CQURE 5-Day Challenge – Day 2: Auditing Permissions

Welcome to Day 2 of CQURE’s 5-Day Challenge. You can find it here.

This is not a challenge per se, more a list of instructions aimed at getting you started with ACLs. I highly recommend going through each step.

One of the steps shows how to get the numeric value of file system rights. The below PowerShell code outputs to the console all possible values.

# Enumerate every named FileSystemRights value and print its numeric (bit mask) value
foreach ($right in [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])) {
    $intValue = [int]([System.Security.AccessControl.FileSystemRights]$right)
    Write-Host ("{0,-30} : {1}" -f $right, $intValue)
}

The most interesting command from the assessment, at least for me, is the one to get all user / group permissions on an object. For example:

Get-Acl C:\Windows | Select-Object -ExpandProperty Access

I think this would be the starting point for an auditing tool that checks for permission conflicts, for example whether a user / group has both a Deny and an Allow entry for the same permission. The difficulty in building such a tool is that some permissions are inherited: even if a user has explicitly been granted Allow for an action, they may pick up a Deny through membership of a group. The effective permission depends on the order in which these entries are evaluated.
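As a starting point for the conflict check described above, here is an added example (my own code, not part of the CQURE challenge or the original post). It reads the ACL of a path, groups the ACEs by identity, and reports every identity that holds both an Allow and a Deny for overlapping rights, together with whether each side is explicit or inherited, which is what decides the outcome under Windows' canonical ACE order (explicit Deny, explicit Allow, inherited Deny, inherited Allow). The path in the usage line is hypothetical.

```powershell
# Added example: find identities with overlapping Allow and Deny ACEs on one object.
function Find-AclConflict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $acl = Get-Acl -LiteralPath $Path

    # Group ACEs by the identity (user or group) they apply to.
    $byIdentity = @{}
    foreach ($ace in $acl.Access) {
        $key = $ace.IdentityReference.Value
        if (-not $byIdentity.ContainsKey($key)) { $byIdentity[$key] = @() }
        $byIdentity[$key] += $ace
    }

    foreach ($identity in $byIdentity.Keys) {
        $aces  = $byIdentity[$identity]
        $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($allow.Count -eq 0 -or $deny.Count -eq 0) { continue }

        # Fold all allowed and all denied rights into two bit masks.
        $allowMask = 0
        foreach ($ace in $allow) { $allowMask = $allowMask -bor [int]$ace.FileSystemRights }
        $denyMask = 0
        foreach ($ace in $deny) { $denyMask = $denyMask -bor [int]$ace.FileSystemRights }

        # Only rights that are both allowed and denied are a conflict.
        $overlap = $allowMask -band $denyMask
        if ($overlap -eq 0) { continue }

        [PSCustomObject]@{
            Path              = $Path
            Identity          = $identity
            ConflictingRights = [System.Security.AccessControl.FileSystemRights]$overlap
            ExplicitDeny      = [bool]@($deny  | Where-Object { -not $_.IsInherited }).Count
            ExplicitAllow     = [bool]@($allow | Where-Object { -not $_.IsInherited }).Count
            InheritedDeny     = [bool]@($deny  | Where-Object { $_.IsInherited }).Count
            InheritedAllow    = [bool]@($allow | Where-Object { $_.IsInherited }).Count
        }
    }
}

# Usage (hypothetical path): an explicit Allow next to an inherited Deny is the
# case to look at, because the explicit entry wins over the inherited one.
# Find-AclConflict -Path 'C:\Data\Reports' | Format-List
```

The output is per-object only; an identity that is allowed a right directly and denied it through a group it belongs to shows up as two different identities here, which is why the identity resolution shown later in the post is the natural next step.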

From the ‘Access’ property of the ACL, we can use the ‘IdentityReference’ field to find out more about that user / group. See the code below:

$ntAccount = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')
$accountSID = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])
$adEntry = [ADSI]"LDAP://<SID=$($accountSID.Value)>"

The first line creates a new object of type ‘NTAccount’, which represents a user or group account. The second line takes the account and retrieves its SID. The last line searches the AD for said account using the SID and returns an object of type ‘DirectoryEntry’ if it’s found.

There’s definitely a lot more info here about an account, and it sure allows you to discover if it’s a user or to further enumerate accounts in the case of a group. I’m sure there are other ways to get the same results, but the best one is the one you know, so I’m going to stick with it. Feel free to use these as the starting blocks in automating your permission checks.
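To show the user-or-group check and the group enumeration mentioned above in working form, here is an added example built on the same three-line lookup (my own code, not the post's). It takes an ACE's IdentityReference, translates it to a SID, binds to that SID in Active Directory, reports the object class, and for a group lists the direct members' sAMAccountNames. It assumes a domain-joined host where the `LDAP://<SID=...>` bind works; identities that do not exist in AD (local or built-in accounts) are reported as unresolved rather than thrown. The path in the usage line is hypothetical.

```powershell
# Added example: resolve an ACE identity to its AD object and, for groups, its members.
function Resolve-AceIdentity {
    param(
        [Parameter(Mandatory)]
        [System.Security.Principal.IdentityReference]$Identity
    )

    # Works for both NTAccount and already-unresolved SecurityIdentifier references.
    $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])

    try {
        $entry = [ADSI]"LDAP://<SID=$($sid.Value)>"
        # Reading a property forces the bind; a SID not present in AD throws here.
        # objectClass lists the class chain (top, ..., user/group); the last entry is the specific one.
        $objectClass = @($entry.objectClass)[-1]
    } catch {
        return [PSCustomObject]@{
            Identity = $Identity.Value
            SID      = $sid.Value
            Type     = 'NotInAD'
            Members  = @()
        }
    }

    $members = @()
    if ($objectClass -eq 'group') {
        # 'member' holds distinguished names; bind to each to get a readable account name.
        foreach ($dn in @($entry.member | Where-Object { $_ })) {
            $m = [ADSI]"LDAP://$dn"
            $members += [string]$m.sAMAccountName
        }
    }

    [PSCustomObject]@{
        Identity = $Identity.Value
        SID      = $sid.Value
        Type     = $objectClass
        Members  = $members
    }
}

# Usage (hypothetical path): resolve every distinct identity that appears in an ACL.
# (Get-Acl -LiteralPath 'C:\Data\Reports').Access |
#     ForEach-Object { Resolve-AceIdentity -Identity $_.IdentityReference } |
#     Sort-Object SID -Unique
```

Only direct members are listed; nested groups come back as member names of type group, so a full expansion needs to recurse into those, which is where the permission-conflict check above starts to need care about which group path an account inherits a Deny from.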

This is all I had to say about CQURE’s Day 2 Challenge.