Checking ACL's on 60000 Folders - Advice needed

Posted by Dominick on February 14, 2006, 4:48 pm
Hey guys;

I need some advice on how I can check ACL permissions on 60000 Folders on a
network.

It seems the old admin added (2) domain groups he wasn't supposed to, to the
Main folders, and it inherited the 2 domain groups into all the subfolders.
(Leaving things wide open)

Instead of me checking each folder's ACL permissions 1 folder at a time, is
there an easier way?

They ran xcacls, but it's not giving an accurate reading; it's showing the
LIST permission as a READ permission.

Open to all advice. Thanks in Advance.

Posted by Roger Abell [MVP] on February 14, 2006, 8:33 pm
There are various third-party tools that can provide reports,
such as dumpsec. However for that volume of folders the
reports will be laborious to dig through.
What I would do in your circumstance is see if it is more
direct to define what is supposed to be the ACLing over
the folders. If possible perhaps introduce some restructuring
at the same time to simplify / minimize that amount of variance.
Then, I would define a security template that states what should
be the ACLing. This template I would NOT import into any
GPO but instead would use to analyze against the template or
to (re)apply the ACLing when needed/desired.

> Hey guys;
>
> I need some advice on how I can check ACL permissions on 60000 Folders on
> a network.
>
> It seems the old admin added (2) domain groups he wasn't supposed to, to
> the Main folders, and it inherited the 2 domain groups into all the
> subfolders.
> (Leaving things wide open)
>
> Instead of me checking each folder's ACL permissions 1 folder at a time, is
> there an easier way?
>
> They ran xcacls, but it's not giving an accurate reading; it's showing the
> LIST permission as a READ permission.
>
> Open to all advice. Thanks in Advance.



Posted by Michael Bednarek on February 15, 2006, 5:22 am
On Tue, 14 Feb 2006 13:48:29 -0800, Dominick wrote in
microsoft.public.security:

>I need some advice on how I can check ACL permissions on 60000 Folders on a
>network.
[snip]

In similar situations, albeit not with 60,000 directories, I used
AccessEnum from Sysinternals. YMMV.

--
Michael Bednarek http://mbednarek.com/ "POST NO BILLS"

Posted by Gerry Hickman on February 15, 2006, 4:26 pm
Hi,

First thing to do is find out if they are inherited or not. If they are
inherited, you may only need to change two folders at the top of the
tree and the job's done.

You can quickly see if they're inherited by picking a file in a
sub/sub/sub folder and see if it shows tick boxes as lit up or grayed out.

Dominick wrote:
> Hey guys;
>
> I need some advice on how I can check ACL permissions on 60000 Folders on a
> network.
>
> It seems the old admin added (2) domain groups he wasn't supposed to, to the
> Main folders, and it inherited the 2 domain groups into all the subfolders.
> (Leaving things wide open)
>
> Instead of me checking each folder's ACL permissions 1 folder at a time, is
> there an easier way?
>
> They ran xcacls, but it's not giving an accurate reading; it's showing the
> LIST permission as a READ permission.
>
> Open to all advice. Thanks in Advance.


--
Gerry Hickman (London UK)
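
The inheritance check suggested above can be scripted across the whole tree. The following is an added example, not code posted by anyone in this thread; it assumes PowerShell 3.0 or later, and the share path, group names and output file name are placeholders to replace with your own.

```powershell
# Assumed values: replace with the share root and the two groups in question.
$Root   = '\\SERVER\Share'                     # placeholder path
$Groups = 'DOMAIN\GroupA', 'DOMAIN\GroupB'     # placeholder group names

function Get-GroupAce {
    # Emits one record per ACE on $Path whose trustee is in $Identity.
    param([string]$Path, [string[]]$Identity)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Unreadable folders are reported, not silently skipped.
        Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"
        return
    }
    foreach ($ace in $acl.Access) {
        if ($Identity -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path        = $Path
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                IsInherited = $ace.IsInherited
                # ContainerInherit alone is what the GUI calls
                # "List Folder Contents"; ContainerInherit + ObjectInherit
                # with the same rights is "Read & Execute".
                Inheritance = $ace.InheritanceFlags
                Propagation = $ace.PropagationFlags
            }
        }
    }
}

# The root itself plus every subfolder beneath it.
$folders = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse `
                -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

$report = foreach ($folder in $folders) {
    Get-GroupAce -Path $folder -Identity $Groups
}

# Explicit (non-inherited) entries mark the folders where a group was
# actually added; these are the only ACLs that need editing.
$report | Where-Object { -not $_.IsInherited } |
    Sort-Object Path | Format-Table Path, Identity, Rights, Inheritance -AutoSize

# Full listing, inherited entries included, for later review.
$report | Export-Csv -Path .\group-ace-report.csv -NoTypeInformation
```

If the first table lists only the top-level folders, every other entry in the CSV is inherited and will disappear once the groups are removed at those folders.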
