Home page logo

basics logo Security Basics mailing list archives

Re: Audit access rights on shared folders
From: krymson () gmail com
Date: 19 Feb 2010 19:12:22 -0000

Good question, and you'll find that many of those nice tools to audit permissions dump things out in a completely 
unmanagable fashion.

It is not uncommon for this exact need to be the start down the road of scripting. I've personally found PowerShell to 
be rather nice in this regard, and you can make your script in a way that removes duplicate entries and maybe only 
reports on explicit permissions and ignores everything inherited (unless it disappears). Google up "powershell auditing 
permissions on Windows" without the quotes for some hits. VBScript and others will do just fine as well.

If you want to go commercial, I've always like ScriptLogic's Enterprise Security Reporter tool, which makes nice 
reports on explicit file permissions. If you just want to do this one-time, I believe they have full-function trials 
still. If you only want to do this every now and then, I bet you can still figure out how to keep using a trial copy by 
utilizing some registry snapshotting tools... (assuming no changes in the 3 years since I've toyed with it).*

*It's funny how my possible ability to "pirate" software on a limited basis may help me promote that tool to others...a 
lesson we've stopped listening to since 2003ish...

<- snip ->
Hi list,

in a typical Active Directory (Windows server 2003) corporate
environment, I would like to test access rights of all AD users on
those folders that are used for work.

The aim is to insure that confidential folders (like HR documents,
confidential agreements, Top Management folders...) are properly
restricted only to authorized people.

I found that Dumpsec 2.8.2 (the old and portable version) is quite
useful for this aim, even if in case of shortcut sometimes it goes in
However the problem is that the result is too difficult and long to be analysed,
because you have to manually go through all the directory tree in
order to see who has access right to a specific folder.

Look at the example below:

Path (exception dirs and files) Account Own Dir File
\\SRV\D$\Clients\Letters\*.*client\ guest1 dx001f01ff
\\SRV\D$\Clients\Letters\*.*client\ Administrators all
\\SRV\D$\Clients\Letters\*.*client\ JPWQThomas o all

\\SRV\D$\Clients\Letters\*.*client\ SYSTEM all
\\SRV\D$\Clients\Letters\*.*client\ EMasreten all
\\SRV\D$\Clients\Letters\*.*client\ Users RWXD RWXD

How can I do it in a more effective way? Is there a tool (or a windows
script) that can help me performing this test?

Moreover, since I am not a SYS ADMIN of servers I have to audit, I
would like to have something that does not require to be installed
(i.e. portable applications or relying on DOS/NET commands).

Thank you for your help!


Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]