BigFix Relevance for Windows Shares

Okay everyone, where would you even begin with this one? I need BigFix to do the following, if possible.

  1. Detect the creation of a new Windows share (Windows Event Log)

  2. Determine if new Windows share is unrestricted (Everyone, built-in users, All authenticated users, All domain users, etc. (see attached remediation doc))

  3. If share is restricted, do nothing

  4. If share is unrestricted, send the information to a downstream system for analytics/triage (Windows ServerDB)

  5. If BigFix technology is viable, then prove that solution scales for all Windows servers.

Any help or feedback appreciated.

This should be feasible with BigFix, yes. But a question: does this need to be done specifically for new shares, or is it sufficient to have visibility across all “unrestricted” shares?

Hi Aram,

All shares are fine, mate.

The two relevance queries I have at the moment are:

Q: names of network shares
A: ADMIN$
A: C$
A: IPC$
A: Log$
A: SMSLog$

and…

Q: permission permissions of network shares
A: False

I need to join these two queries together so the information reads better than it does.

Do you have any suggestions? Would you do it differently?

Good start, Bal290303,

You can use an "it clause" with a "tuple" to join together properties of an object in relevance:

q: (name of it, permission permissions of it) of network shares
A: IPC$, False
A: Users, False

If you want to stay “easy” with the permissions, there are other permissions that are easy to query as documented here: https://developer.bigfix.com/relevance/reference/network-share.html

If you want to get “down and dirty” into the permissions, you might start with the ACL, like this:

q: (name of it, security descriptors of it) of network shares
A: Users, O:BAG:SYD:(A;OICI;FA;;;BA)
I: plural ( string, security descriptor )


q:  (name of it, dacls of security descriptors of it) of network shares
A: Users, D:(A;OICI;FA;;;BA)
I: plural ( string, discretionary access control list )

q:  (name of it, (grant types of it, trustees of it, enumerate subkeys permissions of it) of  entries of dacls of security descriptors of it) of network shares
A: Users, ( True, BUILTIN\Administrators, True )
I: plural ( string, ( boolean, security identifier, boolean ) )

q:  (name of it, (grant types of it, trustees of it, generic all permission of it, enumerate subkeys permissions of it) of  entries of dacls of security descriptors of it) of network shares
A: Users, ( True, BUILTIN\Administrators, True, True )
I: plural ( string, ( boolean, security identifier, boolean, boolean ) )

There are dozens more permissions documented here: https://developer.bigfix.com/relevance/reference/access-control-entry.html


Thanks Brolly,

Works a treat… What relevance is best for showing if a share is restricted or not? That is all I need to do, really…

I only need to pull out unrestricted shares… Everything else can be ignored and doesn't need to be displayed… Try to cut down the numbers if possible.

Hey there Bal290303,

What is an “unrestricted share” for your use case?

If I guess that you mean shares where the Everyone account is granted some permissions, then perhaps:

q: (name of it, path of it) of network shares whose (exists entry whose (trustee of it as string = "Everyone" and grant type of it) of dacl of security descriptor of it)
A: Temp, C:\Temp
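The relevance queries in this thread surface the raw security descriptor of each share (the `O:BAG:SYD:(A;OICI;FA;;;BA)` strings in Brolly's reply) and, in the last answer, a check for a single trustee, Everyone. For the original poster's step 2 and step 4, the "is this share unrestricted" decision has to be made against the whole DACL and for several broad trustees. The following is an added example, written for this editing pass and not code from the thread or from BigFix, that parses SDDL strings of the kind those queries return and applies that decision off-box, as a downstream system such as the poster's "Windows ServerDB" might. It assumes the poster's own list of broad trustees (Everyone, built-in Users, Authenticated Users, Domain Users) plus Anonymous, encoded as the `BROAD_TRUSTEES` table; the share names and SDDL strings in `SAMPLE_SHARES` are constructed, not output from any real host. It also handles two cases the simple "Everyone" query does not: a deny ACE that cancels an allow ACE for the same trustee, and a descriptor with no DACL at all (a NULL DACL, which Windows treats as full access for everyone).

```python
import re
from dataclasses import dataclass, field

# SDDL rights abbreviations -> access-mask bits (Windows SDDL definitions).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}

# Trustees that make a share "unrestricted" for this example. This is an
# assumption taken from the poster's list (Everyone, built-in Users,
# Authenticated Users, Domain Users) plus Anonymous; SDDL aliases and raw SIDs.
BROAD_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "DU": "Domain Users",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}


def trustee_label(sid):
    """Broad-group label for a trustee, or None. Domain Users has no fixed
    SID: it is RID 513 under the domain's S-1-5-21-... prefix."""
    if sid in BROAD_TRUSTEES:
        return BROAD_TRUSTEES[sid]
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):
        return "Domain Users"
    return None


def parse_rights(text):
    """Rights field is hex (0x1200a9) or concatenated 2-letter codes (FA, GRGW)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"bad rights field {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown right {code!r} in {text!r}")
        mask |= RIGHTS[code]
    return mask


def parse_dacl(sddl):
    """Return the DACL as (ace_type, trustee, mask) tuples, or None when the
    SDDL has no D: section (NULL DACL: Windows grants everyone full access)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return None
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({body})")
        ace_type, _flags, rights, _obj, _inh_obj, sid = fields
        aces.append((ace_type, sid, parse_rights(rights)))
    return aces


@dataclass
class Verdict:
    name: str
    unrestricted: bool
    grants: list = field(default_factory=list)  # (broad trustee, effective mask)


def classify_share(name, sddl):
    aces = parse_dacl(sddl)
    if aces is None:
        return Verdict(name, True, [("Everyone (NULL DACL)", RIGHTS["GA"])])
    allowed, denied = {}, {}
    for ace_type, sid, mask in aces:
        label = trustee_label(sid)
        if label is None:          # BA, SY, specific users: not "broad"
            continue
        if ace_type == "A":
            allowed[label] = allowed.get(label, 0) | mask
        elif ace_type == "D":
            denied[label] = denied.get(label, 0) | mask
    verdict = Verdict(name, False)
    for label, mask in allowed.items():
        # A deny ACE for the same trustee removes those bits; what remains is a real grant.
        effective = mask & ~denied.get(label, 0)
        if effective:
            verdict.unrestricted = True
            verdict.grants.append((label, effective))
    return verdict


def unrestricted_shares(shares):
    """shares: {share name: SDDL}. Names of shares a broad trustee can reach."""
    return [n for n, s in shares.items() if classify_share(n, s).unrestricted]


# Constructed sample data, not captured from any host.
SAMPLE_SHARES = {
    "ADMIN$":     "O:BAG:SYD:(A;OICI;FA;;;BA)",
    "Temp":       "O:BAG:SYD:(A;;FA;;;WD)",
    "Public":     "O:BAG:SYD:(A;;0x1200a9;;;AU)(A;;FA;;;BA)",
    "Quarantine": "O:BAG:SYD:(D;;FA;;;WD)(A;;FA;;;WD)(A;;FA;;;BA)",
    "Apps":       "O:BAG:SYD:(D;;FW;;;BU)(A;;FA;;;BU)",
    "Legacy":     "O:BAG:SY",
}

if __name__ == "__main__":
    for share_name, descriptor in SAMPLE_SHARES.items():
        v = classify_share(share_name, descriptor)
        print(share_name, "UNRESTRICTED" if v.unrestricted else "restricted", v.grants)
```

Run against the sample, `ADMIN$` (administrators only) and `Quarantine` (Everyone is denied before it is allowed) come out restricted, while `Temp`, `Public`, `Apps` and the DACL-less `Legacy` are reported with the trustee and the access bits that remain after denies are subtracted. Note that the deny handling is per trustee only: a deny on a user's other group memberships is not modelled, so treat the verdict as a triage signal, not a full effective-access calculation.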