Vista - Script (s) to help with file security audit

Hi folks,

I think this is the right newsgroup, if not I apologize upfront.

I need to do a few things as part of our file security audit (we will be
doing this regularly going forward so I am hoping to automate at least part
of it).

This is what I need to do:
1 - Get a list of all files and folders in a specific location (I can access
remotely or locally so whichever is the easiest way). Ideally I would like
to return the path and file name as separate items rather than one long
string.
2 - Get a list of all local and domain users and groups which have access to
each file and folder along with the level of access each has.
3 - Flag any objects where the permissions are different from it's parent
object.
4 - Get a list of all domain users along with their AD location.
5 - Get a list of all domain groups including group membership and AD
location.

I would also like to be able to have the information returned in some kind
of delimited format so we can work with the data in Excel.

I realize that they can't all be combined but I am hoping it will be
possible to do the first three items together then do the last two together.

I have looked around and found what appears to be a million different ways
to do this and I am not sure where to start.

I do have some limited experience with scripting and have already scripted
some of our more time consuming tasks but I feel like I'm going cross-eyed
when I look at the examples that are available.

Can some provide some tips on where I can start looking for information or
perhaps even some script examples?

Thanks,
Nancy

"Nancy R" <NancyR@xxxxxx> wrote in message
news:6155AD61-4B27-4B41-A454-56E5575C8C37@xxxxxxYou could have cross-posted to microsoft.public.windows.server.security, but
here is OK if you want a scripted solution. Depending on the expertise
available to you, you might also consider
microsoft.public.windows.powershell.
"Specific location" meaning "folder" (with or without recursion), "share",
or "file server"?
That would be the simple part.
a bit trickier
file object permissions will never be identical to those of the parent, as
nothing can inherit permissions from a file.
those last two might more likely belong in separate scripts.
Excel can only show 65535 rows, whereas what you are looking for could
possibly push that limit, depending on your parameters.
good call. see my comment above.
Where to start is to determine:

- what you want to see in the output of the script;
- how you want the info to be represented; and:
- scope and size: just the objects in one folder, or all nested objects.
That's nothing! If you were able to produce a report of exactly what you
have described you could be looking at so much detailed information your
cross-eyed condition would only worsen.
I wrote a vbscript that kind of does as you suggest. It uses ADsSecurity.DLL
(for some info on using this, see
http://www.tek-tips.com/viewthread.c...80789&page=396) to extract
detailed Access Control Entries. At this level things are MUCH more detailed
than you might think, even when compared with what you see on the advanced
security tab. In fact, the detail can be quite different from one folder to
the next even though the effective permissions and inheritance may seem the
same on both.

I have done similar using the output from CACLS.EXE, which at least displays
somewhat more meaningful descriptors of the kinds of access being given,
using words instead of bit fields. To put this into a spreadsheet, you would
need to pars the somewhat arcane style of output.

You might get farther by considering powershell...

But all that said, you need to consider what your purpose is in doing this
audit. Are you looking for violations of access where individuals have
access to what they should not have? Or where those that should have access
do not? Or where permissions are given to individuals rather than groups? Or
where unauthorized permission changes have been made? Or do you just need a
list of the individuals that have certain levels of access whether directly
or through group membership?

In my opinion if you simply dump a full and complete representation of the
permissions structure, you will be dealing with so much detail that you will
be hard put to address any one of those possible requirements.

/Al

Hi Al,

Thanks for your response!

What we initially wanted to do was verify that all shares and folders are
using AD groups for permissions rather than user accounts. After we talked
about it, we decided that we should check all permissions and verify they are
correct.

There are a few folks managing files here and it starts to get messy after a
while. 8-D

By specific location I meant I want to scan all files and folders on
specific hard drives. We can do this either locally on the server or
remotely (I'll connect to the admin share if needed).

You make an excellent point about the row limit in Excel, I didn't think
about that. We have several folders on this drive that we want to audit the
permissions on, instead of doing the entire drive I could easily do the check
on each folder and it's contents. I am confident we won't hit the limit if
we do it this way.

In retrospect, I don't think we need to check the individual files for their
exact permissions. Could we check to see if they have the inherit option
selected? This would flag any for me where they have specific perms setup.
I know there won't be more than a few so I can check these manually.

I would like the output as follows (I am using commas to separate the column
headers):
For Users/Groups:
Name,Type (User or Group),AD Location,Members (if groups)

For Files/Folders:
Object Type (File/Folder),Full Path,Name,Are perms inherited?,Who has
access?,What access do they have?

I looked at the info on ADsSecurity.DLL and to be honest, I'm even more
confused.

I took a look at CACLS (never used it before) and I think it will work. I
can figure out how to parse it, despite how I'm feeling at the moment I'm
really not that dense! One thing I can't figure out from what I found is how
do you tell CACLS to return the perms on all files and folders within a given
spot? I know that *.* will do the contents of where you are but how do you
tell it to run recursively?

Now for the AD User/Group information, do you have any tips on that?

I really appreciate your feedback on this one.

Nancy

"Al Dunbar" wrote:

"Wolfie" <Wolfie@xxxxxx> wrote in message
news:AB0DBD5E-5BF0-4AA4-8D0C-907F6E373179@xxxxxxyou're welcome.
I wondered about that. If your script know what is correct, would you then
just have it report discrepancies, or correct them?
Understatement!
Great. You could have a script create the output files based on the folder
being processed.
Probably, but that is one aspect of the details that I have not come to
grips with. Having looked at output from my (very rudimentary) script, I
have come to the conclusion that there are a number of ACE combinations that
imply inheritance.
The trouble arises from the fact that groups typically have multiple
members, and any cell containing enough content to require line-wrapping
will be very hard to read. If you do this, I'd suggest using the
sAMAccountName instead of the DN.

Alternately, a separate row for each member... but then you risk bumping
into the rown length limitation again...
who has access and what access do they have: I don't see how you could
possibly put this all on one line while at the same time making it possible
to read. So then you'd have separate row for each ACE. Keep in mind that if
one trustee has multiple permissions, he will need multiple rows. For
example, someone could inherit read-only, be granted read/write, and be
denied delete.

The other question is: will the "who" column contain the direct trustees
having an explicit ACE? Or will you expand groups to include their members?
And, if so, will you expand groups recursively?

And if you do all that, and produce a complete list of all individual
accounts having different types of access, good luck determining if there
are any improper permissions. That would only be possible if the person
reviewing the info actually knew all of the users.
That stuff is extremely detailed, but, imho, that is how security actually
works.
/T switch.
I thought that was what you asked above.

If you have an extremely convoluted and badly organized set of shared folder
permissions, no amount of analysis will make sense of it, as it becomes way
too complex. If you have a well-defined approach, you won't need to audit
it, as it would be easier to simply re-apply the required permissions.

By well-defined, I mean the following:

- logical user/group structure based on department, job title, and etc.
- use only basic permissions: read-only and read/write. reserve full for
admins only, and avoid deny altogether.
- for each type of permission required on a given folder, permit it to a
separate and single-purpose group.
- create the "resource permission groups" when the folder is created, permit
them at that time, and never change the permissions afterwards.
- No group should be permitted to more than one resource.

Once things are configured this way, you "permit" groups or individuals by
adding them to the groups having the permissions they require, and de-permit
by removing them.


/Al