Link to home
Start Free TrialLog in
Avatar of Mr. Be@n
Mr. Be@n

asked on

Modifying folder permissions with Powershell.

Hello everyone,
It has been revealed to us from a vulnerability scan that a program that many people use has an ACE of Everyone, Full Control. I have found that I am able to remove that entry and replace it with Authenticated users, Read and Execute and the program still works. Real dick move from these developers!!!  I am now in the process writing a PowerShell script to accomplish this.  Here is the script that I have so far:

$Acl = Get-Acl "C:\Program Files (x86)\Fakeprogram\subfolder"
$AU = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "ReadAndExecute" , "Allow")
$Everyone = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl" , "Allow")
$Acl.addAccessRule($AU)
$Acl.RemoveAccessRule($Everyone)
Set-Acl "C:\Program Files (x86)\Fakeprogram\subfolder"  $Acl


The result of this is that it adds the authenticated users group, but on the security tab, it just says, "special permissions," you go to advanced and then you see that Read & Execute and the Everyone group is the same way after this, but it says full control in the Advanced permissions and that is obviously not true because I now get prompted for admin credentials when I go to change the permissions back in the GUI.  I am frustrated with this one, because I read a bunch of things online about this, did what everyone told me and these are the results that I am getting.  Can anyone tell me if  I am doing anything wrong that is causing all this weirdness?  I think that you can all imagine that I am just trying to remove Everyone: Full Control and add Authenticated Users Read and Execute and have look as if I did it through the GUI.  
Avatar of DEMAN-BARCELO (MVP) Thierry
DEMAN-BARCELO (MVP) Thierry
Flag of France image

Hi,
changing ACL from "EveryOne" to "Authenticated Users" is not a big change!
The only difference is "guest users" who are probably not enabled.

Now, the problem that you have, is that "administrators" are members of "authenticated users" as all other users. So, they have the same restrictions (Read and Execute) as all other normal users.
You should create another ACL(ACE) entry to let all permissions to admin users.

Take also care of inherited or not inherited permissions.
I guess you have to separate, if a permission is set to the current folder, including subfolder and items...
Or in other word, if they inherit or not.
Only if all settings fit the default read & execute permission (including inheritance), then you see it as read & execute.

User generated image
Avatar of Mr. Be@n
Mr. Be@n

ASKER

First changing from Everyone to Authenticated users is a pretty big, because that means that not just any idiot can walk into the building and have access to something.  They have to be domain users.  Also it is being changed from full control to read and execute.  Let me really spell this out:



going from Everyone: Full control   to Authenticated users: Read and Execute  ----Yeah I'd say that is a big difference!!!!!

Is there something I am not communicating correctly?  Is there something wrong with my question?  The responses that I just got seem to have nothing to do with my question and it is really annoying.  Is there some kind of way I can rephrase my question?  Is it me?
ASKER CERTIFIED SOLUTION
Avatar of oBdA
oBdA

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial