Question

How to get a grip on NTFS permissions

By reinier

I'm working on a new tool to display NTFS permissions for a single user/group or for a whole group of users. It shows an aggregated view of effective NTFS permissions and it lets you 'zoom in' to see where the permissions come from (via what group membership or parent folder).

Now I'm wondering how you guys manage your NTFS permissions and if a new tool may help you validate your access control design. By validate I mean that you might have a policy or good practice for your AD groups/users and NTFS permissions and that you want to validate whether your policy is actually implemented that way.

For example, you have a policy that all freelancers are placed in a group called "External" and this group is not allowed to read anything in the folder \\data\HR and may only modify data in \\data\projects\external. Now you want to validate whether that is actually the case. Even more challenging, you want to validate that none of the users in the group External can read in the HR folder (by implicit group membership or explicit user permissions).

Now I have two questions. First, do you use any tools for this, or do you not consider this to be a problem? Second, may a new tool help you in this process in order to get a grip on all the NTFS permissions in your network?

Most of the tools I know of can only dump the ACL information in a file, or they can filter on a member without including group membership. All of them scan the whole directory tree every time you want to apply a new filter, which may take ages to complete. And again, they don't show effective permissions with the ability to trace where permissions come from, so that you can solve a possible security flaw.

This new tool I'm writing is ready for beta testing; send me a message if you're interested in trying the tool. Documentation is still in progress, but the tool will take you through some first-use steps. See the following screenshots for a quick impression:

https://dl.dropboxusercontent.com/u/57634515/Scan_folders_and_LDAP.png
https://dl.dropboxusercontent.com/u/57634515/Filters.png
https://dl.dropboxusercontent.com/u/57634515/View_permissions.png
https://dl.dropboxusercontent.com/u/57634515/Trace_permissions.png
https://dl.dropboxusercontent.com/u/57634515/Reports.png
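
The policy check described in the post (no member of External may read \\data\HR, with a trace of where a grant comes from) can be sketched over a one-time scan snapshot. This is an added example, not the poster's tool or its code: the users, the groups ProjectX and HR-Readers, and the ACEs are constructed sample data, and the model is simplified to one right per ACE and to the canonical explicit-before-inherited ordering.

```python
from collections import deque

# Constructed snapshot of one scan: direct memberships and per-folder ACEs.
MEMBER_OF = {
    "alice": ["External"],
    "bob": ["External", "ProjectX"],
    "carol": ["External"],
    "ProjectX": ["HR-Readers"],  # nested group, easy to miss by hand
}
# ACE = (principal, "allow" | "deny", right, inherited?)
ACLS = {
    r"\\data\HR": [
        ("HR-Readers", "allow", "read", False),
        ("carol", "allow", "read", True),
        ("External", "deny", "read", True),
    ],
}

def membership_paths(user):
    """Map every direct or nested group of `user` to the chain leading to it."""
    paths, queue = {user: [user]}, deque([user])
    while queue:
        node = queue.popleft()
        for group in MEMBER_OF.get(node, []):
            if group not in paths:  # also guards against circular nesting
                paths[group] = paths[node] + [group]
                queue.append(group)
    return paths

def trace(user, folder, right):
    """Return (granted, membership chain, deciding ACE) for one right."""
    paths = membership_paths(user)
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    ordered = sorted(ACLS[folder], key=lambda ace: (ace[3], ace[1] != "deny"))
    for ace in ordered:
        if ace[0] in paths and ace[2] == right:
            return ace[1] == "allow", paths[ace[0]], ace
    return False, [], None  # no matching ACE means no access

def policy_violations(group, folder, right):
    """Users in `group` (directly or nested) who still hold `right` on `folder`."""
    all_groups = {g for groups in MEMBER_OF.values() for g in groups}
    found = {}
    for user in (p for p in MEMBER_OF if p not in all_groups):
        granted, chain, ace = trace(user, folder, right)
        if granted and group in membership_paths(user):
            found[user] = (chain, ace)
    return found

if __name__ == "__main__":
    for user, (chain, ace) in policy_violations("External", r"\\data\HR", "read").items():
        print(user, "can read via", " -> ".join(chain), "because of", ace)
```

In this sample the inherited deny on External stops alice and carol, but bob is still reported: the explicit allow for HR-Readers is evaluated before the inherited deny, and bob reaches HR-Readers through ProjectX.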

This conversation is currently closed to new comments.
