source: vbox/trunk/doc/manual/en_US/dita/topics/install-win-installdir-req.dita@ 105573

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
<topic xml:lang="en-us" id="install-win-installdir-req">
  <title>Windows Installation Directory Security Requirements</title>

  <body>
    <p>The installation directory on Windows hosts must meet certain security requirements, in order to be accepted by
      the Windows installer. </p>
    <p>This also applies for upgrades of <ph conkeyref="vbox-conkeyref-phrases/product-name"/>. </p>
    <p>For example, when installing <ph conkeyref="vbox-conkeyref-phrases/product-name"/> into a custom location at
        X:\Data\MyPrograms\<ph conkeyref="vbox-conkeyref-phrases/product-name"/>, all parent directories of this path
      (namely X:\Data and X:\Data\MyPrograms) must meet the following Discretionary Access Control List (DACL).
      <pre xml:space="preserve">
        Users               S-1-5-32-545:(OI)(CI)(RX)
        Users               S-1-5-32-545:(DE,WD,AD,WEA,WA)
        Authenticated Users S-1-5-11:(OI)(CI)(RX)
        Authenticated Users S-1-5-11:(DE,WD,AD,WEA,WA)
      </pre>Directory inheritance must also be disabled for all parent directories. </p>
    <p>You can use the <codeph>icacls</codeph> Windows command line tool to modify a directory to meet the security
      requirements. For example: <pre xml:space="preserve">
      icacls &lt;Directory&gt; /reset /t /c
      icacls &lt;Directory&gt; /inheritance:d /t /c
      icacls &lt;Directory&gt; /grant *S-1-5-32-545:(OI)(CI)(RX)
      icacls &lt;Directory&gt; /deny  *S-1-5-32-545:(DE,WD,AD,WEA,WA)
      icacls &lt;Directory&gt; /grant *S-1-5-11:(OI)(CI)(RX)
      icacls &lt;Directory&gt; /deny  *S-1-5-11:(DE,WD,AD,WEA,WA)
      </pre>Note that these commands must be repeated for all parent directories (X:\Data and X:\Data\MyPrograms
      in this example).</p>
  </body>

</topic>