Security Basics mailing list archives
Re: Audit access rights on shared folders
From: krymson () gmail com
Date: 19 Feb 2010 19:12:22 -0000
Good question, and you'll find that many of those nice tools to audit permissions dump things out in a completely unmanagable fashion. It is not uncommon for this exact need to be the start down the road of scripting. I've personally found PowerShell to be rather nice in this regard, and you can make your script in a way that removes duplicate entries and maybe only reports on explicit permissions and ignores everything inherited (unless it disappears). Google up "powershell auditing permissions on Windows" without the quotes for some hits. VBScript and others will do just fine as well. If you want to go commercial, I've always like ScriptLogic's Enterprise Security Reporter tool, which makes nice reports on explicit file permissions. If you just want to do this one-time, I believe they have full-function trials still. If you only want to do this every now and then, I bet you can still figure out how to keep using a trial copy by utilizing some registry snapshotting tools... (assuming no changes in the 3 years since I've toyed with it).* *It's funny how my possible ability to "pirate" software on a limited basis may help me promote that tool to others...a lesson we've stopped listening to since 2003ish... <- snip -> Hi list, in a typical Active Directory (Windows server 2003) corporate environment, I would like to test access rights of all AD users on those folders that are used for work. The aim is to insure that confidential folders (like HR documents, confidential agreements, Top Management folders...) are properly restricted only to authorized people. I found that Dumpsec 2.8.2 (the old and portable version) is quite useful for this aim, even if in case of shortcut sometimes it goes in loop. However the problem is that the result is too difficult and long to be analysed, because you have to manually go through all the directory tree in order to see who has access right to a specific folder. Look at the example below: Path (exception dirs and files) Account Own Dir File \\SRV\D$\Clients\Letters\*.*client\ guest1 dx001f01ff \\SRV\D$\Clients\Letters\*.*client\ Administrators all \\SRV\D$\Clients\Letters\*.*client\ JPWQThomas o all \\SRV\D$\Clients\Letters\*.*client\ SYSTEM all \\SRV\D$\Clients\Letters\*.*client\ EMasreten all \\SRV\D$\Clients\Letters\*.*client\ Users RWXD RWXD How can I do it in a more effective way? Is there a tool (or a windows script) that can help me performing this test? Moreover, since I am not a SYS ADMIN of servers I have to audit, I would like to have something that does not require to be installed (i.e. portable applications or relying on DOS/NET commands). Thank you for your help! giopas ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Audit access rights on shared folders giopas (Feb 19)
- <Possible follow-ups>
- Re: Audit access rights on shared folders krymson (Feb 19)