Penetration Testing mailing list archives
Re: Bypassing NTFS ACL
From: "Capixaba" <capixaba () brturbo com br>
Date: Thu, 24 Feb 2005 23:46:48 -0300
Hi there Chris,
I don't know if this is what you're looking for...maybe this is not too difficult... :-)
If I got the point, your situation is the same as trying to access a private folder that's not yours...or does not belong to your current user....if this is the case, Microsoft has a paper on it...the link is: http://support.microsoft.com/kb/810881/en-us
Anyway, I'll quote here Microsoft's solution for the problem...and below that, is another solution that is not the Microsoft way... :-P
-----------
1. Turn off Simple File Sharing:
   a. Click Start, and then click My Computer.
   b. On the Tools menu, click Folder Options, and then click the View tab.
   c. Under Advanced Settings, click to clear the Use simple file sharing (Recommended) check box, and then click OK.
2. Right-click the folder that you want to take ownership of, and then click Properties.
3. Click the Security tab, and then click OK on the Security message, if one appears.
4. Click Advanced, and then click the Owner tab.
5. In the Name list, click your user name, Administrator if you are logged in as Administrator, or click the Administrators group.
   If you want to take ownership of the contents of that folder, click to select the Replace owner on subcontainers and objects check box.
6. Click OK.
   You may receive the following error message, where Folder is the name of the folder that you want to take ownership of:
   You do not have permission to read the contents of directory Folder. Do you want to replace the directory permissions with permissions granting you Full Control? All permissions will be replaced if you press Yes.
7. Click Yes.
8. Click OK, and then reapply the permissions and security settings that you want for the folder and the folder contents.
------------
Well, maybe this is not enough for you....maybe you want some way that is not that "polite"...if this is your case...here it goes:
Part 1: Putting Windows security down:
Control Panel / Administrative tools / Local Security Policies / Local Policies / "Users Rights" (or something like that...:-P )
Click on "Generate Security Auditing" -> Add User or Group / Advanced / Find Now / Select your current user / Ok / Apply / OK
Go into the service "Manage auditing and the security log" (once more....it's something like this...lol ) and do the same steps mentioned above...
Part 2: Changing the permissions
- Reboot
- Go into the safe mode
- Log on as Administrator (as this is for personal purposes only, and not meant to hack any users' files, I'll assume that you are the local administrator of the machine...)
- Go to the "blocked" folder..
- Right click / properties / Security / Advanced / in the auditing section -> Add / Advanced / Select the Admin Account / OK / Apply / OK
- In the Owner section / Select the Admin account and mark the Replace owner on subcontainers and objects / Apply / OK
DONE!!! Now you can access the folder...
Well, I hope this was enough... :-)
See yah, and sorry for the poor English!
Regards,
Everton MCP

----- Original Message -----
From: <chris () compucounts com>
To: <pen-test () securityfocus com>
Sent: Friday, February 18, 2005 5:49 PM
Subject: Bypassing NTFS ACL

I've got domain admin access to a Windows 2003 server, and have encountered a series of directories that are protected by custom ACLs which do not include any group I am a member of and are not inheriting the ACL of their parent directory. I know there are plenty of simple solutions to this problem such as joining the group, taking ownership of the directory, etc, however I'm looking for a slightly more difficult solution that wouldn't be noticed. I want to bypass the ACL. I figured that if root can do it in UNIX, SYSTEM could do it in Windows, but it looks like I'm wrong:
--
C:\> whoami
nt authority\system
C:\> cd somedir
Access is denied.
--
Is there any means of bypassing the ACL while the system is online without rewriting it? I'm going to reiterate: Yes there are plenty of other ways to do this, but I want to be difficult :) This could come in handy later on.
Thanks,
- Chris
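
For the defender's side of the ownership procedure quoted in the reply above, this added example (not part of the original posts or of the Microsoft article) compares a folder's security descriptor before and after and reports an owner change and a replaced DACL. It assumes both descriptors were captured as plain SDDL strings (for example the Sddl property returned by PowerShell's Get-Acl); the SIDs and SDDL values are constructed.

```python
import re

def parse_sddl(sddl):
    """Split an SDDL string into owner, DACL flags and DACL ACEs."""
    marks = list(re.finditer(r"([OGDS]):", sddl))   # component tags O:, G:, D:, S:
    parts = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    dacl = parts.get("D", "")
    return {
        "owner": parts.get("O"),
        "flags": dacl.split("(", 1)[0],             # "P" = protected from inheritance
        "aces": re.findall(r"\(([^)]*)\)", dacl),   # type;flags;rights;guid;guid;trustee
    }

def compare_descriptors(before, after):
    """Return findings describing how a folder's descriptor changed."""
    b, a = parse_sddl(before), parse_sddl(after)
    findings = []
    if b["owner"] != a["owner"]:
        findings.append(f"owner changed: {b['owner']} -> {a['owner']}")
    removed = [ace for ace in b["aces"] if ace not in a["aces"]]
    added = [ace for ace in a["aces"] if ace not in b["aces"]]
    if b["aces"] and len(removed) == len(b["aces"]):
        findings.append("DACL replaced: no original ACE survives")
    elif removed:
        findings.append(f"{len(removed)} ACE(s) removed")
    for ace in added:
        # Assumes plain six-field ACEs (no conditional expressions).
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")
        if ace_type == "A" and rights == "FA":      # allow + FILE_ALL_ACCESS
            findings.append(f"full control granted to {trustee}")
    if ("P" in b["flags"]) != ("P" in a["flags"]):
        findings.append("inheritance protection flag changed")
    return findings

# Constructed sample: a private folder owned by one user, then taken over
# by the built-in Administrators group (BA) with a Full Control ACE.
USER = "S-1-5-21-1111111111-2222222222-3333333333-1013"
BEFORE = f"O:{USER}G:DUD:PAI(A;OICI;FA;;;{USER})"
AFTER = "O:BAG:DUD:PAI(A;OICI;FA;;;BA)"

if __name__ == "__main__":
    for finding in compare_descriptors(BEFORE, AFTER):
        print(finding)
```
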
