Re: Script (s) to help with file security audit




Hi Al,

Thanks again for your feedback.

I was looking around and found a utility called DumpSec
(http://www.systemtools.com/somarsoft/index.html) that gives me the listing I
am looking for.

It has the ability to export the data to CSV file and I can run it from the
command line so it can be automated.

I'll need to parse out the path from the end folder/file name but I think I
can do this in Excel without too much trouble.

I am going to use this to dump the permission info on our data folders and
compare it to our AD users and groups. We have a small enough group of
computer users here that I know each user so I will be able to do a visual
check and manually lookup anything that seems odd.

Our setup is pretty streamlined in so far as we have standard groups that
are used for perms and we add/remove users as needed so there shouldn't be
very many spots where we've used individual accounts but that is one of the
things we are checking for.

Thanks for all of your help with this and sorry for the long route I took to
get to this point. It's the first time I've ever done anything like this so
I think I made the mistake of going too complex initially.

Nancy



"Al Dunbar" wrote:


"Wolfie" <Wolfie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AB0DBD5E-5BF0-4AA4-8D0C-907F6E373179@xxxxxxxxxxxxxxxx
Hi Al,

Thanks for your response!

you're welcome.

What we initially wanted to do was verify that all shares and folders are
using AD groups for permissions rather than user accounts. After we talked
about it, we decided that we should check all permissions and verify they
are correct.

I wondered about that. If your script knows what is correct, would you then
just have it report discrepancies, or correct them?

There are a few folks managing files here and it starts to get messy after
a while. 8-D

Understatement!

By specific location I meant I want to scan all files and folders on
specific hard drives. We can do this either locally on the server or
remotely (I'll connect to the admin share if needed).

You make an excellent point about the row limit in Excel, I didn't think
about that. We have several folders on this drive that we want to audit the
permissions on; instead of doing the entire drive I could easily do the
check on each folder and its contents. I am confident we won't hit the limit
if we do it this way.

Great. You could have a script create the output files based on the folder
being processed.

In retrospect, I don't think we need to check the individual files for their
exact permissions. Could we check to see if they have the inherit option
selected?

Probably, but that is one aspect of the details that I have not come to
grips with. Having looked at output from my (very rudimentary) script, I
have come to the conclusion that there are a number of ACE combinations that
imply inheritance.

This would flag any for me where they have specific perms setup.
I know there won't be more than a few so I can check these manually.

I would like the output as follows (I am using commas to separate the column
headers):
For Users/Groups:
Name,Type (User or Group),AD Location,Members (if groups)

The trouble arises from the fact that groups typically have multiple
members, and any cell containing enough content to require line-wrapping
will be very hard to read. If you do this, I'd suggest using the
sAMAccountName instead of the DN.

Alternately, a separate row for each member... but then you risk bumping
into the row length limitation again...

For Files/Folders:
Object Type (File/Folder),Full Path,Name,Are perms inherited?,Who has
access?,What access do they have?

who has access and what access do they have: I don't see how you could
possibly put this all on one line while at the same time making it possible
to read. So then you'd have separate row for each ACE. Keep in mind that if
one trustee has multiple permissions, he will need multiple rows. For
example, someone could inherit read-only, be granted read/write, and be
denied delete.

The other question is: will the "who" column contain the direct trustees
having an explicit ACE? Or will you expand groups to include their members?
And, if so, will you expand groups recursively?

And if you do all that, and produce a complete list of all individual
accounts having different types of access, good luck determining if there
are any improper permissions. That would only be possible if the person
reviewing the info actually knew all of the users.

I looked at the info on ADsSecurity.DLL and to be honest, I'm even more
confused.

That stuff is extremely detailed, but, imho, that is how security actually
works.

I took a look at CACLS (never used it before) and I think it will work. I
can figure out how to parse it, despite how I'm feeling at the moment I'm
really not that dense! One thing I can't figure out from what I found is how
do you tell CACLS to return the perms on all files and folders within a
given spot? I know that *.* will do the contents of where you are but how do
you tell it to run recursively?

/T switch.

Now for the AD User/Group information, do you have any tips on that?

I thought that was what you asked above.

If you have an extremely convoluted and badly organized set of shared folder
permissions, no amount of analysis will make sense of it, as it becomes way
too complex. If you have a well-defined approach, you won't need to audit
it, as it would be easier to simply re-apply the required permissions.

By well-defined, I mean the following:

- logical user/group structure based on department, job title, etc.
- use only basic permissions: read-only and read/write. reserve full for
admins only, and avoid deny altogether.
- for each type of permission required on a given folder, permit it to a
separate and single-purpose group.
- create the "resource permission groups" when the folder is created, permit
them at that time, and never change the permissions afterwards.
- No group should be permitted to more than one resource.

Once things are configured this way, you "permit" groups or individuals by
adding them to the groups having the permissions they require, and de-permit
by removing them.


/Al

I really appreciate your feedback on this one.

Nancy

"Al Dunbar" wrote:


"Nancy R" <NancyR@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6155AD61-4B27-4B41-A454-56E5575C8C37@xxxxxxxxxxxxxxxx
Hi folks,

I think this is the right newsgroup, if not I apologize upfront.

You could have cross-posted to microsoft.public.windows.server.security, but
here is OK if you want a scripted solution. Depending on the expertise
available to you, you might also consider
microsoft.public.windows.powershell.

I need to do a few things as part of our file security audit (we will be
doing this regularly going forward so I am hoping to automate at least part
of it).

This is what I need to do:
1 - Get a list of all files and folders in a specific location (I can access
remotely or locally so whichever is the easiest way).

"Specific location" meaning "folder" (with or without recursion), "share",
or "file server"?

Ideally I would like to return the path and file name as separate items
rather than one long string.

That would be the simple part.

2 - Get a list of all local and domain users and groups which have access to
each file and folder along with the level of access each has.

a bit trickier

3 - Flag any objects where the permissions are different from its parent
object.

file object permissions will never be identical to those of the parent, as
nothing can inherit permissions from a file.

4 - Get a list of all domain users along with their AD location.
5 - Get a list of all domain groups including group membership and AD
location.

those last two might more likely belong in separate scripts.


I would also like to be able to have the information returned in some kind
of delimited format so we can work with the data in Excel.

Excel can only show 65535 rows, whereas what you are looking for could
possibly push that limit, depending on your parameters.

I realize that they can't all be combined but I am hoping it will be
possible to do the first three items together then do the last two
together.

good call. see my comment above.

I have looked around and found what appears to be a million different ways
to do this and I am not sure where to start.

Where to start is to determine:

- what you want to see in the output of the script;
- how you want the info to be represented; and:
- scope and size: just the objects in one folder, or all nested objects.

I do have some limited experience with scripting and have already scripted
some of our more time consuming tasks but I feel like I'm going cross-eyed
when I look at the examples that are available.

That's nothing! If you were able to produce a report of exactly what you
have described you could be looking at so much detailed information your
cross-eyed condition would only worsen.

Can someone provide some tips on where I can start looking for information
or perhaps even some script examples?

I wrote a vbscript that kind of does as you suggest. It uses ADsSecurity.DLL
(for some info on using this, see
http://www.tek-tips.com/viewthread.cfm?qid=80789&page=396) to extract
detailed Access Control Entries. At this level things are MUCH more detailed
than you might think, even when compared with what you see on the advanced
security tab. In fact, the detail can be quite different from one folder to
the next even though the effective permissions and inheritance may seem the
same on both.

I have done similar using the output from CACLS.EXE, which at least displays
somewhat more meaningful descriptors of the kinds of access being given,
using words instead of bit fields. To put this into a spreadsheet, you would
need to parse the somewhat arcane style of output.

You might get farther by considering powershell...

But all that said, you need to consider what your purpose is in doing this
audit. Are you looking for violations of access where individuals have
access to what they should not have? Or where those that should have access
do not? Or where permissions are given to individuals rather than groups? Or
where unauthorized permission changes have been made? Or do you just need a
list of the individuals that have certain levels of access whether directly
or through group membership?

In my opinion if you simply dump a full and complete representation of the
permissions structure, you will be dealing with so much detail that you will
be hard put to address any one of those possible requirements.

/Al
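The thread settles on one CSV row per Access Control Entry, with an inheritance flag and a check for permissions granted to individual accounts rather than groups. The script below is an added example (not Al's vbscript, not Nancy's DumpSec export) that produces that layout with Get-Acl, which Al hints at when he suggests PowerShell. It assumes Windows PowerShell on a box that can reach the domain; `$Root`, `$OutCsv` and the `Get-TrusteeType` helper (which classifies a trustee through the WinNT ADSI provider) are this example's own placeholders.

```powershell
param(
    [string]$Root   = 'D:\Data',                    # placeholder: tree to audit
    [string]$OutCsv = "$env:TEMP\acl-audit.csv"     # placeholder: report file
)

$typeCache = @{}   # trustee name -> 'User' | 'Group' | 'WellKnown' | 'Unknown'

function Get-TrusteeType([string]$Trustee) {
    # Classify a trustee so explicit grants to individual users stand out.
    if ($typeCache.ContainsKey($Trustee)) { return $typeCache[$Trustee] }
    $type = 'Unknown'
    if ($Trustee -match '^(NT AUTHORITY|BUILTIN|NT SERVICE|CREATOR OWNER|Everyone)') {
        $type = 'WellKnown'
    } elseif ($Trustee -match '^([^\\]+)\\(.+)$') {
        # Assumption: the WinNT ADSI provider can resolve DOMAIN\name (or
        # SERVER\name); SchemaClassName is then 'User' or 'Group'.
        try { $type = ([ADSI]"WinNT://$($Matches[1])/$($Matches[2])").SchemaClassName }
        catch { $type = 'Unknown' }
        if (-not $type) { $type = 'Unknown' }
    }
    $typeCache[$Trustee] = $type
    return $type
}

# Root folder first, then everything beneath it (CACLS /T equivalent).
$objects = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$rows = foreach ($obj in $objects) {
    $acl = Get-Acl -LiteralPath $obj.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $objType = if ($obj.PSIsContainer) { 'Folder' } else { 'File' }
    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value
        $kind    = Get-TrusteeType $trustee
        $flags   = @()
        # Review flags: explicit ACE to a single user, a Deny ACE, or an
        # object whose inheritance from the parent has been switched off.
        if ((-not $ace.IsInherited) -and ($kind -eq 'User')) { $flags += 'ExplicitUserACE' }
        if ($ace.AccessControlType -eq 'Deny')                { $flags += 'DenyACE' }
        if ($acl.AreAccessRulesProtected)                     { $flags += 'InheritanceDisabled' }
        [pscustomobject]@{
            ObjectType   = $objType
            Path         = Split-Path -Parent $obj.FullName   # path and name kept separate
            Name         = $obj.Name
            AceInherited = $ace.IsInherited
            Trustee      = $trustee
            TrusteeType  = $kind
            Access       = $ace.FileSystemRights.ToString()
            AllowDeny    = $ace.AccessControlType.ToString()
            ReviewFlags  = ($flags -join ';')
        }
    }
}

$rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
"Wrote $($rows.Count) ACE rows; $(@($rows | Where-Object ReviewFlags).Count) flagged for review."
```

Running it once per top-level folder (rather than per drive) keeps each CSV under the Excel row limit discussed above, and sorting on ReviewFlags brings the handful of explicit user grants to the top for the manual check Nancy describes.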
