A really good question recently came up on the SANS GIAC advisory board. Basically, someone needed to audit the NTFS permissions on a set of files and directories (I will refer to them as objects). Easy, right? Oh, I forgot to mention that “Administrators” had no rights to these objects, and modifying (like taking ownership) the permissions for these objects was out of the question.
At first, I drew a blank. But then it hit me that Backup Operators have a very special right which allows them to copy objects that they do not have rights to. So… I figured one could grant themselves that right and then copy the objects, using a tool like Robocopy in backup mode to preserve the permissions, to a folder that Administrators had rights to. For example (source and destination are placeholders):
robocopy <source> <destination> /Z /E /B /SEC /COPYALL /R:1 /W:5
In theory, the objects should inherit the parent folder permissions thus granting the ability to audit the non-inherited permissions. Well, apparently, that didn’t work. So I did some searching around and found a utility called FILEACL. One of the features for this utility is: “Uses Backup and Restore Rights to view/change ACL/ownership on non accessible files/dir”. In other words, using this utility, you can audit permissions for objects that you do not have rights to.
To download this tool, use the following Web site:
Link
Also for your pleasure, I wrote the following PSH script which will give you a custom report. I still need to clean it up a bit, but you should be able to take it from there:
$StartingPoint = "C:\Audit"
$RootItem = Get-Item $StartingPoint

# Template object for each row of the report
$ACLReportTemplate = New-Object psobject
$ACLReportTemplate | Add-Member -MemberType NoteProperty -Name ObjectName -Value $null
$ACLReportTemplate | Add-Member -MemberType NoteProperty -Name ACL -Value $null
$objResult = @()

# Build list of ACLs; FILEACL uses Backup/Restore rights to read objects we cannot otherwise access
$ACLList = &'.\fileacl.exe' "$($StartingPoint)" /SUB /FILES /ADVANCED /OWNER /FORCE

$ACLList | foreach {
    # Copy the template so each row is a distinct object
    $objTemp = $ACLReportTemplate | Select-Object *
    # FILEACL separates the object name from its ACL with a semicolon
    $i = $_.Split(";")
    $objTemp.ObjectName = $i[0]
    $objTemp.ACL = $i[1]
    $objResult += $objTemp
}

$objResult
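As an added example (not the original post's script), the following builds the same kind of report with PowerShell's own Get-Acl for a tree the caller can read: it lists the owner and the explicit (non-inherited) ACEs of every object, and records each object whose security descriptor still cannot be read instead of skipping it, so you know exactly which objects need the FILEACL route. The starting path, the output location and the function name are assumptions.

```powershell
# Added example: explicit-ACE report over a readable tree (starting path is a placeholder).
param(
    [string] $StartingPoint = "C:\Audit",
    [switch] $IncludeInherited
)

function Get-ExplicitAclReport {
    param([string] $Path, [switch] $IncludeInherited)

    # Root plus everything beneath it; -Force includes hidden and system objects
    $root    = Get-Item -LiteralPath $Path -Force
    $objects = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($obj in $objects) {
        try {
            # -ErrorAction Stop turns the access-denied error into a catchable exception
            $acl = Get-Acl -LiteralPath $obj.FullName -ErrorAction Stop
        } catch {
            # The caller lacks READ_CONTROL on this object: report it rather than drop it
            New-Object PSObject -Property @{
                ObjectName = $obj.FullName; Owner = $null; Identity = $null
                Rights = $null; AccessType = $null; Inherited = $null
                Error = $_.Exception.Message
            }
            continue
        }

        # Only the ACEs set directly on the object unless -IncludeInherited was given
        $aces = $acl.Access
        if (-not $IncludeInherited) { $aces = $aces | Where-Object { -not $_.IsInherited } }

        foreach ($ace in $aces) {
            New-Object PSObject -Property @{
                ObjectName = $obj.FullName
                Owner      = $acl.Owner
                Identity   = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights.ToString()
                AccessType = $ace.AccessControlType.ToString()
                Inherited  = $ace.IsInherited
                Error      = $null
            }
        }
    }
}

# Fixed column order, written outside the audited tree
Get-ExplicitAclReport -Path $StartingPoint -IncludeInherited:$IncludeInherited |
    Select-Object ObjectName, Owner, Identity, Rights, AccessType, Inherited, Error |
    Export-Csv -LiteralPath (Join-Path $env:TEMP 'acl-report.csv') -NoTypeInformation
```

Rows with a non-empty Error column are the objects Administrators cannot read; those are the ones to feed to FILEACL.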
With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson works with and provides feedback for next generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).