File Level ACL's / DACL's

(imported topic written by Robert_Whelan91)

Hello Everyone,

I have a problem with several hundred machines and need to correct some file permissions. I’ve figured out a good way to correct the problem with xcacls and the task works correctly. Now I need to narrow down the relevance to the machines with the specific problem.

I think the inspectors will work; I just can't get the syntax correct.

The condition is “Users” do not have read and execute permission to a file located like this:

%ALLUSERSPROFILE%\AppData\MyDir\MyFile.tmp

Apparently a bug caused the inherit flag to get flipped off on this file and removed the users' default permissions. The idea is to identify the condition and flip the flag back on via xcacls. What I'm trying to do is find the best way to do this. No hard coded paths, work on all versions of Windows etc…

Any hints or pointers? I’ve read through “A Guide to the BigFix Windows Inspectors” but the bell hasn’t rung yet. :slight_smile:

Thanks

Robert

(imported comment written by BenKus)

Hi Robert,

What about something like this:

(not effective read permission for "Users" of it OR not effective execute permission for "Users" of it) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\AppData\MyDir\MyFile.tmp")

I think this will do what you want…

Important Note: By adding this property, you will cause your agents to look up the "Users" group to figure out the permissions issues. This behavior is controlled by the operating system and it might mean that the agents will query Active Directory user information. This likely won't be an issue, but I suggest that you check with your AD administrators before activating a property like this globally in your environment. The effect will be the same as if each computer simultaneously right-clicked on the file > properties > permissions > effective permissions.

Ben

(imported comment written by Robert_Whelan91)

Hello Ben,

That worked out perfectly. One other question related to your note/caveat:

When the relevance clause is read as "all" (AND), I assume that the first false condition stops further processing? Meaning we exclude the most machines with our first clause and then we finally check the permission on a very small subset of clients.

Thanks for the help with the statement.

Robert

(imported comment written by jessewk)

Yes. The relevance engine has short-circuit evaluation built in, so after the first FALSE or ERROR in an AND clause it will stop processing. The same is true for the first TRUE or ERROR in an OR clause.

Jesse

(imported comment written by chenbr91)

Just to add to Ben’s warning…

This will cause a DoS attack on your Active Directory if you properly write the relevance, meaning if you do:

(not effective read permission for "Users" of it OR not effective execute permission for "Users" of it) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\AppData\MyDir\MyFile.tmp")

X 10 (files) and then X 100000+ computers, this will cause each machine to go query AD 10 times for each file, every evaluation cycle (10 mins) on 100000+ computers.

That's a whole lot of AD querying and will take down any resilient AD infra easily. It will cause many headaches, such as no authentication for logons, no access to domain resources (ie, file access to shares), etc. Needless to say, that's a big outage.

Please use caution when constructing a query such as these and remember that what you do manually to get this information, ie. right-click on the file > properties > permissions > effective permissions as Ben mentioned, envision that in scale.

Warning issued. :slight_smile:

Thanks,

Brian

(imported comment written by Robert_Whelan91)

Hello Guys,

I really do appreciate the warnings and that's why I was being careful about exactly what we did. In this case we are early in a deployment and I only have around 6,000 clients. The relevance statement does a read on a reg key and cuts the number to around 300. We are then checking the permission on a single targeted file for the condition. (BTW this is to fix a bug in the automatic update of Cisco AnyConnect 2.2). If the condition exists we download xcacls and flip the inherit flag back on. These machines are spread all over the US and are covered by over 550 DCs.

I don’t think anyone is going to notice the query. But if you hear about any large scale network outages on the news you’ll know the inside story. :wink:

Thanks again for the help.

Robert

(imported comment written by Robert_Whelan91)

Ben Kus

What about something like this:
(not effective read permission for "Users" of it OR not effective execute permission for "Users" of it) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\AppData\MyDir\MyFile.tmp")
Ben

Hello Ben,

Sorry to open this up again. It turns out that's not working like I thought. Can you tell me what might be wrong here:

Q: (not effective read permission for "Users" of it OR not effective execute permission for "Users" of it) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

E: Singular expression refers to nonexistent object.

Q: exist file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

A: True

Thanks

Robert

(imported comment written by jessewk)

Do any of these produce the singular expression error?

Q: exists security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

Q: exists dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

Q: exists effective read permission for "Users" of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

Q: exists effective execute permission for "Users" of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

And this one will most likely fix the problem:

Q: (disjunction of (not effective read permissions for "Users" of it ; not effective execute permissions for "Users" of it)) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

Jesse

(imported comment written by Robert_Whelan91)

Thanks for the quick reply. Here is the output with the file permissions in the correct state:

Q: exists security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

A: True

Q: exists dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

A: True

Q: exists effective read permission for "Users" of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

A: False

Q: exists effective execute permission for "Users" of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

A: False

Q: (disjunction of (not effective read permissions for "Users" of it ; not effective execute permissions for "Users" of it)) of dacls of security descriptors of file (expand environment string of "%25ALLUSERSPROFILE%25\Application Data\Cisco\Cisco AnyConnect VPN Client\VPNManifest.dat")

E: A singular expression is required.

What is really confusing me is the docs:

Snip>>>>

“A Guide to the BigFix Windows Inspectors” Page 261:

Q: effective access mode for "Administrators" of dacls of security descriptors of system folder as hexadecimal

E: Singular expression refers to nonexistent object.

Q: effective append permission for "Power Users" of dacls of security descriptors of windows folder

E: Singular expression refers to nonexistent object.

Q: effective synchronize permission for "Administrators" of dacls of security descriptors of system folder

E: Singular expression refers to nonexistent object.

Snip>>>>

Thanks for your quick reply and help.

Robert

(imported comment written by BenKus)

Hey Robert,

That is interesting… Our inspector makes the same Microsoft API call as the following (please try this on the same file):

  • Right click on the file
  • Go to properties
  • Click on the security tab
  • Go to “advanced”
  • Go to “effective permissions”

See if that gives you the information you are looking for or if it throws some sort of error…

Ben

(imported comment written by Robert_Whelan91)

Hello Ben,

I did get your message and thank you for your call.

See if that gives you the information you are looking for or if it throws some sort of error…

I tried that and everything works fine.

For Paul: QNA version = 7.0.9.164

I wanted to keep this simple and understand the problem before I muddy the waters anymore with our specific query. So, staying with the samples on page 261 I popped over to another VM running Vista as opposed to XP, ran the samples and they worked. That led me to look at the diff between the two machines. One thing I noted is that I was using a domain account on Vista and not XP. Keep in mind that both accounts have local Admin rights. However, the XP account was local to the machine.

Here you go.

Logged in to a domain account with local Admin rights:

Q: effective access mode for "Administrators" of dacls of security descriptors of system folder as hexadecimal

A: 1f01ff

Q: effective append permission for "Power Users" of dacls of security descriptors of windows folder

E: Singular expression refers to nonexistent object.

Q: effective synchronize permission for "Administrators" of dacls of security descriptors of system folder

A: True

Q: effective create folder permissions for "Administrators" of dacls of security descriptors of folders of folder "c:"

A: True

A: True

A: True

A: False

A: True

A: True

A: True

Logged in with local machine Admin account:

Q: effective access mode for "Administrators" of dacls of security descriptors of system folder as hexadecimal

E: Singular expression refers to nonexistent object.

Q: effective append permission for "Power Users" of dacls of security descriptors of windows folder

E: Singular expression refers to nonexistent object.

Q: effective synchronize permission for "Administrators" of dacls of security descriptors of system folder

E: Singular expression refers to nonexistent object.

Q: effective create folder permissions for "Administrators" of dacls of security descriptors of folders of folder "c:"

A: False

It seems to us that this may be problematic since the BESClient is a local account to the machine. I didn’t have a chance to look further into the API you might be using yet. I’m also wondering if it would work if I changed the login account of the BESClient to a domain account and granted it login as service privileges etc… Obviously, this would not be a good solution but would only prove out the point the API call expects access to the domain.

The bottom line is this explains why I've been struggling with some of these commands and started the thread. Something I expected to work in the debugger kept throwing errors and it made me believe it was syntax problems or a complete lack of understanding of the relevance language. (I still don't get it though. :slight_smile: )

Thanks

Robert

(imported comment written by BenKus)

Hey Robert,

I just tried it on 3 computers: WinVista (domain account), WinXP (local admin), and Win2003 (local admin) and it worked fine on all 3… So it doesn’t seem like these results match yours… Also, we know that many customers have deployed this before and haven’t seen any issues.

I am not sure why this isn’t working on your computer. Here is the exact API call we use:

http://msdn.microsoft.com/en-us/library/aa446637(VS.85).aspx

If this API fails, it will return “Singular expression refers to nonexistent object.”

Perhaps you can try on a few more computers and see if there is a pattern on which computers work and which don’t?

Ben

(imported comment written by Robert_Whelan91)

Ben Kus

Perhaps you can try on a few more computers and see if there is a pattern on which computers work and which don’t?

Hello Ben,

This mystery gets deeper and deeper. I still see the same results but it appears this has to do with changing the domain of the computer. Many of the machines have been migrated to a new domain and that's when the problem appears. Bottom line is that when a computer is moved from one domain to another the relevance statement no longer works when issued from a local account on the machine. (One of my VMs went from a lab domain to production.)

I found another example of this here:

http://www.derkeiler.com/Newsgroups/microsoft.public.platformsdk.security/2007-11/msg00011.html

I’m not sure if this might be related:

http://support.microsoft.com/kb/q262278/

I’ll let you chew on it then we may need some help finding another way to skin this cat.

Thanks

Robert
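Added example, not from any of the posts above and not BigFix relevance: a local PowerShell script that does what Robert describes doing with relevance plus xcacls (gate on a registry key, check one file's DACL for BUILTIN\Users read and execute, turn inheritance back on) while sidestepping the two problems raised in the thread. It matches ACEs by the well-known SID S-1-5-32-545 instead of asking for "effective permissions for Users", so it never resolves the name or expands group membership, which is the step Ben and Brian warn can hit Active Directory at scale and the step Robert saw fail from a local account on domain-migrated machines. The registry key path and the file path are placeholders; the thread names neither, and the real AnyConnect 2.2 key is not given anywhere on this page. Run it elevated: Set-Acl needs WRITE_DAC on the file.

```powershell
# Added example (not code from the thread). Local equivalent of: gate on a reg key,
# inspect one file's DACL, re-enable inheritance if the bug flipped it off.
# $GateKey and $Path are placeholders; substitute the real values for your product.
param(
    [string]$Path    = (Join-Path $env:ALLUSERSPROFILE 'AppData\MyDir\MyFile.tmp'),
    [string]$GateKey = 'HKLM:\SOFTWARE\Vendor\Product',   # placeholder, not the real AnyConnect key
    [switch]$Fix
)

# Well-known SID of BUILTIN\Users. Matching ACEs by SID avoids the name lookup and the
# group expansion that an "effective permissions" query (GetEffectiveRightsFromAcl)
# performs, so nothing in this script asks a domain controller anything.
$UsersSid     = 'S-1-5-32-545'
$NeededRights = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-UsersReadExecute {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs rather than names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allow = 0; $deny = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $UsersSid) { continue }
        $bits = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allow = $allow -bor $bits
        } else {
            $deny = $deny -bor $bits
        }
    }
    # Simplification: only ACEs naming BUILTIN\Users itself are counted. Rights Users
    # would also get through Everyone or Authenticated Users are ignored; that is the
    # price of an ACE check instead of an effective-permission check.
    $effective = $allow -band (-bnot $deny)
    New-Object PSObject -Property @{
        Path                = $Path
        InheritanceDisabled = $acl.AreAccessRulesProtected   # the flag the bug flipped off
        UsersHasReadExecute = (($effective -band $NeededRights) -eq $NeededRights)
    }
}

function Enable-AclInheritance {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # First argument $false = stop protecting the DACL, i.e. turn inheritance back on so
    # the parent folder's ACEs (including its default Users read/execute ACE) flow down
    # again. The second argument only matters when protecting, so it is ignored here.
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Cheapest test first, as with a short-circuit AND in relevance: most hosts stop here
# without ever opening the file's security descriptor.
if (-not (Test-Path -LiteralPath $GateKey)) { return }
if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }

$before = Test-UsersReadExecute -Path $Path
$before
if ($Fix -and $before.InheritanceDisabled -and -not $before.UsersHasReadExecute) {
    Enable-AclInheritance -Path $Path
    Test-UsersReadExecute -Path $Path    # re-check after the repair
}
```

Without -Fix the script only reports, which is the safe way to size the affected population before touching anything. Re-enabling inheritance only restores Users' access if the parent folder still grants it; if the parent's DACL was also changed, the fix has to add an explicit ACE instead, and that is worth checking on one machine before deploying the action widely.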

(imported comment written by fred16691)

FYI, this problem is fixed in AnyConnect 2.2.0133.

(imported comment written by Robert_Whelan91)

fred166

FYI, this problem is fixed in AnyConnect 2.2.0133.

Yep, we’re the ones that found it and reported it. We also kept it at a P2 until we got the latest build.

The fact the you know this interests me. Can you drop me a note and compare some notes?

robert.whelan/at/gmail.com

Thanks

Robert