Home page logo
/

basics logo Security Basics mailing list archives

Re: Access Management on file shares and client-server apps
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Mon, 14 Nov 2011 23:55:29 +0100

On 2011-11-14 krymson () gmail com wrote:
Including "desktop client-server applications" may confuse the issue
quite a bit. I'll read this as: You want to find a way to audit and
maybe track changes to permissions settings on Microsoft folders.
(I'll ignore share permissions, since share permissions should just be
open and NTFS is where you should be explicit; but that itself is an
arguable viewpoint...)

It's been years since I used it, but I always liked ScriptLogic's
Enterprise Security Reporter. It should be able to scan a folder
location, interrogate the NTFS permissions, and generate a nice report
that tells you all the effective permissions. I can't comment on how
it tracks changes.

If you're good about managing NTFS permissions properly by never
assigning explicit AD *user accounts* permissions to folders and
instead only assigning AD *groups* (that users are members of) to
folders, you could get away with just interrogating AD groups and
memberships. At that point you'll be looking at Active Directory
change management/audit tools that tell you when new groups are made
and when those groups are modified with new or removed users (or track
user changes similarly).

Monitoring changes to AD groups is not sufficient if the task is to
track changes to permissions on files or folder. Even if you properly
handle access through group memberships, there's still the possibility
that permissions for some group were added to or revoked from a file or
folder.

If you want to track changes to permissions, SACLs are the way to go
(see e.g. [1]). If you want to analyze the current permissions, there is
a variety of tools you can use, like ntfsacls [2], DumpSec [3], or my
own script AuditACLs.vbs [4] (if you'll forgive the shameless plug).

[1] http://www.windowsitpro.com/article/permissions/auditing-permission-changes-on-a-folder
[2] http://www.coopware.in2.info/_ntfsacl.htm
[3] http://www.systemtools.com/somarsoft/
[4] http://www.planetcobalt.net/sdb/auditacls.shtml

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]