Auditing Directory Groups and Permission (Analysis)

(imported topic written by SystemAdmin)

Hi,

I would like to check with you guys how to create an analysis to check a certain directory for rights and permissions. For example, I have this folder in the root of the C:\ drive called DIR1 and a user group GROUP1. I wanted to check if GROUP1 is listed in the security group of the DIR1 folder and should have FULL CONTROL as well.

C:\DIR1 exists and GROUP1 has rights and has full control permission over DIR1, else Audit Fails

Thanks & Best Regards.

(imported comment written by brolly3391)

Hello rvnava,

This particular request is exciting for me because I have not really played much with the security inspectors yet.

I started working with the system folder because it has an interesting ACL.

q: security descriptor of system folder

A: D:PAI(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;0x1301bf;;;PU)(A;OICIIO;SDGXGWGR;;;PU)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)

q: (trustee of it, generic all permission of it) of entries of DACL of security descriptor of system folder

A: BUILTIN\Users, False

A: BUILTIN\Users, False

A: BUILTIN\Power Users, False

A: BUILTIN\Power Users, False

A: BUILTIN\Administrators, False

A: BUILTIN\Administrators, True

A: NT AUTHORITY\SYSTEM, False

A: NT AUTHORITY\SYSTEM, True

A: BUILTIN\Administrators, False

A: \CREATOR OWNER, True

q: exists entries whose (trustee of it as string as lowercase contains "administrators" and generic all permission of it) of DACL of security descriptor of system folder

A: True

Your version might look like this:

q: exists entries whose (trustee of it as string as lowercase contains "group1" and generic all permission of it) of DACL of security descriptor of folder "c:\DIR1"

A: True

Note: I am not a member of a domain so this might work differently for a domain attached machine. But the concept is there.

Cheers,

Brolly
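Added example (not part of the original posts, and not BigFix code): a small Python parser for the SDDL string quoted in the reply above. In that output the True results line up with the GA entries, which carry the IO (inherit-only) flag and so apply to children rather than to the folder itself, while the FA entries on the folder itself report False; an audit for full control on the folder should therefore accept either right and skip inherit-only entries. The function names are hypothetical, the mnemonic table covers only the rights that appear in this string, and deny entries and group membership are not evaluated.

```python
import re

# Access-mask constants for the SDDL rights mnemonics used in this string.
FILE_ALL_ACCESS = 0x1F01FF   # SDDL "FA": full control on a file or folder
GENERIC_ALL = 0x10000000     # SDDL "GA": generic-all bit
RIGHTS = {"FA": FILE_ALL_ACCESS, "GA": GENERIC_ALL, "GR": 0x80000000,
          "GW": 0x40000000, "GX": 0x20000000, "SD": 0x00010000}

# The security descriptor string quoted in the reply above.
SDDL = ("D:PAI(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;;0x1301bf;;;PU)"
        "(A;OICIIO;SDGXGWGR;;;PU)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)"
        "(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;CO)")

def parse_mask(rights):
    """Turn an SDDL rights field (hex literal or two-letter mnemonics) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError on mnemonics this example does not cover
    return mask

def parse_dacl(sddl):
    """Yield one dict per ACE found in the D: (DACL) part of an SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for body in re.findall(r"\(([^)]*)\)", dacl):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _, _, trustee = body.split(";")[:6]
        mask = parse_mask(rights)
        yield {"type": ace_type, "trustee": trustee, "mask": mask,
               "generic_all": bool(mask & GENERIC_ALL),
               "inherit_only": "IO" in re.findall("..", flags)}

def full_control_on_folder(sddl, trustee):
    """True if an allow ACE that applies to the folder itself grants full control."""
    # Simplification: deny ACEs and nested group membership are not evaluated.
    return any(
        ace["type"] == "A" and ace["trustee"] == trustee
        and not ace["inherit_only"]
        and (ace["generic_all"]
             or (ace["mask"] & FILE_ALL_ACCESS) == FILE_ALL_ACCESS)
        for ace in parse_dacl(sddl))
```

Here `full_control_on_folder(SDDL, "BA")` is True through the FA entry, while `"CO"` is False even though its only entry has the generic-all bit, because that entry is inherit-only.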

(imported comment written by SystemAdmin)

Thanks Brolly … this would do great!