(imported topic written by kcmeaton91)
Is there a way to report on all shares and share permissions (Even if the permissions are user etc)
(imported comment written by BenKus)
Try this:
q: (name of it, path of it, (if (not exists entries of dacls of security descriptors of it) then “n/a” else ((trustee of it as string & “:” & (if ( read permission of it) then “R” else “”) &(if ( write permission of it) then “W” else “” )) of entries of dacls of security descriptors of it))) of network shares
A: ADMIN$, C:\Windows, n/a
A: C$, C:, n/a
A: IPC$, , n/a
A: test, C:\temp\test, BUILTIN\Administrators:RW
A: test, C:\temp\test, \Everyone:RW
I think this property should work without issue, but I am always worried about when user permissions are looked up because I fear weird Windows behaviors that trigger Active Directory queries for domain users… I am pretty sure it won’t happen in this case, but I suggest that you be cautious and have this property only run rarely (once a day maybe)…
Ben
(imported comment written by hbkrules6991)
Hi Ben…sorry to bump this back up…but how can we exclude the default shares…i.e… Admin$, C$, IPC$$ etc…?
(imported comment written by BenKus)
Maybe try this?
q: (name of it, path of it, (if (not exists entries of dacls of security descriptors of it) then “n/a” else ((trustee of it as string & “:” & (if ( read permission of it) then “R” else “”) &(if ( write permission of it) then “W” else “” )) of entries of dacls of security descriptors of it))) of network shares whose (name of it does not contain “$”)
Ben
(imported comment written by hbkrules6991)
Ben thanks…and my apologies but the person looking for this gave me a different search…how about just reporting on what drive letters have a share that does not contain $…i.e… if only c$ is shared, then ignore it, but if there is a shared folder under the C$, then …i was thinking something like this
names of drives of it of network shares whose (name of it does not contain “$”)
Thanks!
(imported comment written by hbkrules6991)
bump
(imported comment written by BenKus)
It seems that the relevance that you posted should do what you are looking for… does it appear to meet your needs?
Ben
(imported comment written by hbkrules6991)
Hi Ben…yeah i tried it and it does not return anything…even though there are shares that do not contain $…
(imported comment written by BenKus)
Try this:
names of network shares whose (name of it does not contain “$”)
Ben
(imported comment written by anthonymap91)
Did anyone see any negative affect of this analysis? I was going to enable this and just wanted to check.
Thanks
If you want to make this more accurate, you can do the following to only exclude true administrative shares, and not a custom share that uses a $ sign to hide it:
…of network shares whose (type of it != 2147483648 AND type of it != 2147483651 AND type of it != 3221225472 AND name of it != “print$” AND name of it != “prnproc$”)