Security Basics mailing list archives

RE: File Permission Audit Tool - Windows


From: "Martyn Smith" <MSmith () col-westanglia ac uk>
Date: Wed, 26 Sep 2007 16:34:19 +0100

You can also use SetACL to do an ACL backup recursively which you can then compare against your desired policy. 

Martyn Smith
IT Network Coordinator
The College of West Anglia


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Big Joe Jenkins
Sent: 26 September 2007 14:49
Cc: security-basics () securityfocus com; security-basics-return-45887 () securityfocus com
Subject: Re: File Permission Audit Tool - Windows

Microsoft Baseline Security Analyzer does a nice job of summarizing 
permissions set on our shared folders on whatever system you run it 
against.

This won't help with non-shared folders, but it may be a good start.


On Tue, 25 Sep 2007, krymson () gmail com wrote:

I wish I could give you an easy open source/free tool, but I can't. Hopefully someone else can so I can also use it. :)

In case you do talk to some vendors, the biggest problem with reporting permissions is dealing with duplicates. Tools 
like xcacls will report every single object or folder, whether it is inherited or different from its parent. You 
really want to eliminate all that garbage and only report explicit permissions, with the assumption that inheritance 
is otherwise present downstream. Almost an exception report.


1) Free, but nearly useless
You could use cacls/xcacls, but the output you get will be next to useless.

2) Free, but a little effort
Windows PowerShell allows for some excellent scripting of permissions audits and other such stuff. If you know PS, 
you should use this as it affords you a lot of customizable power.

3) Commercial, but very cool
I really enjoyed my trials of ScriptLogic's Enterprise Security Reporter [1] a year ago. You can get some nice 
reports on permissions

[1] http://www.scriptlogic.com/products/enterprisesecurityreporter/

<- snip ->
I am looking for an audit tool that will give me a report on all the file permissions on Windows 2000/2003 servers. I 
would prefer open source but would be willing to look at commercial software if it is superior.
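
The exception report krymson describes (explicit permissions only, inheritance assumed downstream), sketched in PowerShell as an added example that is not part of any message in this thread. It assumes PowerShell 3.0 or later; the function name Get-ExplicitAce and the path D:\Shares are placeholders.

```powershell
# Added example, not from the thread. Get-ExplicitAce and D:\Shares are placeholder names.
function Get-ExplicitAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$IncludeFiles   # default: folders only, which keeps the report short
    )

    # -LiteralPath avoids wildcard expansion on names containing [ or ].
    $rootItem = Get-Item -LiteralPath $Root -Force
    $children = Get-ChildItem -LiteralPath $Root -Recurse -Force `
        -Directory:(-not $IncludeFiles) -ErrorAction SilentlyContinue -ErrorVariable walkErrors

    # Folders the walk could not enter are audit findings too, so surface them.
    foreach ($e in $walkErrors) { Write-Warning "Not enumerated: $($e.TargetObject)" }

    $items = @($rootItem)
    if ($children) { $items += $children }

    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "ACL unreadable: $($item.FullName)"; continue }

        # The root is reported in full as the baseline everything below inherits from.
        $isRoot = $item.FullName -eq $rootItem.FullName
        $aces = @($acl.Access | Where-Object { $isRoot -or -not $_.IsInherited })

        # Inheritance blocked with nothing explicit left: still worth one row.
        if ($aces.Count -eq 0 -and $acl.AreAccessRulesProtected) {
            [pscustomobject]@{ Path = $item.FullName; Identity = '(no ACEs)'; Type = $null
                Rights = $null; AppliesTo = $null; Inherited = $false
                InheritanceBlocked = $true; Owner = $acl.Owner }
        }
        foreach ($ace in $aces) {
            [pscustomobject]@{
                Path               = $item.FullName
                Identity           = $ace.IdentityReference.Value
                Type               = $ace.AccessControlType     # Allow or Deny
                Rights             = $ace.FileSystemRights
                AppliesTo          = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
                Inherited          = $ace.IsInherited           # true only on the root rows
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Owner              = $acl.Owner
            }
        }
    }
}

Get-ExplicitAce -Root 'D:\Shares' | Export-Csv -NoTypeInformation -Path .\explicit-acl.csv
```

Keeping the CSV from each run and diffing it against the previous one, or against the intended policy, gives the comparison step mentioned at the top of the thread.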

