diff --git a/ntfs_acl.py b/ntfs_acl.py
index 24a11ea..eecd01d 100644
--- a/ntfs_acl.py
+++ b/ntfs_acl.py
@@ -293,6 +293,8 @@ class SID(Constructable):
 SID_ADMINISTRATORS = SID('S-1-5-32-544') # the built-in Administrators group
 SID_SYSTEM = SID('S-1-5-18') # the Local System (NT AUTHORITY\SYSTEM) account
+SID_USERS = SID('S-1-5-32-545')
+SID_AUTH_USERS = SID('S-1-5-11') # Authenticated Users
 SID_EVERYONE = SID('S-1-1-0') # as empiricaly set by Windows 10
diff --git a/setup_win10.py b/setup_win10.py
index 25b6996..5174cfa 100755
--- a/setup_win10.py
+++ b/setup_win10.py
@@ -11,6 +11,7 @@ from pathlib import Path
 import subprocess
 import tempfile
 import parted
+from ntfs_acl import *
 my_dir = Path(__file__).parent
 if str(my_dir) not in sys.path:
@@ -138,6 +139,16 @@ def setup_part(part, wim, image_name, *, unattend=None, postproc=None, postproc_
 trg = ci_lookup(dir, 'Windows', 'Panther', 'unattend.xml', creating=True, parents=True)
 print(f"Copying unattend file: {unattend} -> {trg}")
 shutil.copy(unattend, trg)
+
+ # Unattend.xml may contain sensitive information, including administrator's
+ # password. We must protect it with correct ACLs.
+ write_sd(
+ trg,
+ SecurityDescriptor(dacl=[
+ ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_SYSTEM),
+ ACE(ACE.ALLOW, MASK_FULL_CONTROL, SID_ADMINISTRATORS) ,
+ ], dacl_inherit=False),
+ )
 for script in postproc:
 script = str(script)
 if '/' not in script: script = f"./{script}"
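Review bot: `SID_USERS` in the ntfs_acl.py hunk is the only constant in this group without a trailing comment; add `# the built-in Users group` so it reads like its neighbours. Neither `SID_USERS` nor `SID_AUTH_USERS` is referenced by the setup_win10.py hunks of this commit, and both name broad principals, so a short comment on where they are meant to be used would help a later reader judge any ACE built from them.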
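Review bot: The wildcard `from ntfs_acl import *` at the top of setup_win10.py hides where the names that build the unattend.xml DACL come from, and any later wildcard import could silently rebind `SID_SYSTEM` or `MASK_FULL_CONTROL`. Import them explicitly: `from ntfs_acl import ACE, MASK_FULL_CONTROL, SID_ADMINISTRATORS, SID_SYSTEM, SecurityDescriptor, write_sd`. The import also sits above the `my_dir` / `sys.path` lines; if that block is what makes sibling modules importable (its body is outside the hunk), the import belongs after it.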
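Review bot: In the setup_part hunk the answer file is written by `shutil.copy(unattend, trg)` before `write_sd(...)` runs, so if `write_sd` raises, the function aborts and leaves unattend.xml on the target volume with whatever descriptor it received at creation. Wrap the call so the copy is removed on failure, as sketched below. The descriptor also sets only a DACL; whether the owner ends up as something other than SYSTEM or Administrators depends on `SecurityDescriptor`, which is not visible here, and an object's owner is implicitly allowed to change its DACL, so that default is worth confirming. The stray space in `SID_ADMINISTRATORS) ,` can go. setup_part starts and ends outside the hunk.

```python
shutil.copy(unattend, trg)
try:
    write_sd(
        trg,
        # … unchanged: SecurityDescriptor granting full control to SYSTEM and Administrators, dacl_inherit=False …
    )
except BaseException:
    # Fail closed: never leave the answer file behind without the restrictive DACL.
    Path(trg).unlink()
    raise
```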