Monday, January 27, 2020

PowerShell script to get a list of shares and perform tests on them


The Problem
In my environment I have about 200 VMs, plus some physical servers, some of them in a remote site. One of the critical security issues is the open share, where users can Read/Write/Delete data. Usually these shares are created by a misconfigured share, or as shares that were intended to be temporary and then suddenly became critical and ended up in production.
Power users who have the ability to create shares and manage permissions may forget to set proper permissions; sometimes they take the easy way of granting Everyone everything in both NTFS and share permissions, which exposes all the files to all users, and in some cases these are critical files.
There are several scripts on the Internet to search for shared folders on servers, but usually the result is slow, incompatible, or full of noise such as admin shares. Another challenge is that even after getting the share list, how can the admin confirm whether a user can Access/Read/Write/Delete files in the shared folder without going through the long list of ACLs for both share and NTFS?!

PowerShell Script
To address this issue, I created a PowerShell script that does the following:
  1. Gets a list of all AD computers using the filter operatingsystem -like "*server*", so only servers are retrieved.
  2. Tests each computer's reachability and ensures that it is responding.
  3. For each server matching the filter, gets the share list using a WMI query. The share list only includes folders and admin shares such as Admin$, C$, IPC$ ..., excluding printers.
  4. The script can read cluster shares.
  5. If the Impersonation parameter is set to $true, the script asks for another user's credentials and uses them to perform the Access, Write, Read and Delete tests on each share; usually these credentials are for a limited user:
    • Create a PSDrive and assign any available letter to it. At least make sure that you have 1 available letter :)
    • If the mapping succeeds, the user can access the share and Access is set to Yes; otherwise all the other tests stop, as I assume that if the user doesn't have the right to access a folder, this user won't have write, read or delete permissions either.
    • If Access succeeded, the script proceeds to write a file named AdcciTestPSWrite.txt to the destination.
    • If the Write succeeded, the script proceeds to read it.
    • The last step is to remove the created file, and the result is updated.
      • The script will not remove random files; it will only try to remove the file it wrote as part of the test.
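The steps above, carried through as one runnable script. This is an added example written for this post, not the author's downloadable script: it assumes the RSAT ActiveDirectory module is installed, that the account running it can query AD and WMI on the servers, and that the operator supplies a limited test user when -Impersonation is given. The test-file name AdcciTestPSWrite.txt is taken from the post; the parameter names, column names and the choice to keep only disk shares (admin disk shares included, IPC$ and printers left out) are my own.

```powershell
# Added example (not the author's script): audit share access as a low-privilege user.
# Assumes: RSAT ActiveDirectory module; AD/WMI query rights on the servers;
# -Credential supplied by the operator is a limited test user.
[CmdletBinding()]
param(
    [switch]$Impersonation,
    [string]$OutFile = "$env:USERPROFILE\ShareAudit.csv",
    [string]$TestFileName = 'AdcciTestPSWrite.txt'   # test-file name used in the post
)

Import-Module ActiveDirectory

# Step 1: only server operating systems
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*server*"' -Properties OperatingSystem |
           Select-Object -ExpandProperty Name

# Step 5: ask once for the limited user's credentials
$cred = $null
if ($Impersonation) { $cred = Get-Credential -Message 'Limited user to test share access with' }

$results = foreach ($server in $servers) {
    # Step 2: skip hosts that do not answer, but record them so the CSV shows the gap
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        [PSCustomObject]@{ Server=$server; Share=''; Path=''; Reachable=$false; Access=''; Write=''; Read=''; Delete='' }
        continue
    }

    # Step 3: share list via WMI. Win32_Share Type 0 = disk share, 2147483648 = admin disk share (C$, ADMIN$).
    # Printers (1 / 2147483649), devices and IPC$ are left out because they cannot be mapped as a drive.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $server -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 0 -or $_.Type -eq 2147483648 }

    foreach ($share in $shares) {
        $row = [PSCustomObject]@{ Server=$server; Share=$share.Name; Path=$share.Path; Reachable=$true
                                  Access='No'; Write='No'; Read='No'; Delete='No' }
        if ($Impersonation) {
            $unc = "\\$server\$($share.Name)"
            # Pick any free drive letter (Z down to D) for the temporary PSDrive
            $used   = (Get-PSDrive -PSProvider FileSystem).Name
            $letter = [string]([char[]](90..68) | Where-Object { $used -notcontains [string]$_ } | Select-Object -First 1)
            try {
                # Access test: mapping the share as the test user
                New-PSDrive -Name $letter -PSProvider FileSystem -Root $unc -Credential $cred -ErrorAction Stop | Out-Null
                $row.Access = 'Yes'
                $testPath = "${letter}:\$TestFileName"
                try {
                    # Write test, then Read test on the same file
                    Set-Content -Path $testPath -Value 'share audit test' -ErrorAction Stop
                    $row.Write = 'Yes'
                    if ((Get-Content -Path $testPath -ErrorAction Stop) -eq 'share audit test') { $row.Read = 'Yes' }
                    # Delete test: only the file this script created is ever removed
                    Remove-Item -Path $testPath -ErrorAction Stop
                    $row.Delete = 'Yes'
                } catch {
                    # Write, Read or Delete denied: the row keeps 'No' for the failed step and those after it
                }
            } catch {
                # Mapping failed: the user cannot access the share, so the remaining tests are skipped
            } finally {
                Remove-PSDrive -Name $letter -ErrorAction SilentlyContinue
            }
        }
        $row
    }
}

# Output: one CSV row per share (or per unreachable server)
$results | Export-Csv -Path $OutFile -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it as `.\ShareAudit.ps1 -Impersonation` and enter the limited user's credentials when prompted; without the switch it only produces the share inventory. Like the post's script, this example inherits the Creator Owner limitation described below: the test user owns the file it just wrote, so on shares where Creator Owner has full control (home folders, folder redirection) Write/Read/Delete come back Yes even though other users' files are not exposed.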
Limitations:

  1. The script may report that the user has full access (Access, Read, Write, Delete) in a folder where Creator Owner has full control, such as Folder Redirection or Home Folder shares. I will fix this issue in the coming version. But for now it's good :).
  2. There might be duplicated results when the file server cluster has multiple roles. I will also work on fixing this issue in the next version.
Output
The output is a CSV file, which you can format the way you want, showing the folder name and a table of the permissions the impersonated user has.


Download the script, try it and let me know

https://drive.google.com/drive/folders/1NL8YqCI1jBWzhtcWNcMCRihjp2Tn3nJa?usp=sharing


You can reach me at farisnt@gmail.com

