I need to be able to verify the permissions of a given file. Then, if the permissions are not set correctly, use a BigFix script to make the necessary file permissions adjustment.
Can someone provide a good example of how to accomplish this fixlet?
Guys, how would I use an if-then statement for querying the current permissions? I am looking for something like: if c:\software\test.test.exe everyone has full permission, then execute icacls to change to read only.
So, the fixlet relevance would be set to check the file permissions.
Then the fixlet action can be a simple DOS command to make a file read only. I think attrib is what you want to look for.
I am thinking to check the security settings like Administrator, System, Users, TrustedInstaller. It is located in the Security tab of the file or folder.
This is what I came up with, let me know if it makes sense.
if {effective write permission for "Everyone" of dacls of security descriptors of folder "c:\soft"}
waithidden cmd.exe /C cacls.exe C:\soft /E /G Everyone:R
endif
The /E makes cacls edit permissions, so you’d be adding READ but not taking away WRITE.
If you have a set of permissions you want you’d probably do something to set all the permissions, overwriting existing, like
waithidden cmd.exe /C cacls.exe C:\soft /G Everyone:R /G Administrators:F /G "NT Authority\SYSTEM":F
Jason, it would be nice to create an analysis query to get the folder permission for a given user. That way one can target specific computers with the folder or file permission set wrong.
Sure, it would be. That’s a loaded question though. You could mean three different things:
1. Reduce permissions on the folder if there are too many accounts or permissions listed
2. Add permissions on the folder if there are not enough accounts or permissions listed
3. Reset permissions on the folder if they do not exactly match what you expect.
I can help you build a relevance for number 3 here, that you could modify slightly to handle cases 1 or 2 as well. To compare all the entries at once, it’s probably easiest to deal with it in native SDDL form. On a reference machine, set the permissions exactly as you want them and then retrieve the SDDL value:
q: dacls of security descriptors of folder "c:\temp"
A: D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)
T: 0.967 ms
I: plural discretionary access control list
Then you could use this in an Analysis or Fixlet Relevance to compare systems to your reference value:
q: exists folder "C:\temp" whose (exists dacls whose (it as string != "D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)") of security descriptors of it)
A: False
T: 1.022 ms
I: singular boolean
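Added example, not part of the original posts and not BigFix code: a Python sketch that takes the DACL strings an analysis like the one above would return and reports which ACEs are extra, missing or reordered against the reference, which separates cases 1, 2 and 3. The names parse_dacl and diff_dacl and the DRIFTED sample are constructed for illustration; it assumes plain six-field ACEs and rejects anything else.

```python
import re
from collections import namedtuple

# Fields of one ACE in SDDL order: (type;flags;rights;object_guid;inherit_guid;sid)
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid sid")

# Reference DACL copied from the QnA output in the post above.
REFERENCE = ("D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
             "(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)")
# Constructed sample: the same DACL plus a full-control ACE for Everyone (WD).
DRIFTED = REFERENCE + "(A;OICI;FA;;;WD)"

def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z_]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE (expected 6 fields): " + body)
        aces.append(Ace(*fields))
    return m.group(1), aces

def diff_dacl(reference, observed):
    """Compare two DACLs and report extra, missing or reordered ACEs."""
    ref_flags, ref_aces = parse_dacl(reference)
    obs_flags, obs_aces = parse_dacl(observed)
    extra = [a for a in obs_aces if a not in ref_aces]
    missing = [a for a in ref_aces if a not in obs_aces]
    return {
        "match": (ref_flags, ref_aces) == (obs_flags, obs_aces),
        "flags_changed": ref_flags != obs_flags,
        "extra": extra,        # case 1: more entries than expected
        "missing": missing,    # case 2: fewer entries than expected
        # ACE order changes how a DACL is evaluated, so report it separately
        "reordered": not extra and not missing and ref_aces != obs_aces,
    }

if __name__ == "__main__":
    for ace in diff_dacl(REFERENCE, DRIFTED)["extra"]:
        print("extra ACE:", ace.sid, ace.rights, ace.flags)
```

The exact string comparison in the relevance stays the authoritative drift check; this only explains why a machine failed it.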