How does one audit NTFS permissions without rights?

Analysis
Aug 9, 20098 mins

Yes, you can use FILEACL to audit permissions when you do not have rights to files and folder.

A really good question recently came up on the SANS GIAC advisory board. Basically, someone needed to audit the NTFS permissions on a set of files and directories (I will refer to them as objects). Easy, right? Oh, I forgot to mention that “Administrators” had no rights to these objects, and modifying (like taking ownership) the permissions for these objects was out of the question.

At first, I drew a blank. But, then it hit me that Backup Operator’s have a very special right which allows them to copy objects that they do not have rights to. So… I figured one could grant themselves that right and then copy objects using a tool like Robocopy to preserve the permissions to a folder that Administrators had rights to. For example:

robocopy /Z /E /B /SEC /COPYALL /R:1 /W:5

In theory, the objects should inherit the parent folder permissions thus granting the ability to audit the non-inherited permissions. Well, apparently, that didn’t work. So I did some searching around and found a utility called FILEACL. One of the features for this utility is: “Uses Backup and Restore Rights to view/change ACL/ownership on non accessible files/dir”. In other words, using this utility, you can audit permissions for objects that you do not have rights to.

To download this tool, use the following the Web site: Link

Also for your pleasure, I wrote the following PSH script which will give you a custom report. Still need to clean it up a bit. But, you should be able to take it from there:

$StartingPoint = "C:Audit"
$RootItem = Get-Item $StartingPoint

$ACLReportTemplate = New-Object psobject
$ACLReportTemplate | Add-Member -MemberType NoteProperty -Name ObjectName -Value $null
$ACLReportTemplate | Add-Member -MemberType NoteProperty -Name ACL -Value $null

$objResult = @()

# Build list of ACLs
$ACLLIst = &'.fileacl.exe' "$($StartingPoint)" /SUB /FILES /ADVANCED /OWNER /FORCE

$ACLLIst | foreach {
        $objTemp = $ACLReportTemplate | Select-Object *
        
        $i = $_.Split(";")
        
        $objTemp.ObjectName = $i[0]
        $objTemp.ACL = $i[1]
        
        $objResult += $objTemp
        }

$objResult

If you like this, check out some other posts from Tyson:

Or if you want, you can also check out some of Tyson’s latest publications:

Lastly, visit the Microsoft Subnet for more news, blogs, and opinions from around the Internet. Or, sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert)