Mr. Be@n
 asked on

Modifying folder permissions with Powershell.

Hello everyone,
It has been revealed to us from a vulnerability scan that a program that many people use has an ACE of Everyone, Full Control. I have found that I am able to remove that entry and replace it with Authenticated Users, Read and Execute, and the program still works. Real dick move from these developers!!! I am now in the process of writing a PowerShell script to accomplish this. Here is the script that I have so far:

# Read the current DACL of the folder
$Acl = Get-Acl "C:\Program Files (x86)\Fakeprogram\subfolder"
# Neither rule specifies InheritanceFlags/PropagationFlags, so both apply to "This folder only"
$AU = New-Object System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "ReadAndExecute" , "Allow")
$Everyone = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "FullControl" , "Allow")
$Acl.AddAccessRule($AU)
$Acl.RemoveAccessRule($Everyone)
# Write the modified DACL back
Set-Acl "C:\Program Files (x86)\Fakeprogram\subfolder" $Acl


The result of this is that it adds the Authenticated Users group, but on the Security tab it just says "Special permissions"; you go to Advanced and then you see Read & Execute. The Everyone group is the same way after this, but it says Full Control in the Advanced permissions, and that is obviously not true, because I now get prompted for admin credentials when I go to change the permissions back in the GUI. I am frustrated with this one, because I read a bunch of things online about this, did what everyone told me, and these are the results that I am getting. Can anyone tell me if I am doing anything wrong that is causing all this weirdness? I think that you can all imagine that I am just trying to remove Everyone: Full Control and add Authenticated Users: Read and Execute and have it look as if I did it through the GUI.
Tags: PowerShell, Windows OS, Windows Networking, Windows Server 2008, Windows Server 2003

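The question starts from a scanner finding. The following added audit script is not from the original poster; it is an example of how to find the same class of weak ACE yourself: directories under Program Files where a broad principal holds a write-capable right. The root list, the principal list and the rights mask are assumptions (adjust them to the environment), and it assumes Windows PowerShell 2.0 or later on Windows.

```powershell
# Added example (not from the original post): find directories under Program Files
# whose DACL lets broad groups write, the kind of finding a vulnerability scanner
# reports. The root list and the principal list are assumptions; adjust to taste.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Principals that every local or domain user falls into (assumed list).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on a Program Files directory lets a standard user plant or
# replace binaries, or rewrite the ACL itself.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry generic rights the enum has no name for.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

$Findings = foreach ($Root in $Roots) {
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $Dir = $_.FullName
            try { $Acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop } catch { return }
            foreach ($Ace in $Acl.Access) {
                if ($Ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { continue }
                if (([int]$Ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
                New-Object PSObject -Property @{
                    Path      = $Dir
                    Identity  = $Ace.IdentityReference.Value
                    Rights    = $Ace.FileSystemRights
                    Inherited = $Ace.IsInherited   # inherited: fix it on the parent, not here
                }
            }
        }
}

$Findings | Sort-Object Path | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

The Inherited column matters for the fix: an ACE that is inherited cannot be removed on the child folder, so the remediation has to happen on the parent or after breaking inheritance.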

8/22/2022 - Mon
DEMAN-BARCELO (MVP) Thierry

Hi,
changing ACL from "EveryOne" to "Authenticated Users" is not a big change!
The only difference is "guest users" who are probably not enabled.

Now, the problem that you have is that "administrators" are members of "authenticated users", like all other users. So they have the same restrictions (Read and Execute) as all other normal users.
You should create another ACL (ACE) entry to grant full permissions to admin users.

Take also care of inherited or not inherited permissions.
Bembi

I guess you have to distinguish whether a permission is set on the current folder only, or including subfolders and items...
Or, in other words, whether they inherit or not.
Only if all settings fit the default Read & Execute permission (including inheritance) do you see it as Read & Execute.

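The two answers above point at the two things the original script misses: it adds no entry that keeps administrators in control, and its rules carry no inheritance flags, so they apply to "This folder only" and the GUI shows them as "Special permissions". The same flag mismatch also explains the leftover Everyone entry: RemoveAccessRule() only removes the portion of the existing ACE that the given rule covers, and can leave an inherit-only remnant behind. The script below is an added example, not code from the original poster or from either answerer. It assumes the folder path is a placeholder, that it runs elevated under Windows PowerShell 3.0 or later, and that Administrators and SYSTEM are the principals that should keep Full Control.

```powershell
# Added example (not code from the original post or the answers above).
# Assumptions: the path is a placeholder, Windows PowerShell 3.0+, run elevated.
$Path = 'C:\Program Files (x86)\Fakeprogram\subfolder'

# "This folder, subfolders and files": the scope the GUI writes, and the only one it
# displays as a plain "Read & execute" / "Full control" instead of "Special permissions".
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow

$Acl = Get-Acl -LiteralPath $Path

# An inherited "Everyone" ACE cannot be removed here; it lives on the parent.
# Break inheritance (keeping copies of the inherited entries as explicit ones),
# persist that, and re-read the ACL so the copies are editable.
if ($Acl.Access | Where-Object { $_.IsInherited }) {
    $Acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance
    Set-Acl -LiteralPath $Path -AclObject $Acl
    $Acl = Get-Acl -LiteralPath $Path
}

# Drop every ACE for Everyone regardless of its rights or inheritance flags.
# RemoveAccessRule() needs the flags to match the existing ACE and otherwise leaves
# an inherit-only remnant behind; PurgeAccessRules() avoids that.
$Acl.PurgeAccessRules([System.Security.Principal.NTAccount]'Everyone')

# Explicit entries to add (assumed set): Administrators and SYSTEM keep control of
# the folder, Authenticated Users get read/execute only. All use the inheriting scope.
$Entries = @(
    @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' },
    @{ Identity = 'BUILTIN\Administrators';           Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' }
)
foreach ($E in $Entries) {
    $Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $E.Identity, $E.Rights, $Inherit, $Propagate, $Allow
    $Acl.SetAccessRule($Rule)   # replaces any existing Allow ACE for that identity
}

Set-Acl -LiteralPath $Path -AclObject $Acl

# Verify: list what is actually on disk, including the inheritance flags the GUI
# keys on, and warn about any leftover Everyone entry.
$Result = (Get-Acl -LiteralPath $Path).Access
$Result | Format-Table IdentityReference, FileSystemRights, AccessControlType,
    InheritanceFlags, PropagationFlags, IsInherited -AutoSize
if ($Result | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    Write-Warning "An ACE for Everyone is still present on $Path"
}
```

The verification step is worth keeping in any deployment version of this: the Security tab summarises an ACE as "Read & execute" only when both the rights and the inheritance flags match the standard set, so checking InheritanceFlags and PropagationFlags in the output is what tells you it will look the same as a GUI-made change.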

Mr. Be@n

ASKER
First, changing from Everyone to Authenticated Users is a pretty big change, because that means that not just any idiot can walk into the building and have access to something. They have to be domain users. Also, it is being changed from Full Control to Read and Execute. Let me really spell this out:

going from Everyone: Full Control to Authenticated Users: Read and Execute ---- Yeah, I'd say that is a big difference!!!!!

Is there something I am not communicating correctly?  Is there something wrong with my question?  The responses that I just got seem to have nothing to do with my question and it is really annoying.  Is there some kind of way I can rephrase my question?  Is it me?
ASKER CERTIFIED SOLUTION
oBdA
