Answered: Enumerate Network Share Permissions Script

  • 03 August 2012 12:26
     
     
    I have been looking around and haven’t seen any that does this. Could anyone share a script that will enumerate the share permissions & NTFS permissions of a target host or path? For example, I want to audit the permissions for \\ABC123\ShareName and all subdirectories. Is this possible through scripting? I’m also willing to try a different solution.

    J. Swann – Information Security Engineer


    • Edited by J. Swann 03 August 2012 12:26

All Replies

  • 03 August 2012 12:39
     
     

    I have a script in the Repository that will enumerate share permissions:

    http://gallery.technet.microsoft.com/scriptcenter/List-Share-Permissions-83f8c419

    That gets you half-way there.


    Grant Ward, a.k.a. Bigteddy

  • 03 August 2012 12:41
     
     
    Thanks Ted, actually I already downloaded and am using your script. It works well. Any plans to expand and support UNC paths?

    J. Swann – Information Security Engineer

  • 03 August 2012 12:53
     
     

    Just use the normal file utilities.  A UNC path is no different from a file or folder.  The share just has its own set of permissions that limit access overall.  The permissions are the most restrictive of the union of the sets.

    Get-Acl \\server\share

    gets the folder permissions for the underlying folder.

    Get-Acl \\server\share\*

    gets the permissions of the contents of the folder.

    There is no way that I know of to get effective permissions on a share. In a domain it is normal to fall back to file system permissions and to set the share to Everyone:Full.  Just be sure the root folder is well protected.  It may be better to only define shares for specific groups and limit access completely at the share.  This is harder to manage but definitely safer.


    ¯\_(ツ)_/¯

  • 03 August 2012 13:10
     
     
    Ahh... The Get-Acl command would be perfect if it had a way of outputting a recursive permissions listing of a share.

    J. Swann – Information Security Engineer

  • 03 August 2012 13:14
     
     
    What do you mean by a recursive permissions listing?

    Grant Ward, a.k.a. Bigteddy

  • 03 August 2012 14:30
     
     
    The permissions for each folder & sub-folder, etc. When I do Get-Acl \\server\share\* it only shows me the permissions for that folder not sub-folders or the sub-folder of the sub-folders, etc.

    J. Swann – Information Security Engineer

  • 03 August 2012 14:47
     
     

    Try this, it is ugly, but I think it is what you are asking for.

    ls '\\server\share\' -recurse | get-acl

    Chris

    • Proposed as answer by ChrisLynch1076 03 August 2012 16:14
    • Unproposed as answer by ChrisLynch1076 07 August 2012 13:01
  • 06 August 2012 19:34
     
     

    Just checking in to see if that worked out for you?

    Let me know if you still have questions,

    Chris

  • 07 August 2012 12:05
     
     
    That's closer! I only want to know the permissions of the folders not the files. Also it seems this only displays the owner.

    J. Swann – Information Security Engineer

  • 07 August 2012 12:49
     
     
    dir \\server\share |?{$_.PSIsCOntainer}|get-acl

    ¯\_(ツ)_/¯

  • 07 August 2012 13:01
     
     Answer

    Get-ChildItem '\\server\share' -Recurse | where-object{$_.psiscontainer} | get-acl | fl

    All of the information was there; you just have to display it.  In order to get your ideal output it will need a little more work, but this will list all of the groups that have access.

    • Proposed as answer by ChrisLynch1076 07 August 2012 13:01
    • Marked as answer by J. Swann 07 August 2012 13:23
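The accepted answer above lists each folder's ACL with `fl`; as an added example (not code from anyone in this thread), the same pipeline can be flattened to one row per access control entry so the result can be sorted, filtered, or exported for an audit. `Get-FolderAce` is a hypothetical helper name, `\\server\share` is a placeholder, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. Get-FolderAce is a hypothetical helper; \\server\share is a placeholder.
# Assumes PowerShell 3.0 or later ([pscustomobject], Get-Acl -LiteralPath).
function Get-FolderAce {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $ExplicitOnly   # keep only ACEs set directly on a folder (not inherited)
    )

    # The share root itself plus every sub-folder below it (files are skipped).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue `
                     -ErrorVariable enumErrors | Where-Object { $_.PSIsContainer })

    # Folders that could not be enumerated are gaps in the audit, so surface them.
    foreach ($e in $enumErrors) { Write-Warning "Enumeration failed: $($e.Exception.Message)" }

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        }
        catch {
            # Report folders whose ACL the auditing account cannot read.
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }

        # One output row per access control entry.
        foreach ($ace in $acl.Access) {
            if ($ExplicitOnly -and $ace.IsInherited) { continue }
            [pscustomobject]@{
                Folder    = $folder.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

# Full listing to CSV, then only the ACEs that were set directly on a folder.
Get-FolderAce -Path '\\server\share' | Export-Csv -Path .\share-acl.csv -NoTypeInformation
Get-FolderAce -Path '\\server\share' -ExplicitOnly | Format-Table -AutoSize
```

This reports NTFS permissions only; share-level permissions are a separate set and are not returned by `Get-Acl`.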
  • 07 August 2012 13:29
     
     

    Thanks man, this is it.


    J. Swann – Information Security Engineer




    • Edited by J. Swann 07 August 2012 13:38
  • 07 August 2012 14:02
     
     

    I know you edited that last part out of your reply but I can help you there as well.  To get a list of the shares on a server you can run this:

    Get-WmiObject win32_share | select name

  • 07 August 2012 14:03
     
     

    $shareaccess=gwmi win32_share -filter 'type=0'|
         %{
              Get-ChildItem "\\$($env:computername)\$($_.Name)" -Recurse |
              where-object{$_.psiscontainer} |
              get-acl
    }

    $shareaccess | fl

    Be careful as it can take a very long time to list all of that information on a large server.


    ¯\_(ツ)_/¯