PowerShell v3 Adding SACL Auditing to a File

Security in Windows can be a pretty large, complex subject, particularly from a developer's perspective. A few years ago I started exploring security and found some great resources. However, when I recently went to figure out how to add a SACL to a file for monitoring, I came up short. So, the post below is an exploration of just what SACLs are and how to add them in Windows.

Security in NTFS-based file systems is controlled by just a few key concepts. Two of the main ones are ACEs (access control entries) and ACLs (access control lists). An ACE is a structure applied to an object that indicates a specific right governing how that object may be accessed. An ACL is the composite list of ACEs that expresses the full set of permissions applied to an object. In short, an ACE belongs to an ACL; conversely, an ACL is composed of ACEs.

ACLs come in two flavors: 1) the DACL (discretionary access control list) and 2) the SACL (system access control list). Keith Brown gives a great description of the two structures in The .NET Developer's Guide to Windows Security:
The discretionary access control list (DACL) contains a list of permissions granted or denied to various users and groups. The reason it's called "discretionary" is that the owner of the object is always allowed to control its contents. Contrast this to the system access control list (SACL), over which the owner has no special control. In fact, the owner of an object isn't even allowed to read it. The SACL is designed for use by security officers, and it specifies what actions will be audited by the system. I like to think of the SACL as the "Big Brother" bits.
In usage, SACLs are great for tracking who accesses a file. They provide a way to keep track of who works with a given object. One thing to note is that ACLs are not stored in the object itself but rather in the $MFT (master file table). For example, using AccessData's FTK Imager, you can see below two permission sets: 1) Take ownership and 2) Full permission.

[Figure: Full permissions - explorer properties]

[Figure: Full permissions - FTK Imager ($MFT) view]

[Figure: Take ownership - explorer properties]

[Figure: Take ownership - FTK Imager ($MFT) view]

When you start working with PowerShell, the access masks are displayed in terms of .NET enumerations. Below is a quick example that creates a new file and returns the SACL (audit) permissions of the file listed above.
# Start afresh
Clear-Host

# Create the test directory if it doesn't already exist
# (the assignment inside the parentheses also returns the value)
if (!(Test-Path ($path = 'C:\test')))
{
    md $path
}

# Redirect a directory listing into C:\test\test.log to create the file
dir C:\ > ($file = "$path\test.log")

# Get ACL information for the new file; -Audit is required for Get-Acl to read the SACL
# (reading a SACL needs SeSecurityPrivilege, so run from an elevated prompt)
Get-Acl $file -Audit | select *
When I run this I get the following output in PowerShell:
PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\test\test.log
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\test
PSChildName             : test.log
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
Audit                   : {}
AccessToString          : BUILTIN\Administrators Allow  FullControl
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Users Allow  ReadAndExecute, Synchronize
                          NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
AuditToString           :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\test\test.log
Owner                   : BUILTIN\Administrators
Group                   : DOMAIN\Domain Users
Access                  : {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}
Sddl                    : O:BAG:DUD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)S:AI(AU;SA;WO;;;S-1-5-21-1234567890-1234567890 -1234567890 -1000)
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
What is important to note here is the Sddl value: the D: section holds the DACL and the S: section holds the SACL, so the audit entries live after S:. For more information on SDDL, check out this link:
Understanding SDDL Syntax
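To see what the S: section above actually says without touching a file, here is an added example (not from the original post) that parses an SDDL string with the .NET RawSecurityDescriptor class and decodes each SACL entry. The SDDL string, including its SID, is a constructed placeholder modelled on the output above.

```powershell
# Added example (not from the original post): decode the SACL (S:) section of an SDDL string.
# Constructed sample string; the SID is a placeholder, not a real account.
$sddl = 'O:BAG:DUD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)S:AI(AU;SA;WO;;;S-1-5-21-1234567890-1234567890-1234567890-1000)'

# RawSecurityDescriptor parses SDDL in memory; no file access or privilege is required.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# $sd.SystemAcl is the SACL; each entry is a CommonAce with AuditFlags, AccessMask and SID.
foreach ($ace in $sd.SystemAcl) {
    # The access mask is a plain integer; cast it to FileSystemRights for readable names
    # (WO = 0x80000 shows up as TakeOwnership).
    $rights = [System.Security.AccessControl.FileSystemRights]$ace.AccessMask

    # Try to resolve the SID to an account; unresolvable (placeholder) SIDs stay as SIDs.
    $who = $ace.SecurityIdentifier.Value
    try {
        $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    [pscustomobject]@{
        Trustee   = $who
        Audit     = $ace.AuditFlags      # SA = Success, FA = Failure
        Rights    = $rights
        Inherited = $ace.IsInherited     # the ID flag; AI on the SACL means auto-inherited
    }
}
```

For the sample string this yields one entry: the placeholder SID, AuditFlags Success, Rights TakeOwnership, Inherited False.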
As I started playing around with Get-Acl and the various options, I wanted to know what all was available to work with, so I did a Get-Member:
Get-Acl C:\test\test.log |
    Get-Member |
    ft Name, MemberType -AutoSize

Name                                MemberType
----                                ----------
Access                            CodeProperty
Group                             CodeProperty
Owner                             CodeProperty
Path                              CodeProperty
Sddl                              CodeProperty
AccessRuleFactory                       Method
AddAccessRule                           Method
AddAuditRule                            Method
AuditRuleFactory                        Method
Equals                                  Method
GetAccessRules                          Method
GetAuditRules                           Method
GetGroup                                Method
GetHashCode                             Method
GetOwner                                Method
GetSecurityDescriptorBinaryForm         Method
GetSecurityDescriptorSddlForm           Method
GetType                                 Method
ModifyAccessRule                        Method
ModifyAuditRule                         Method
PurgeAccessRules                        Method
PurgeAuditRules                         Method
RemoveAccessRule                        Method
RemoveAccessRuleAll                     Method
RemoveAccessRuleSpecific                Method
RemoveAuditRule                         Method
RemoveAuditRuleAll                      Method
RemoveAuditRuleSpecific                 Method
ResetAccessRule                         Method
SetAccessRule                           Method
SetAccessRuleProtection                 Method
SetAuditRule                            Method
SetAuditRuleProtection                  Method
SetGroup                                Method
SetOwner                                Method
SetSecurityDescriptorBinaryForm         Method
SetSecurityDescriptorSddlForm           Method
ToString                                Method
PSChildName                       NoteProperty
PSDrive                           NoteProperty
PSParentPath                      NoteProperty
PSPath                            NoteProperty
PSProvider                        NoteProperty
AccessRightType                       Property
AccessRuleType                        Property
AreAccessRulesCanonical               Property
AreAccessRulesProtected               Property
AreAuditRulesCanonical                Property
AreAuditRulesProtected                Property
AuditRuleType                         Property
AccessToString                  ScriptProperty
AuditToString                   ScriptProperty
There's quite a bit to work with, so I decided to try and map out some options in order to figure out how to manually create a SACL. This link helped me with a few starting steps:
How to Handle NTFS Folder Permissions, Security Descriptors and ACLs in PowerShell 
To get a more explicit breakdown of what I am working with currently, I run this command:
get-acl
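The step this post is working toward, adding a SACL audit entry to the file with the AddAuditRule method listed above and writing it back with Set-Acl, as an added example that is not the post's own code. It assumes the C:\test\test.log file created earlier and audits Everyone's successful and failed write and delete attempts.

```powershell
# Added example (not from the original post): add a SACL audit entry to the test file
# created above and read it back. Path, audited identity and rights are assumptions.
$file = 'C:\test\test.log'

# Audit rule components: who, which rights, inheritance/propagation, which outcomes
$identity = New-Object System.Security.Principal.NTAccount('Everyone')
$rights   = [System.Security.AccessControl.FileSystemRights]::Write -bor
            [System.Security.AccessControl.FileSystemRights]::Delete
$inherit  = [System.Security.AccessControl.InheritanceFlags]::None   # a file has no children
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$outcome  = [System.Security.AccessControl.AuditFlags]::Success -bor
            [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propag, $outcome)

# Get-Acl only loads the SACL with -Audit; reading or writing a SACL needs
# SeSecurityPrivilege, so run this from an elevated prompt.
$acl = Get-Acl -Path $file -Audit
$acl.AddAuditRule($rule)          # SetAuditRule would replace existing entries for the identity
Set-Acl -Path $file -AclObject $acl

# Verify: list the SACL entries, then show only the S: section of the SDDL
$check = Get-Acl -Path $file -Audit
$check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
$check.Sddl.Substring($check.Sddl.IndexOf('S:'))   # e.g. S:AI(AU;SAFA;DCDTWD;;;WD)...
```

The SACL alone produces nothing in the Security log: object access auditing for the File System subcategory must also be enabled (auditpol /set /subcategory:"File System" /success:enable /failure:enable), after which matching accesses are logged as event ID 4663.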
