Solved

alternative to security > advanced > effective permissions

Posted on 2013-06-26
5
417 Views
Last Modified: 2013-07-15
I have been tasked with auditing 5x windows 2003 file servers to see what data on the many shares is accessible by domain wide groups such as everyone and domain users. Aside from just creating an account and only adding it to the domain users group, and then manually mounting the shares and seeing what access can I get to, are there any tools that can do an effective permissions report?

I did find sysinternals "accessChk" however I dont think its going to work, from what I gather it is not reporting on nested groups, so if domain users is added to a group, it wont report it as a finding. So an effective permissions report whether the domain users group is added to the ACL directly, or has access as it is a nested group within a group - would be fantastic. From what I can see accessEnum wont work either due to the same problem.

There must be a more sophisticated way of doing this rather than manual trawling.
0
Comment
Question by:pma111
5 Comments
 
LVL 9

Accepted Solution

by:
VirastaR earned 167 total points
ID: 39277364
0
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 167 total points
ID: 39277407
If the acl is set for a group and not a specified user than it will only return the 'group' and not a specific user.. you have to know what users are members of a particular group and then cross reference the information.

another way is to get a list of users and then run a script on all directories as that user and report the information out.
0
 
LVL 3

Author Comment

by:pma111
ID: 39280776
Does accessEnum only work at folder level (or can you configure it to) and not report on every single file on a share?
0
 
LVL 3

Author Comment

by:pma111
ID: 39280804
>another way is to get a list of users and then run a script on all directories as that user and report the information out.

Have you ever come across such?
0
 

Assisted Solution

by:Nate15329
Nate15329 earned 166 total points
ID: 39282781
DumpSec (freeware) works pretty well for dumping security permissions for file, network, shares, etc.

Run as domain admin

Just don't install hydra when running the setup.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Assess most serious Linux privilege escalation bug 17 163
Sweet32 Vulnerability in Microsoft IIS7.5 6 286
Questions about DHCP migration 5 55
PCI compliance 16 30
Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Learn about cloud computing and its benefits for small business owners.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now