Script recommendation - Get-ACL recursively
Mike Leone
Mike. Leone, <mailto:tur...@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...
Markus Klocker
In my opinion the first thing that pops into my mind:
Who is those personnel of interest and why only they?
I'd go mad if someone would access a share on a system I use that
might contain private data.
As a Sysadmin I'd go mad as well, cause I'm so sure that this will
violate law or at leas has pretty all potential to make a case.
Markus
--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjesT3RcGZdtp%3D1OCb7RNWjr1K%2BFm3sGMytAZouUNsfHg%40mail.gmail.com.
Mike Leone
In my opinion the first thing that pops into my mind:
Who is those personnel of interest and why only they?
I'd go mad if someone would access a share on a system I use that might contain private data.
As a Sysadmin I'd go mad as well, cause I'm so sure that this will violate law or at leas has pretty all potential to make a case.
--Markus
Am 01/07/2020 um 20:34 schrieb Mike Leone:
My boss asked me "Can you list all possible network drives that specific personnel have including their individual accounts?". (yeah, I know).--
The best that I can come up with (outside of purchasing a commercial auditing program, which won't be happening) is to recursively walk down a shared folder structure on a file server; pull out the share and NTFS permissions; expand all the AD groups to get the list of users. Lather, rinse, repeat.
That would be because I can see in AD that user "Joe" is a member of "ShareA_RWXD". And I know where "ShareA" is. But the problem comes when "Joe" is explicitly added to the NTFS permissions of share as a user account, rather than just groups. So Joe's access is "ShareA" (easy enough gotten from Ad group membership), but also "ShareB", where he is listed explicitly, and where that sub-folder of a share doesn't inherit from above.
Far from ideal, but I have to do something, so I need to make a start. And I'd rather not invent all the wheels. Anyone know of a script that does at least something like this, that I can modify and start to get some info? I can do searches in the Gallery for Get-ACl, but if someone knows of one, that can save me time.
Thanks--
Mike. Leone, <mailto:tur...@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjesT3RcGZdtp%3D1OCb7RNWjr1K%2BFm3sGMytAZouUNsfHg%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/6bc687ce-ee9c-22f2-d08a-658164183aa8%40univie.ac.at.
Michael B. Smith
You can shortcut a great deal of that effort by using Get-SmbShare which lists all the file shares on a computer and the DACL that applies to it.
You convert DACLs to readable strings using ConvertFrom-Sddl.
Get-SmbShare works on remote systems using CimSession, if you have remote management enabled. If not, you can use “net share” on downlevel computers.
--
Michael B. Smith
In Markus’ defense, EU laws are significantly more protective of the individual than are American laws.
From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com>
On Behalf Of Mike Leone
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BiCkvcgUQ%3D%3D6Y0db-VYHENXngF9jw6gdTzAOWV2ChhMyQ%40mail.gmail.com.
Mike Leone
In Markus’ defense, EU laws are significantly more protective of the individual than are American laws.
Markus Klocker
Tru that.
My point is to be careful with collecting sensitive data.
If it is only what sources are connected... that I'd sign off
right away.
Even if you use get-smbconnection or something else it has to be
connected at the time you do this.
What about browser based services (or at least the possibility
mycloud, ownclud, webdav....)?
If there is data exfiltration going on I'd go look at where
traffic is directed to (maybe well known IPs or at least ones you
find "strange").
I see many loose ends here as well as the legal issues that I would at least take a look at (EU or US cause I'd don't know US law even a bit :)).
Markus
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/aa165f94b8764527a529254f8a3364cd%40smithcons.com.
Mike Leone
You can shortcut a great deal of that effort by using Get-SmbShare which lists all the file shares on a computer and the DACL that applies to it.
You convert DACLs to readable strings using ConvertFrom-Sddl.
Get-SmbShare works on remote systems using CimSession, if you have remote management enabled. If not, you can use “net share” on downlevel computers.
ConvertFrom-SddlString : Exception calling ".ctor" with "3" argument(s): "The SDDL form of a security descriptor
object is invalid.
Parameter name: sddlForm"
At line:1 char:76
+ ... Share" | Select -Property SecurityDescriptor | ConvertFrom-SddlString
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [ConvertFrom-SddlString], MethodInvocationException
+ FullyQualifiedErrorId : ArgumentException,ConvertFrom-SddlString
--
From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Mike Leone
Sent: Wednesday, July 1, 2020 2:35 PM
To: NTSysAdmin <ntsys...@googlegroups.com>; NTPowershell Mailing List <ntpowe...@googlegroups.com>
Subject: [ntpowershell] Script recommendation - Get-ACL recursively
My boss asked me "Can you list all possible network drives that specific personnel have including their individual accounts?". (yeah, I know).
The best that I can come up with (outside of purchasing a commercial auditing program, which won't be happening) is to recursively walk down a shared folder structure on a file server; pull out the share and NTFS permissions; expand all the AD groups to get the list of users. Lather, rinse, repeat.
That would be because I can see in AD that user "Joe" is a member of "ShareA_RWXD". And I know where "ShareA" is. But the problem comes when "Joe" is explicitly added to the NTFS permissions of share as a user account, rather than just groups. So Joe's access is "ShareA" (easy enough gotten from Ad group membership), but also "ShareB", where he is listed explicitly, and where that sub-folder of a share doesn't inherit from above.
Far from ideal, but I have to do something, so I need to make a start. And I'd rather not invent all the wheels. Anyone know of a script that does at least something like this, that I can modify and start to get some info? I can do searches in the Gallery for Get-ACl, but if someone knows of one, that can save me time.
Thanks
--
Mike. Leone, <mailto:tur...@mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
This space reserved for future witticisms ...--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjesT3RcGZdtp%3D1OCb7RNWjr1K%2BFm3sGMytAZouUNsfHg%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/4ec109ef5d614761b5b928f30ea2bed2%40smithcons.com.
Henry Awad
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2Bjn_b04320J%2BWbMZ65YbqbxJgg8Es8JNx8rDCu1R83q9w%40mail.gmail.com.
Henry Awad
Michael B. Smith
The doc is wrong, you can’t pipe to ConvertFrom-Sddl.
$a = get-smbshare -Name "TestMDT_Share"
ConvertFrom-SddlString -sddl $a.SecurityDescriptor
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Wednesday, July 1, 2020 3:38 PM
To: NTPowershell Mailing List <ntpowe...@googlegroups.com>
--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2Bjn_b04320J%2BWbMZ65YbqbxJgg8Es8JNx8rDCu1R83q9w%40mail.gmail.com.
Kurt Buff - GSEC, GCIH
--
Mike Leone
Try one of these tools:I have used Netwrix (paid version) in the past and they provide a very nice readable format report. I honestly haven't used the free version so not sure how different the report would be.
Mike Leone
The doc is wrong, you can’t pipe to ConvertFrom-Sddl.
$a = get-smbshare -Name "TestMDT_Share"
ConvertFrom-SddlString -sddl $a.SecurityDescriptor
PS C:\Windows\system32> ($SDDL | ConvertFrom-SddlString -Type FileSystemRights| Select-Object -ExpandProperty Discretion
aryAcl) -split ":"
Everyone
AccessAllowed (GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, Traverse)
NT AUTHORITY\Authenticated Users
AccessAllowed (GenericWrite, ListDirectory, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, Traverse)
NT AUTHORITY\SYSTEM
AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
BUILTIN\Administrators
AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
<DOMAIN\UserA>
AccessAllowed (ChangePermissions, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ExecuteKey, FullControl, FullControl, FullControl, FullControl, FullControl, GenericAll, GenericExecute, GenericRead, GenericWrite, ListDirectory, Modify, Read, ReadAndExecute, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize, TakeOwnership, Traverse, Write, WriteAttributes, WriteData, WriteExtendedAttributes, WriteKey)
Michael B. Smith
If you don’t select only DiscretionaryAcl, you get all the other information that the cmdlet can output.
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
ControlFlags : DiscretionaryAclPresent, SelfRelative
DiscretionaryAcl : {NT AUTHORITY\INTERACTIVE: Allow (GenericAll), BUILTIN\Administrators: Allow (GenericAll),
BUILTIN\Backup Operators: Allow (GenericAll)}
SystemAcl : {}
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor
The list of FullControls means that there are ExtendedAttributes in the DACL that the ConvertFrom-Sddl cmdlet doesn’t know how to interpret. You can ignore it. If you want the exact detail, use icacls.exe. It properly displays all the extended attributes. But you can’t easily control the output format.
From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Thursday, July 2, 2020 12:01 PM
To: NTPowershell Mailing List <ntpowe...@googlegroups.com>
--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2Bi8DVwvosfDgFxHzHsq%3DeOWk3saZviuh9iOmeAn2A9YjA%40mail.gmail.com.
Dennis Pinckard
I'm going to give an answer that may get me kicked off of this group.
Purchase a commercial product.
Yes, you can write a script to do what you want, and I'd done similar ones in the past, but you always miss something and later find an edge case that wasn't covered. If this is a legal issue and important to the business, buy a supported commercial application where all of the leg work has been done. When you miss an entire directory where a user had permission as part of the legal discovery process, you do NOT want to be the one held responsible.
If this is just a side project for your own use, by all means use it as a learning exercise to improve your PowerShell skills. It can be a very educational project.
Some use cases you will need to consider:
ACLs with direct membership of User Object
ACLs with direct membership of Computer Object (Does the user's computer have access, which could allow the user to see it as well?)
Direct group membership of the user as well as nested group membership
Share and NTFS permissions
Permissions on files. It's not common, but certainly possible to grant perms on files.
Directory traversal weirdness. User has access to sub folders but not the parent. (Can make it hard to get to, but not always impossible)
Access granted by public groups (Domain Users, Everyone, Anonymous, ...)
Permissions that were in effect on date X, but have been modified since.
Hard links to a restricted folder/file (I hate it when that
one bites me!)
And then you get to the really weird stuff. Nobody can
predict it ahead of time, but trust me, that one user figured
out how to do something nobody expected.
--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BjesT3RcGZdtp%3D1OCb7RNWjr1K%2BFm3sGMytAZouUNsfHg%40mail.gmail.com.
Kurt Buff - GSEC, GCIH
that a commercial product wasn't an option? Not that I don't like
commercial products, just that in this case budget likely won't be
available.
Kurt
Michael B. Smith
What a great list!
No chance of you getting kicked off, and I appreciate your viewpoint.
I sometimes recommend a commercial product too. It all depends on what the OP asks for.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntpowershell/a92c570f-1cb0-303f-3f60-f56ffb8bf5fa%40doomsdaypig.com.