Security is controlled, in NTFS based file systems, on just a few key concepts. Two of the main concepts are: ACEs (access control entry) and ACLs (access control list). An ACE is a structure applied to an object indicated a specific right required by the object to be accessed. An ACL is a composite list of ACEs used to indicate the full permissions required/applied to an object. In short, an ACE belongs to an ACL; conversely, an ACL is composed of ACEs.
ACLs come in two flavors: 1) DACL (discretionary access control list) and SACL (system access control list). Keith Brown gives a great description of the two structures, in The .NET Developers Guide to Windows Security,
The discretionary access control list (DACL) contains a list of permissions granted or denied to various users and groups. The reason its called "discretionary" is that the owner of the object is always allowed to control its contents. Contrast this to the system access control list (SACL), over which the owner has no special control. In fact, the owner of an object isnt even allowed to read it. The SCAL is designed for use by security officers, and it specifies what actions will be audited by the system. I like to think of the SACL as the "Big Brother" bits.In usage, SACLs are great for tracking who accesses a file. They provide a way to keep track of who works with a given object. One thing to note is that ACLs are not stored in the object, but, rather in the $MFT (master file table). For example, using Access Datas FTK Imager, you can see, below, two permission sets: 1) Take ownership and 2) Full permission.
Full permissions - explorer properties
Full permissions - FTK Imager ($MFT) view
Take ownership - explorer properties
Take ownership - FTK Imager ($MFT) view
When you start working with PowerShell, the Access Masks are displayed in terms of .NET enumerations. Below is a quick example to create a new file and return the SACL (Audit) permissions of the file listed above.
When I run this I get the following output in PowerShell:# Start afreshClear-Host# Create new directory if it doesnt already existif(!(Test-Path ($path = C: est))){md $path}# Pipe dir contents to test.logdir C: > ($file = "$path est.log")# Get ACL information for new fileGet-Acl $file -Audit | select *
What is important to note here is the Sddl values. For more information on SDDL, check out this link:PSPath : Microsoft.PowerShell.CoreFileSystem::C: est est.logPSParentPath : Microsoft.PowerShell.CoreFileSystem::C: estPSChildName : test.logPSDrive : CPSProvider : Microsoft.PowerShell.CoreFileSystemAudit : {}AccessToString : BUILTINAdministrators Allow FullControlNT AUTHORITYSYSTEM Allow FullControlBUILTINUsers Allow ReadAndExecute, SynchronizeNT AUTHORITYAuthenticated Users Allow Modify, SynchronizeAuditToString :Path : Microsoft.PowerShell.CoreFileSystem::C: est est.logOwner : BUILTINAdministratorsGroup : DOMAINDomain UsersAccess : {System.Security.AccessControl.FileSystemAccessRule, System.Security.Ac cessControl.FileSystemAccessRule, System.Security.AccessControl.FileSys temAccessRule, System.Security.AccessControl.FileSystemAccessRule}Sddl : O:BAG:DUD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)S:AI(AU;SA;WO;;;S-1-5-21-1234567890-1234567890 -1234567890 -1000)AccessRightType : System.Security.AccessControl.FileSystemRightsAccessRuleType : System.Security.AccessControl.FileSystemAccessRuleAuditRuleType : System.Security.AccessControl.FileSystemAuditRuleAreAccessRulesProtected : FalseAreAuditRulesProtected : FalseAreAccessRulesCanonical : TrueAreAuditRulesCanonical : True
Understanding SDDL SyntaxAs I start playing around with Get-Acl and the various options I wanted to know what all was available to work with, so, I did a Get-Member:
Theres quite a bit to work with, so, I decide to try and map out some options in order to figure out how to manually create a SACL. This link helps me get a few starting steps:Get-Acl C: est est.log |Get-Member |ft name,membertype -AutoSizeName MemberType---- ----------Access CodePropertyGroup CodePropertyOwner CodePropertyPath CodePropertySddl CodePropertyAccessRuleFactory MethodAddAccessRule MethodAddAuditRule MethodAuditRuleFactory MethodEquals MethodGetAccessRules MethodGetAuditRules MethodGetGroup MethodGetHashCode MethodGetOwner MethodGetSecurityDescriptorBinaryForm MethodGetSecurityDescriptorSddlForm MethodGetType MethodModifyAccessRule MethodModifyAuditRule MethodPurgeAccessRules MethodPurgeAuditRules MethodRemoveAccessRule MethodRemoveAccessRuleAll MethodRemoveAccessRuleSpecific MethodRemoveAuditRule MethodRemoveAuditRuleAll MethodRemoveAuditRuleSpecific MethodResetAccessRule MethodSetAccessRule MethodSetAccessRuleProtection MethodSetAuditRule MethodSetAuditRuleProtection MethodSetGroup MethodSetOwner MethodSetSecurityDescriptorBinaryForm MethodSetSecurityDescriptorSddlForm MethodToString MethodPSChildName NotePropertyPSDrive NotePropertyPSParentPath NotePropertyPSPath NotePropertyPSProvider NotePropertyAccessRightType PropertyAccessRuleType PropertyAreAccessRulesCanonical PropertyAreAccessRulesProtected PropertyAreAuditRulesCanonical PropertyAreAuditRulesProtected PropertyAuditRuleType PropertyAccessToString ScriptPropertyAuditToString ScriptProperty
How to Handle NTFS Folder Permissions, Security Descriptors and ACLs in PowerShellTo get a more explicit breakdown of what I am working with currently, I run this command:
get-acl
0 comments:
Post a Comment