Where on a Domain is an ACL Applied?

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

My Security guys tell me this can't be done and I just don't believe them.
I've got an ACL on a Windows 2000 Domain and I'd like to know all the objects
on the domain that this ACL has been applied. Really I'm looking for what
Directories/Shares does this ACL have permissions?

Are my Security guys correct?

Martin
 
Guest

There is no magic button to push on a domain controller that will give you that
information. There are third party tools that may be able to help. For instance
ShareEnum can scan network computer shares for permissions which may help and it is
free. There are other network scanners that may not be free that can do a lot more.
LanGuard can scan the network with lots of options and they have a free trial full
function download you can try. -- Steve

http://www.sysinternals.com/ntw2k/source/shareenum.shtml
http://www.gfi.com/lannetscan/

"Martin Kelly" <Martin Kelly@discussions.microsoft.com> wrote in message
news:1AF32C47-9A33-424C-86D9-6AB15868AD05@microsoft.com...
> My Security guys tell me this can't be done and I just don't believe them.
> I've got an ACL on a Windows 2000 Domain and I'd like to know all the objects
> on the domain that this ACL has been applied. Really I'm looking for what
> Directories/Shares does this ACL have permissions?
>
> Are my Security guys correct?
>
> Martin
 
Guest

First off you need to understand your terms.

An ACL is a security structure that contains ownership information as well as
auditing information as well as permissioning information. I do not believe
there is a tool in existence that will check for duplicate ACL across all
securable resources in a network.

Most likely you are looking for where a given security principal has been added
to an ACL to grant access. Security principals are added to ACEs which are in
the permission section of an ACL.

Even checking all securable resources for a specific security principal is
rather difficult. Too difficult, and luckily MS has realized this and is working
towards a better future, but that is in the future. Right now, something would
need to scan the ACL of every securable resource looking for that ACE. This is
non-trivial. Breaking it down to specific securable resources such as
Directories and shares makes it easier but doesn't make it easy as every object
(i.e. every file, every directory, every share) still has to be scanned for the
security principal.

There are third party tools out there that claim to do this, you can also invest
time in writing scripts to do so. For most people, the answer is generally no,
this can't be done but it is strictly a feasibility issue, not actually
technically impossible. It comes down to how much money do you want to spend to
get the answer.

This is all countered by having extremely strong standards for securing objects
and severely punishing deviations from that standard when found.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Martin Kelly wrote:
> My Security guys tell me this can't be done and I just don't believe them.
> I've got an ACL on a Windows 2000 Domain and I'd like to know all the objects
> on the domain that this ACL has been applied. Really I'm looking for what
> Directories/Shares does this ACL have permissions?
>
> Are my Security guys correct?
>
> Martin
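The scan Joe describes (walk every securable resource and look for an ACE naming one security principal) is the kind of script he says you can invest time in writing. The following is an added example, not code from this thread or from joeware; it assumes it is run elevated on each file server in turn (there is no domain-wide index to query), PowerShell 3 or later, and the SmbShare module (Windows 8 / Server 2012 and later) for share-level permissions. The parameter names, the default root `C:\Shares` and the sample principal `CONTOSO\FileAdmins` are illustrative.

```powershell
# Added example (not from the thread): list directories and SMB shares on this host
# whose DACL contains an ACE for a given security principal.
# Assumed: run elevated on the file server; PowerShell 3+; SmbShare module for shares.
param(
    [Parameter(Mandatory)][string]$Principal,   # e.g. 'CONTOSO\FileAdmins' (illustrative)
    [string[]]$Roots = @('C:\Shares'),          # directory trees to walk (illustrative default)
    [switch]$IncludeInherited                   # default: report explicit ACEs only
)

$results = New-Object System.Collections.Generic.List[object]

function Test-Principal([string]$Identity, [string]$Wanted) {
    # Case-insensitive match; also accept the bare account name so that
    # 'FileAdmins' matches 'CONTOSO\FileAdmins'.
    ($Identity -ieq $Wanted) -or ($Identity.Split('\')[-1] -ieq $Wanted.Split('\')[-1])
}

# 1. NTFS directories: every directory object has its own DACL, so each one is read.
foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        try { $acl = Get-Acl -LiteralPath $_.FullName } catch { return }   # e.g. access denied
        foreach ($ace in $acl.Access) {
            if (-not $IncludeInherited -and $ace.IsInherited) { continue }
            if (Test-Principal $ace.IdentityReference.Value $Principal) {
                $results.Add([pscustomobject]@{
                    Type      = 'Directory'
                    Path      = $_.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Access    = $ace.AccessControlType.ToString()
                    Inherited = $ace.IsInherited
                })
            }
        }
      }
}

# 2. SMB shares: the share-level DACL is separate from the NTFS DACL of the shared folder.
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
          Where-Object { Test-Principal $_.AccountName $Principal } |
          ForEach-Object {
            $results.Add([pscustomobject]@{
                Type      = 'Share'
                Path      = "\\$env:COMPUTERNAME\$($_.Name)"
                Principal = $_.AccountName
                Rights    = $_.AccessRight.ToString()
                Access    = $_.AccessControlType.ToString()
                Inherited = $false
            })
          }
    }
}

$results | Sort-Object Type, Path | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind when reading the output. First, the script matches the principal named in the ACE literally; if the user only reaches a folder through membership in a group, the group is what appears in the ACE, so you have to run the scan once per group you care about. Second, a hit on a share and a hit on the directory behind it are two different ACLs, and the effective access is the more restrictive of the two, which is exactly the "different tools for different kinds of objects" point made elsewhere in this thread.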
 
Guest

"Martin Kelly" <Martin Kelly@discussions.microsoft.com> wrote in message
news:1AF32C47-9A33-424C-86D9-6AB15868AD05@microsoft.com...
> My Security guys tell me this can't be done and I just don't believe them.
> I've got an ACL on a Windows 2000 Domain and I'd like to know all the objects
> on the domain that this ACL has been applied. Really I'm looking for what
> Directories/Shares does this ACL have permissions?
>
> Are my Security guys correct?

Probably. Checking ACLs is not easy and usually requires third party tools
plus admin privileges, and you get a lot of data. You also need different
tools to check different kinds of objects.

As far as I know, you can't just apply an ACL to a domain. ACLs are applied
to each object, file, file share, etc. Different objects get different
kinds of ACLs depending on what kinds of actions you can perform against
that object, so there is no such thing as one universal ACL. You also need
to use many different tools to apply ACLs depending on what object you want
to apply the ACLs onto, what server the object is on, etc. To check the
ACLs, you have to check the ACLs for every file, file share, etc. You first
need to determine what and where you want to check for ACLs, e.g. what
folder, file, file share, web page, database table, server OS permissions
like backup and reboot, etc.

So you first need to know and be able to answer the question, are you
checking files on a particular server? etc.