorActionPreference\" or common parameter is set to Stop: Access to the path \r\n'C:\\backupscripts\\sync.bat' is denied.\"\"\r\nAt line:65 char:5\r\n+     $output = $entrypoint.Run($payload)\r\n+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n    + CategoryInfo          : NotSpecified: (:) [], ParentContainsErrorRecordE \r\n   xception\r\n    + FullyQualifiedErrorId : ScriptMethodRuntimeException\r\n \r\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}


So what's the right way to do this? I'm new to Windows, so please tell me if I'm missing anything. The target is Windows Server 2012 R2.

Jordan Borean

May 14, 2018, 12:18:44 AM
to Ansible Project
Deny rights always override Allow rights in Windows ACLs. If a user is a member of the Administrator group AND the Users group, the deny you applied in the 2nd win_acl task will cause an "access is denied" message. I'm pretty sure by default an Admin account is a member of both, and that's probably what is tripping you up.

As a side note, it's better not to apply FullControl as a right but to use the granular entries to give the user only what they need. That's probably something you can look into once this is all working and you have a better understanding of the whole ACL side.

Thanks

Jordan
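The membership overlap Jordan describes can be checked directly on the target host. The PowerShell below is an added example, not code from the thread or from Ansible: it lists every ACE on the backup folder and marks which ones match the groups in the caller's own token, so a Deny ACE for Users that also hits an account in Administrators shows up explicitly. The path is assumed to be the thread's C:\backupscripts.

```powershell
# Added example (not from the thread): show which ACEs on the backup folder apply to the
# account running this script. A Deny ACE that matches any group in the token wins over
# every Allow ACE, which is the "Access to the path ... is denied" the win_template task hit.
param([string]$Path = 'C:\backupscripts')

# SIDs the current token carries: the user itself plus every group it is a member of.
# On a default install the built-in Administrator account is also in BUILTIN\Users.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User) + @($identity.Groups)

$acl    = Get-Acl -Path $Path
$denied = @()

foreach ($ace in $acl.Access) {
    # ACEs are stored by SID; translate the displayed name back so the comparison is exact
    $sid     = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    $applies = $tokenSids -contains $sid
    if ($applies -and $ace.AccessControlType -eq 'Deny') { $denied += $ace }

    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType
        Rights      = $ace.FileSystemRights
        Inherited   = $ace.IsInherited
        AppliesToMe = $applies
    }
}

if ($denied.Count -gt 0) {
    $names = ($denied | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    Write-Warning "$($denied.Count) Deny ACE(s) match this token and override any Allow: $names"
}
```

Run it from the same kind of session Ansible uses (an elevated PowerShell as the connecting account), otherwise the token groups differ from what the WinRM connection gets. `whoami /groups` gives the same membership list without the ACL comparison.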

pixel fairy

May 14, 2018, 7:56:30 AM
to Ansible Project
This seems to work. It seems the easiest way to "clear" existing permissions and start over is by disabling the inherited permissions. A normal user can't list the folder and gets access denied if they try to open a specific file that they know the path to. An admin can do anything. Am I missing anything? Is there a better way?

- name: disable inheritance on backupscripts
  win_acl_inheritance:
    path: C:\backupscripts
    state: absent

- name: set administrator permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: Administrators
    type: allow
    rights:
      - FullControl

- name: set SYSTEM permissions for backup folder
  win_acl:
    path: C:\backupscripts
    user: SYSTEM
    type: allow
    rights:
      - FullControl
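One way to answer "am I missing anything?" is to audit the resulting ACL after the playbook runs rather than trusting the tasks. The script below is an added example, not part of the thread or of Ansible: it checks that inheritance is off on the folder, that no Deny ACE exists, that every Allow ACE names one of the intended principals, and that the owner of each object is one of them too (an owner can always rewrite the DACL, so a stray owner undoes the rest). The principal names and the path are assumptions matching the thread's tasks.

```powershell
# Added example (not from the thread): post-deployment audit of the backup folder ACL.
# Exits 1 with a warning per finding, so it can be run from an Ansible task that fails on
# a non-zero return code. Principal names are assumed to match the thread's two win_acl tasks.
param(
    [string]$Path = 'C:\backupscripts',
    [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

$problems = @()
$root     = Get-Item -Path $Path

# Inheritance must be cut only at the root; files and subfolders inside should inherit from it
if (-not (Get-Acl -Path $root.FullName).AreAccessRulesProtected) {
    $problems += "$($root.FullName): inheritance from the parent is still enabled"
}

# Check the folder and everything already inside it (sync.bat and anything added later)
foreach ($item in @($root) + @(Get-ChildItem -Path $Path -Recurse -Force)) {
    $acl = Get-Acl -Path $item.FullName

    # Owner gets implicit READ_CONTROL and WRITE_DAC, so the owner must be a trusted principal
    if ($Allowed -notcontains $acl.Owner) {
        $problems += "$($item.FullName): owner is $($acl.Owner), who can change the DACL"
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') {
            $problems += "$($item.FullName): Deny ACE for $who (Deny overrides Allow for every member)"
        } elseif ($Allowed -notcontains $who) {
            $problems += "$($item.FullName): unexpected Allow ACE for $who ($($ace.FileSystemRights))"
        }
    }
}

if ($problems.Count -eq 0) {
    "OK: only $($Allowed -join ', ') have access under $Path"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Files created by the deploying account normally end up owned by BUILTIN\Administrators when that account is an administrator, so the owner check passes on the thread's setup; it flags files dropped in by anyone else. To follow the side note about granular rights, tighten `$Allowed` into a map of principal to expected `FileSystemRights` once the rights are narrowed down.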
