Home page logo

basics logo Security Basics mailing list archives

Re: Access Management on file shares and client-server apps
From: krymson () gmail com
Date: Tue, 22 Nov 2011 21:51:14 GMT

Yes, you're absolutely right. I hadn't meant to say, specifically, that you don't have to back up your practices with 
actual ACL scanning. I was entirely relying on the idea that you only do it by groups/AD manipulation and nothing else.

And yet, even then you want to verify...!

:) Thanks for fixing that for me, Ansgar!

<- snip ->

On 2011-11-14 krymson (at) gmail (dot) com [email concealed] wrote:
Including "desktop client-server applications" may confuse the issue
quite a bit. I'll read this as: You want to find a way to audit and
maybe track changes to permissions settings on Microsoft folders.
(I'll ignore share permissions, since share permissions should just be
open and NTFS is where you should be explicit; but that itself is an
arguable viewpoint...)

It's been years since I used it, but I always liked ScriptLogic's
Enterprise Security Reporter. It should be able to scan a folder
location, interrogate the NTFS permissions, and generate a nice report
that tells you all the effective permissions. I can't comment on how
it tracks changes.

If you're good about managing NTFS permissions properly by never
assigning explicit AD *user accounts* permissions to folders and
instead only assigning AD *groups* (that users are members of) to
folders, you could get away with just interrogating AD groups and
memberships. At that point you'll be looking at Active Directory
change management/audit tools that tell you when new groups are made
and when those groups are modified with new or removed users (or track
user changes similarly).

Monitoring changes to AD groups is not sufficient if the task is to
track changes to permissions on files or folder. Even if you properly
handle access through group memberships, there's still the possibility
that permissions for some group were added to or revoked from a file or

If you want to track changes to permissions, SACLs are the way to go
(see e.g. [1]). If you want to analyze the current permissions, there is
a variety of tools you can use, like ntfsacls [2], DumpSec [3], or my
own script AuditACLs.vbs [4] (if you'll forgive the shameless plug).

[1] http://www.windowsitpro.com/article/permissions/auditing-permission-chan
[2] http://www.coopware.in2.info/_ntfsacl.htm
[3] http://www.systemtools.com/somarsoft/
[4] http://www.planetcobalt.net/sdb/auditacls.shtml

Ansgar Wiechers

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]