User security access relevance

Hello All

I have a problem with several hundred machines and need to check some file permissions, as this user is really important to Windows getting patched properly. I need to create an automatic group using relevance to report the VMs that do not have the user “sppsvc” present on the directory “C:\Windows\System32\spp\store\2.0”.

I am using the following relevance statement:

Q: exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "C:\Windows\System32\spp"
A: False
T: 0.119 ms

When I run against the SPP directory the answer is correct but when I try to point to the 2.0 folder I am receiving the following answer:

Q: exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "C:\Windows\System32\spp\store\2.0"
E: Singular expression refers to nonexistent object.

I just need a boolean that answers False if the user “Nt Service\sppsvc” does not have write permissions to the directory C:\Windows\System32\spp\store\2.0.

Could you help me create a functional relevance for my automatic group?

Thank you
Allan

You’re hitting a problem with 32-bit redirection. The “folder” inspector, like everything else in BESClient, defaults to the 32-bit paths, so it’s actually looking at \windows\syswow64\spp (which exists, but does not have a ‘store’ subdirectory).

Try either ‘native folder’ or ‘native system folder’ to get the right path:

Q:exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "C:\Windows\System32\spp\store\2.0"
E: Singular expression refers to nonexistent object.

Q:exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of native folder "C:\Windows\System32\spp\store\2.0"
A: False
T: 39.558 ms
I: singular boolean
F: Fingerprintable: true, Path: 0x00000001, Path Sum: 0x00000000, Bits: 0x80000000, Global Sum: 0x00000ab6, Seems Unchanged: true

Q:exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 38.842 ms
I: singular boolean
F: Fingerprintable: true, Path: 0x00000001, Path Sum: 0x00000000, Bits: 0x80000000, Global Sum: 0x00000ab6, Seems Unchanged: true

Thank you Jason

I tried but I am receiving an incorrect answer:

Q: exists it whose(it = TRUE) of effective write permissions for "Nt Service\sppsvc" of dacls of security descriptors of native folder "C:\Windows\System32\spp\store\2.0"
A: False
T: 112.466 ms

Q: exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of native folder "C:\Windows\System32\spp\store\2.0"
A: False
T: 1.861 ms

Q: exists it whose(it = TRUE) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 1.055 ms

It is working correctly for the Administrators group:

Q: exists it whose(it = TRUE) of effective write permissions for "Administrators" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
T: 90.500 ms

But I am not sure why it is not working for “Nt Service\sppsvc” or just “sppsvc”.

Regards

At first I thought the account name may need to be specified differently or that it was case-sensitive. Here’s how I figured out the real account name, but in my follow-up case-insensitive tests it seems to work for me the way you wrote it (though you do have to specify NT SERVICE\sppsvc):

Q: (trustee of it, write permission of it) of entries of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: NT AUTHORITY\SYSTEM, True
A: BUILTIN\Administrators, True
A: NT SERVICE\sppsvc, True
A: BUILTIN\Users, False
A: BUILTIN\Users, False
T: 18.611 ms
I: plural ( security identifier, boolean )

q: effective write permissions for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
T: 13.551 ms
I: plural boolean

q: effective write permissions for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
T: 9.023 ms
I: plural boolean

q: exists it whose (it = true) of effective write permissions for "Nt Service\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
T: 5.004 ms
I: singular boolean

q: exists it whose (it = true) of effective write permissions for "sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 0.866 ms
I: singular boolean

Hi, thank you again.

I am not receiving an answer for the query, just the timing:

q: effective write permissions for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
T: 201.773 ms

q: (trustee of it, write permission of it) of entries of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: NT AUTHORITY\SYSTEM, True
A: BUILTIN\Administrators, True
A: NT SERVICE\sppsvc, True
A: BUILTIN\Users, False
A: BUILTIN\Users, False
T: 122.334 ms

Q: exists it whose (it = true) of effective write permissions for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 116.528 ms

Am I missing something?
Thank you

I’d stick with using “write permission” rather than “effective write permission”. These dacls are explicit for this account, so there’s no need to unwind its group memberships; that may be timing out or perhaps be invalid for an NT SERVICE account.

No luck.

q: write permission for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
E: The operator “write permission for” is not defined.

Q: exists it whose (it = true) of write permission for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
E: The operator “write permission for” is not defined.

Did this one work?

q: exists it whose (it = true) of effective write permissions for "Nt Service\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True

(I know, I said to avoid the “effective write”; I’ll post the explicit dacl version when I get back to a computer.)

It is not answering correctly, and I am not sure why:

q: (trustee of it, write permission of it) of entries of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: NT AUTHORITY\SYSTEM, True
A: BUILTIN\Administrators, True
A: NT SERVICE\sppsvc, True
A: BUILTIN\Users, False
A: BUILTIN\Users, False
T: 198.381 ms

Q: exists it whose (it = true) of effective write permissions for "Nt Service\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 192.804 ms

Q: exists it whose (it = true) of effective write permissions for "NT SERVICE\sppsvc" of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: False
T: 110.957 ms

Ok, then, back to my earlier thought on “check explicit permissions”. The “effective permission” inspector requires unwinding group memberships, and maybe in a domain environment that’s taking too long or failing outright for “NT SERVICE” accounts. Not sure; my lab isn’t domain-joined right now.

See if this check on explicit dacls works…

q: exists entries whose (trustee of it as string as lowercase = "NT SERVICE\sppsvc" as lowercase and write permission of it) of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
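An added example (not from this thread) that turns the explicit-dacl check above into a guarded automatic-group relevance: it keeps the native (non-redirected) path from the first reply, returns False instead of the "nonexistent object" error on machines where the folder is absent, and is phrased so True means the machine needs attention. The `//` lines are comments for the reader; paste only the `q:` lines into the Fixlet Debugger.

```relevance
// Added example, not the original poster's or the thread's own relevance.
// "native system folder" avoids the 32-bit SysWOW64 redirection that made
// "folder C:\Windows\System32\spp\store\2.0" fail earlier in the thread.

// 1. Guard: does the native folder even exist on this machine?
q: exists folder "spp\store\2.0" of native system folder

// 2. Explicit ACE check, case-insensitive on the trustee name, so
//    "Nt Service\sppsvc" and "NT SERVICE\sppsvc" both match.
q: exists entries whose (trustee of it as string as lowercase = "NT SERVICE\sppsvc" as lowercase and write permission of it) of dacls of security descriptors of folder "spp\store\2.0" of native system folder

// 3. Automatic-group relevance: True when the folder is missing OR the
//    sppsvc write ACE is missing, so the group lists machines to fix.
//    The "if exists" guard is what prevents the singular-expression error.
q: if exists folder "spp\store\2.0" of native system folder then (not exists entries whose (trustee of it as string as lowercase = "NT SERVICE\sppsvc" as lowercase and write permission of it) of dacls of security descriptors of folder "spp\store\2.0" of native system folder) else true

// 4. Optional analysis property to see exactly which ACEs grant write,
//    useful when the group result is unexpected on a given machine.
q: (trustee of it as string, write permission of it) of entries of dacls of security descriptors of folder "spp\store\2.0" of native system folder
```

Query 3 is the one to put in the automatic group; queries 1, 2 and 4 are for checking the pieces individually in the debugger.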

Works perfectly:

Q: exists entries whose (trustee of it as string as lowercase = "NT SERVICE\sppsvc" as lowercase and write permission of it) of dacls of security descriptors of folder "spp\store\2.0" of native system folder
A: True
T: 3.259 ms

Again, thank you very much.
