Re: Script (s) to help with file security audit
- From: Wolfie <Wolfie@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 4 May 2009 12:57:01 -0700
Hi Al,
Thanks for your response!
What we initially wanted to do was verify that all shares and folders are
using AD groups for permissions rather than user accounts. After we talked
about it, we decided that we should check all permissions and verify they are
correct.
There are a few folks managing files here and it starts to get messy after a
while. 8-D
By specific location I meant I want to scan all files and folders on
specific hard drives. We can do this either locally on the server or
remotely (I'll connect to the admin share if needed).
You make an excellent point about the row limit in Excel, I didn't think
about that. We have several folders on this drive that we want to audit the
permissions on, instead of doing the entire drive I could easily do the check
on each folder and its contents. I am confident we won't hit the limit if
we do it this way.
In retrospect, I don't think we need to check the individual files for their
exact permissions. Could we check to see if they have the inherit option
selected? This would flag any for me where they have specific perms set up.
I know there won't be more than a few so I can check these manually.
I would like the output as follows (I am using commas to separate the column
headers):
For Users/Groups:
Name,Type (User or Group),AD Location,Members (if groups)
For Files/Folders:
Object Type (File/Folder),Full Path,Name,Are perms inherited?,Who has
access?,What access do they have?
I looked at the info on ADsSecurity.DLL and to be honest, I'm even more
confused.
I took a look at CACLS (never used it before) and I think it will work. I
can figure out how to parse it, despite how I'm feeling at the moment I'm
really not that dense! One thing I can't figure out from what I found is how
do you tell CACLS to return the perms on all files and folders within a given
spot? I know that *.* will do the contents of where you are but how do you
tell it to run recursively?
Now for the AD User/Group information, do you have any tips on that?
I really appreciate your feedback on this one.
Nancy
"Al Dunbar" wrote:
"Nancy R" <NancyR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6155AD61-4B27-4B41-A454-56E5575C8C37@xxxxxxxxxxxxxxxx
Hi folks,
I think this is the right newsgroup, if not I apologize upfront.
You could have cross-posted to microsoft.public.windows.server.security, but
here is OK if you want a scripted solution. Depending on the expertise
available to you, you might also consider
microsoft.public.windows.powershell.
I need to do a few things as part of our file security audit (we will be
doing this regularly going forward so I am hoping to automate at least part
of it).
This is what I need to do:
1 - Get a list of all files and folders in a specific location (I can access
remotely or locally so whichever is the easiest way).
"Specific location" meaning "folder" (with or without recursion), "share",
or "file server"?
Ideally I would like to return the path and file name as separate items
rather than one long string.
That would be the simple part.
2 - Get a list of all local and domain users and groups which have access to
each file and folder along with the level of access each has.
a bit trickier
3 - Flag any objects where the permissions are different from its parent
object.
file object permissions will never be identical to those of the parent, as
nothing can inherit permissions from a file.
4 - Get a list of all domain users along with their AD location.
5 - Get a list of all domain groups including group membership and AD
location.
those last two might more likely belong in separate scripts.
I would also like to be able to have the information returned in some kind
of delimited format so we can work with the data in Excel.
Excel can only show 65535 rows, whereas what you are looking for could
possibly push that limit, depending on your parameters.
I realize that they can't all be combined but I am hoping it will be
possible to do the first three items together then do the last two
together.
good call. see my comment above.
I have looked around and found what appears to be a million different ways
to do this and I am not sure where to start.
Where to start is to determine:
- what you want to see in the output of the script;
- how you want the info to be represented; and:
- scope and size: just the objects in one folder, or all nested objects.
I do have some limited experience with scripting and have already scripted
some of our more time consuming tasks but I feel like I'm going cross-eyed
when I look at the examples that are available.
That's nothing! If you were able to produce a report of exactly what you
have described you could be looking at so much detailed information your
cross-eyed condition would only worsen.
Can someone provide some tips on where I can start looking for information or
perhaps even some script examples?
I wrote a vbscript that kind of does as you suggest. It uses ADsSecurity.DLL
(for some info on using this, see
http://www.tek-tips.com/viewthread.cfm?qid=80789&page=396) to extract
detailed Access Control Entries. At this level things are MUCH more detailed
than you might think, even when compared with what you see on the advanced
security tab. In fact, the detail can be quite different from one folder to
the next even though the effective permissions and inheritance may seem the
same on both.
I have done similar using the output from CACLS.EXE, which at least displays
somewhat more meaningful descriptors of the kinds of access being given,
using words instead of bit fields. To put this into a spreadsheet, you would
need to parse the somewhat arcane style of output.
You might get farther by considering powershell...
But all that said, you need to consider what your purpose is in doing this
audit. Are you looking for violations of access where individuals have
access to what they should not have? Or where those that should have access
do not? Or where permissions are given to individuals rather than groups? Or
where unauthorized permission changes have been made? Or do you just need a
list of the individuals that have certain levels of access whether directly
or through group membership?
In my opinion if you simply dump a full and complete representation of the
permissions structure, you will be dealing with so much detail that you will
be hard put to address any one of those possible requirements.
/Al
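As an added example (not code from either poster), the PowerShell route Al hints at, covering the file/folder columns Nancy lists via Get-Acl instead of parsing CACLS output; the AD user/group report is a separate job, and $Root and $OutCsv are placeholder paths.

```powershell
# Added example, not code from the thread. Walks a folder tree with Get-Acl and
# emits Nancy's file/folder columns (type, path, name, inherited?, who, access)
# as CSV for Excel. $Root and $OutCsv are placeholders; adjust before running.
param(
    [string]$Root   = 'D:\Shares\Finance',
    [string]$OutCsv = 'C:\Temp\acl-audit.csv'
)

function Get-AclRow {
    param($Item)   # a DirectoryInfo or FileInfo object from Get-ChildItem
    $type = if ($Item -is [System.IO.DirectoryInfo]) { 'Folder' } else { 'File' }
    try {
        $acl = Get-Acl -LiteralPath $Item.FullName -ErrorAction Stop
    } catch {
        # Not being able to read an ACL is itself a finding, so keep a row for it.
        return [pscustomobject]@{ ObjectType = $type; FullPath = $Item.FullName; Name = $Item.Name
            Inherited = 'UNKNOWN (cannot read ACL)'; Who = ''; Access = ''; ExplicitACE = '' }
    }
    # "Inherited" = inheritance from the parent is not blocked AND no ACE was added here.
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $inherited = (-not $acl.AreAccessRulesProtected) -and ($explicit.Count -eq 0)
    # Files that simply inherit only need flagging, not their full ACE list.
    $aces = if ($type -eq 'Folder' -or -not $inherited) { @($acl.Access) } else { @() }
    if ($aces.Count -eq 0) { $aces = @($null) }    # still emit one row per object
    foreach ($ace in $aces) {
        [pscustomobject]@{
            ObjectType  = $type
            FullPath    = $Item.FullName
            Name        = $Item.Name
            Inherited   = if ($inherited) { 'Yes' } else { 'No' }
            Who         = if ($ace) { $ace.IdentityReference.Value } else { '' }
            Access      = if ($ace) { "$($ace.AccessControlType): $($ace.FileSystemRights)" } else { '' }
            ExplicitACE = if ($ace) { -not $ace.IsInherited } else { '' }
        }
    }
}

# Root folder first, then everything beneath it (hidden/system objects included).
$items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
$items | ForEach-Object { Get-AclRow -Item $_ } | Export-Csv -LiteralPath $OutCsv -NoTypeInformation

# Quick look at the objects whose permissions break from their parent (Nancy's item 3):
Import-Csv -LiteralPath $OutCsv | Where-Object { $_.Inherited -ne 'Yes' } |
    Select-Object FullPath, Who, Access | Format-Table -AutoSize
```

Running it per top-level folder, as Nancy plans, keeps each CSV under the Excel row limit Al raised.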