2.2.9 File Security

This section defines the settings that enable the administrator to specify how files and directories on the client are protected. The ABNF syntax for the entries in this category MUST be as follows.

 Header = "[" HeaderValue "]" LineBreak
 HeaderValue = "File Security"
 Settings = Setting / Setting Settings
 Setting = FileOrDirectoryPath "," PermPropagationMode "," AclString LineBreak
 FileOrDirectoryPath = String / QuotedString
 PermPropagationMode = DIGIT
 AclString = SDDL / DQUOTE SDDL DQUOTE 

The ABNF specification for the SDDL element above can be found in [MS-DTYP] section 2.5.1.1.

The following table explains each of the settings listed.

Note: All numerical values are decimal unless explicitly specified otherwise, or unless preceded by 0x.

Setting key

Explanation

FileOrDirectoryPath

The path to the file or directory that MUST be protected. It MUST be a string or a string enclosed between double quote characters as specified in the ABNF.

PermPropagationMode

Controls whether and how permissions are propagated. It MUST be one of the following values:

  • A value of "0": MUST propagate inheritable permissions to all subfolders and files.

  • A value of "1": MUST replace existing permissions on all subfolders and files with inheritable permissions.

  • A value of "2": MUST NOT allow permissions on this file or folder to be replaced.

AclString

A security descriptor that MUST be applied to the file or directory. The security descriptor MUST conform to the syntax specified in [MS-DTYP] section 2.5.1.1.
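
A parser for entries in this category, as an added example that is not part of the specification: it applies the Setting rule above line by line and rejects a PermPropagationMode outside 0 to 2. The names parse_file_security and FileSecurityEntry, the sample input, and the treatment of an unquoted String as free of commas and double quotes are assumptions; the SDDL is captured but not validated against [MS-DTYP].

```python
import re
from typing import NamedTuple

# PermPropagationMode values and their meanings, from the table above.
MODES = {0: "propagate inheritable permissions to all subfolders and files",
         1: "replace existing permissions on all subfolders and files",
         2: "do not allow permissions on this file or folder to be replaced"}

# Setting = FileOrDirectoryPath "," PermPropagationMode "," AclString
# Assumption: an unquoted String holds no comma or double quote.
SETTING = re.compile(
    r'^(?:"(?P<qpath>[^"]+)"|(?P<path>[^",]+)),'
    r'(?P<mode>[0-9]),'
    r'(?:"(?P<qsddl>[^"]+)"|(?P<sddl>[^"]+))$')

class FileSecurityEntry(NamedTuple):
    path: str
    mode: int
    sddl: str  # captured as-is; SDDL syntax is not checked here

def parse_file_security(text):
    """Return (entries, errors) for the [File Security] section of text."""
    entries, errors, in_section = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[File Security]"  # Header rule
        elif in_section and line:
            m = SETTING.match(line)
            if m is None:
                errors.append((lineno, "does not match the Setting rule"))
            elif int(m["mode"]) not in MODES:
                errors.append((lineno, "PermPropagationMode is not 0, 1 or 2"))
            else:
                entries.append(FileSecurityEntry(
                    m["qpath"] or m["path"], int(m["mode"]),
                    m["qsddl"] or m["sddl"]))
    return entries, errors

# Constructed sample input, not taken from a real policy file.
SAMPLE = r'''[File Security]
"%SystemRoot%\system32",0,"D:PAR(A;OICI;FA;;;BA)"
C:\Data,1,D:(A;;FA;;;SY)
"C:\Program Files\App, Inc",2,"D:P(A;;FR;;;BU)"
C:\Temp,7,"D:(A;;FA;;;WD)"
C:\Broken;0;D:(A;;FA;;;BA)
[Other Section]
"ignored",0,"D:(A;;FA;;;BA)"
'''
```

Entries with mode 1 deserve review before deployment, since that value replaces existing permissions on all subfolders and files.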