PERMISSIONS: The Good, The Bad & The Ugly
SysAdmin Magazine № 51, August 2019

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

Contents
05 Privileged access management in Windows Server
09 Differences between share and NTFS permissions
12 How to manage file system ACLs with PowerShell scripts
20 Manage SharePoint permissions like a pro
25 How to: Detect users who have direct permissions on your file servers
What Is the Definition of the Principle of Least Privilege?

The principle of least privilege, or “principle of least authority,” is a security best practice that requires limiting privileges to the minimum necessary to perform the job or task. […] (POLP), provide the definition and use cases, and explain the importance of the principle. Like many other security principles and concepts, this principle is one part of a larger security strategy that aims at mitigating the risk of a security breach.

To illustrate the value of enforcing the principle of least privilege, let’s walk through a few scenarios:

▪▪ IT administrator. Suppose an organization has a primary administrator who is responsible for deploying and managing most of its Windows servers. However, some teams, such as the email team, manage their own servers. If the organization does not enforce least privilege, both the primary administrator and the email administrators might be granted administrative access to all the company’s servers, which introduces unnecessary risk. For instance, the primary admin might inadvertently make an improper change to an email server, or an email admin’s account might be hacked, which would give the attacker access to all servers in the company. With least privilege, […] helps improve security.

▪▪ […] tellers must request that designated managers get them additional cash from the vault when needed.

▪▪ Application. Some software applications need to modify particular files and folders. Without the principle of least privilege, the application might run under a service account that has administrative rights to the application servers — enabling an attacker who compromises the application to do serious damage. For stronger information security, the service account should be granted only read, write or update access to the specific files and folders the application needs to modify.
These are just a few examples of how enforcing the principle of least privilege can reduce the risk of malicious behavior and errors, and minimize the ability of malware and attackers who compromise your accounts to access the systems, data and resources in your network.

Least Privilege best practices

As you implement the principle of least privilege, keep the following best practices in mind:

▪▪ Perform periodic access reviews to ensure that the principle of least privilege is being adhered to. It is common for both standard users and administrators to change roles or change departments. What’s less common is for their user access rights to be adjusted during such a change. Employees often build up a large set of privileges, especially if they are with a company for a long time, and it’s important to remove unneeded privileges to reduce risk to your systems and data.

▪▪ Implement multi-factor authentication for IT administrative accounts. Require administrators to authenticate normally (such as with their ID and password) and then complete a second step using a different authentication mechanism (such as a hardware token or fingerprint) each time they want to perform administrative tasks.

▪▪ Log and monitor the activities of all accounts, especially privileged accounts. You need to be able to pinpoint when and how users authenticate, which tasks they perform, and the specific changes they make in the environment.
Privileged Access Management in Windows Server

Jeff Melnick
IT Security Expert, Blogger

Many organizations struggle to secure their systems because their Active Directory is already compromised. AD is usually compromised by insiders or by successful attacks on them. So how do you keep your environment protected even when a privileged account has been hacked? Microsoft Windows Server 2016 has many great features to help:

[…]plete. Best practices require assigning user rights in accordance with the principle of least privilege — each user should have the minimum rights required to do their assigned tasks. This limits the damage the account owner can do, either intentionally or accidentally, and also minimizes the reach of an attacker who gains control of an account. The best practice is to assign users rights by adding them to groups that have been assigned the appropriate permissions. You can also assign user accounts rights directly, by assigning the account the rights in Group Policy, but this is not recommended because it makes it difficult to keep track of permissions and adhere to the least-privilege principle.

Unfortunately, organizations tend to grant accounts more privileges than they need because it’s convenient — it’s easier to add an account to the local Administrators group on a computer, for instance, than it is to figure out the precise privileges that the account needs and add the user to the proper groups. Lack of communication and standard procedures also often results in failure to revoke privileges that users no longer need as they change roles within the organization. As a result, these organizations are at unnecessary risk for data loss, downtime and compliance failures.

[…] do perform specific administrative tasks without giving them full administrative privileges. For instance, they might want to enable IT operations personnel to reset user passwords but not create or delete accounts. To help, Microsoft Windows Server 2016 offers the Delegation of Control wizard, which enables you to delegate the following privileges:

▪▪ Create, delete, and manage user accounts
▪▪ Reset user passwords and force password change at next logon
▪▪ Read all user information
▪▪ Create, delete, and manage groups
▪▪ Change group membership
▪▪ Manage Group Policy links
▪▪ Generate Resultant Set of Policy (Planning)
▪▪ Generate Resultant Set of Policy (Logging)
▪▪ Create, delete, and manage inetOrgPerson accounts
▪▪ Reset inetOrgPerson passwords and force password change at next logon
Privileged Access Workstation (PAW)

Another integral part of securing an environment is to ensure that IT admins use only secure Windows servers for tasks that require administrative privileges. They should use other machines for daily tasks, such as browsing the Internet, responding to email, and opening files authored by other people, since those actions increase the risk of a host being compromised.

A Privileged Access Workstation (PAW), or secure administrative host, is a special computer that you use only for performing privileged tasks. To create a PAW, you must:

▪▪ Ensure that only authorized users can sign in to the host.
▪▪ Use Device Guard and AppLocker policies to restrict application execution to trusted applications that your organization’s employees use to perform administrative tasks.
▪▪ Enable Windows Defender Credential Guard to help protect against credential theft.
▪▪ Enable BitLocker to help protect the boot environment and the hard disk drives from tampering.
▪▪ Ensure that the PAW is blocked from accessing all external sites by the perimeter network firewall.
▪▪ Block Remote Desktop Protocol (RDP), Windows PowerShell and management console connections from any computer that is not a PAW.
▪▪ Configure sign-in restrictions for accounts that are used to perform administrative actions.

Jump servers

A jump server is a special server that users connect to using Remote Desktop when they want to perform administrative tasks. You should configure jump servers in a manner similar to Privileged Access Workstations. The difference is that instead of signing in locally, a member of the IT operations team makes a Remote Desktop connection to the jump server and then signs in to the jump server with an account that has the required administrative permissions. The drawback of jump servers is that the computer that makes the connection to a jump server might be compromised by malware because you use it to browse the Internet, read email, open files and so on. In highly secure environments, you can use jump servers in conjunction with Privileged Access Workstations.

Just Enough Administration (JEA)

Just Enough Administration is a new administrative technology that enables you to apply role-based access control (RBAC) principles through Windows PowerShell remote sessions. Instead of assigning users general roles that grant them more permissions than they need to do their jobs, you can use JEA to configure special Windows PowerShell endpoints that provide the functionality necessary to perform a specific task: an authorized user can connect to the endpoint and use a specific set of Windows PowerShell cmdlets, parameters and parameter values. The tasks are performed by a privileged virtual account, rather than the user’s account.

The advantages of this approach include the following:

▪▪ The user’s credentials are not stored on the remote system.
▪▪ The user account used to connect to the endpoint does not need to be privileged.
▪▪ The virtual account is limited to the system on which it is hosted.
▪▪ The virtual account has local administrator privileges but is limited to performing only the activities defined by JEA.
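The JEA setup described above, as an added example (not the magazine's or Microsoft's own code): an endpoint that lets help-desk staff reset passwords and unlock accounts but not create or delete them, which is the delegation scenario the previous page used. The group CONTOSO\HelpDesk, the module name HelpDeskJea, the folder C:\JEA and the endpoint name HelpDesk are assumptions.

```powershell
# Added example, not the magazine's or Microsoft's own code. Run elevated on the
# server that will host the endpoint; the RSAT ActiveDirectory module must be
# installed there. CONTOSO\HelpDesk, HelpDeskJea, C:\JEA and HelpDesk are assumed.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJea'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -Path $rcDir, 'C:\JEA\Transcripts' -ItemType Directory -Force | Out-Null

# 1. Role capability: the only cmdlets, and the only parameters of each, that the
#    role can run. Nothing here exposes New-ADUser or Remove-ADUser, so the role
#    cannot create or delete accounts whatever it types at the prompt.
$rcParams = @{
    Path            = Join-Path $rcDir 'PasswordReset.psrc'
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        @{ Name = 'Get-ADUser';            Parameters = @{ Name = 'Identity' }, @{ Name = 'Properties' } },
        @{ Name = 'Unlock-ADAccount';      Parameters = @{ Name = 'Identity' } },
        @{ Name = 'Set-ADAccountPassword'; Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
    )
}
New-PSRoleCapabilityFile @rcParams

# 2. Session configuration. RestrictedRemoteServer hides every command not listed in
#    a role, RunAsVirtualAccount runs the commands under a temporary local
#    Administrator identity instead of the caller's credentials (so nothing of the
#    caller's is cached on the host), and every session is transcribed for review.
$pscParams = @{
    Path                = 'C:\JEA\HelpDesk.pssc'
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEA\Transcripts'   # restrict NTFS rights on this folder to auditors
    RoleDefinitions     = @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'PasswordReset' } }
}
New-PSSessionConfigurationFile @pscParams

# 3. Validate, then register. Members of CONTOSO\HelpDesk connect with
#    Enter-PSSession -ComputerName <host> -ConfigurationName HelpDesk and see only
#    the three cmdlets above. Because the virtual account reaches AD as the host's
#    computer account, that computer account (not the help-desk users) must be
#    delegated the Reset Password right on the target OU.
if (Test-PSSessionConfigurationFile -Path $pscParams.Path) {
    Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pscParams.Path -Force | Out-Null
}
```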
Securing domain controllers

Domain controllers are one of the most valuable targets on a network; an attacker who compromises a DC has control of all domain identities. To secure your DCs, consider taking the following steps:

▪▪ Ensure that all domain controllers run the most recent version of the Windows Server operating system and have current security updates.
▪▪ Use the Group Policy assigned to the Domain Controllers OU to ensure that RDP connections can be made only from jump servers and Privileged Access Workstations.
▪▪ Configure the perimeter firewall to block outbound connections from domain controllers to the internet.

[…]
▪▪ Locked-down accounts. Standard user accounts in the ESAE forest can be configured as highly privileged in the production forest.
▪▪ Selective authentication. Accounts in the ESAE forest can sign in only to specific hosts in the production forest.
▪▪ Simple way to improve security. Because privileged administrative accounts are hosted in a separate forest, it is easy to apply more stringent security require-
You can use MIM to manage:

• Users
• Credentials
• Policies
• Access
• Certificates
• Privileged identities

MIM offers the following functionality:

• Self-service password reset. Users can reset their own forgotten passwords after they answer questions to verify their identity.
• Self-service account lockout remediation. Users can unlock their accounts by answering questions to verify their identity.
• Manage the lifecycle of smart cards and certificates. MIM provides tools for managing smart cards and certificates, including certificate provisioning and renewal.
• Role management and assignment. MIM helps you manage RBAC functionality.
• Password synchronization across directories. You can synchronize passwords to other directories, including Azure Active Directory (Azure AD).
• Privileged account management (PAM). Admins can be assigned privileges on a temporary, rather than permanent, basis.
• Analytics and compliance reporting. You can analyze and report on all activity that MIM 2016.

[…] for the account owner to accidentally or deliberately misuse the elevated privileges. JIT is implemented by granting the user temporary membership in a security group that has the required privileges.

When properly implemented, this approach can provide the following security improvements:

• All accounts that the IT Operations team uses are standard user accounts.
• All requests for privileges are logged.
• Privileges are temporary.
• Once privileges are granted, a user must establish a new session (either by opening a new Windows PowerShell session or by signing out and signing in again) in order to leverage the new temporary group memberships and the associated permissions.
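The temporary group membership behind the JIT approach above, as an added example (not the magazine's own code): Windows Server 2016 Active Directory's Privileged Access Management optional feature puts a time-to-live on a membership link so the directory removes the member itself when it expires. The group, user and log path are assumptions; the ActiveDirectory module is required, and enabling the feature needs Enterprise Admin rights and cannot be undone.

```powershell
# Added example, not the magazine's own code. Assumes the ActiveDirectory module,
# an assumed group 'ServerAdmins', user 'j.carter' and log file C:\JEA\jit-requests.log.

Import-Module ActiveDirectory

$JitLog = 'C:\JEA\jit-requests.log'   # assumed location; keep it where operators cannot edit it

function Enable-PamFeature {
    # Turns on time-to-live (TTL) group links for the whole forest. One-time, irreversible.
    $feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
    if (-not $feature.EnabledScopes) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target (Get-ADForest).RootDomain -Confirm:$false
    }
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [ValidateRange(1, 8)][int]$Hours = 1
    )
    $ttl = New-TimeSpan -Hours $Hours
    # The TTL lives on the membership link: AD drops the member when it expires, and
    # Kerberos tickets issued meanwhile are bounded by the remaining TTL. The user
    # still needs a new session (or a fresh logon) for the group to take effect.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
    # Every grant is logged: who granted what to whom, and when it lapses.
    $line = '{0:u} {1} granted {2} membership of {3} until {4:u}' -f (Get-Date), $env:USERNAME,
            $User, $Group, (Get-Date).Add($ttl)
    Add-Content -Path $JitLog -Value $line
}

function Get-TemporaryMembers {
    # Lists members whose link carries a TTL; permanent members are left out.
    param([Parameter(Mandatory)][string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        # Expiring links are returned as "<TTL=seconds>,<distinguished name>".
        if ($entry -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsRemaining = [int]$Matches[1] }
        }
    }
}

# Typical use: one hour in the server admins group, then a review of what is live.
# Enable-PamFeature
# Grant-TemporaryMembership -Group 'ServerAdmins' -User 'j.carter' -Hours 1
# Get-TemporaryMembers -Group 'ServerAdmins'
```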
Differences Between Share and NTFS Permissions

Adam Stetson
Systems Engineer, Security Expert

NTFS and share permissions are both often used in Microsoft Windows environments. While share and NTFS permissions both serve the same purpose — preventing unauthorized access — there are important differences to understand before you determine how to best perform a task like sharing a folder. Here are the key differences between share and NTFS permissions, along with some recommendations for when and how to use each of them.

What Are NTFS Permissions?

NTFS (New Technology File System) is the standard file system for Microsoft Windows NT and later operating systems; NTFS permissions are used to manage access to data stored in NTFS file systems. The main advantages of NTFS permissions are that they affect both local users and network users and that they are based on the permissions granted to an individual user at the Windows logon, regardless of where the user is connecting from.

There are both basic and advanced NTFS permissions. You can set each of the permissions to “Allow” or “Deny” to control access to NTFS objects. Here are the basic types of access permissions:

▪▪ Full Control — Users can add, modify, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
▪▪ Modify — Users can view and modify files and file properties, including adding files to or deleting files from a directory, or file properties to or from a file.
▪▪ Read & Execute — Users can run executable files, including scripts.
▪▪ Read — Users can view files, file properties and directories.
▪▪ Write — Users can write to a file and add files to directories.

What Are Share Permissions?

Share permissions manage access to folders shared over a network; they don’t apply to users who log on locally. Share permissions apply to all files and folders in the share; you cannot granularly control access to subfolders or objects on a share. You can specify the number of users who are allowed to access the shared folder. Share permissions can be used with NTFS, FAT and FAT32 file systems.

There are three types of share permissions: Full Control, Change and Read. You can set each of them to “Deny” or “Allow” to control access to shared folders or drives:

▪▪ Read — Users can view file and subfolder names, read data in files, and run programs. By default, the “Everyone” group is assigned “Read” permissions.
▪▪ Change — Users can do everything allowed by the “Read” permission, as well as add files and subfolders, change data in files, and delete subfolders and files. This permission is not assigned by default.
[…] folder individually.

[…] real time, as well as facilitate regular attestation for all user permissions.
How to Manage File System ACLs with PowerShell Scripts

Jeff Melnick
IT Security Expert, Blogger

Many organizations with a Microsoft Windows environment rely on NTFS as the main file system for their storage devices that contain sensitive data. It is the easiest way for users to work with files. In order to implement a least-privilege model, which is a best practice for system security, IT security specialists and system administrators configure NTFS access control lists (ACLs) by adding access control entries (ACEs) on NTFS file servers.

[…] can set each of the permissions to “Allow” or “Deny”. Here are the basic permissions:

▪▪ Full Control: Users can modify, add, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
▪▪ Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
▪▪ Read & Execute: Users can run executable files, including scripts.
▪▪ Read: Users can view files, file properties and directories.
▪▪ Write: Users can write to a file and add files to directories.
▪▪ List Folder/Read Data: Users can view a list of files and subfolders within the folder as well as the content of the files.
▪▪ Read Attributes: Users can view the attributes of a file or folder, such as whether it is read-only or hidden.
▪▪ Write Attributes: Users can change the attributes of a file or folder.
▪▪ Read Extended Attributes: Users can view the extended attributes of a file or folder, such as permissions and creation and modification times.
▪▪ Write Extended Attributes: Users can change the extended attributes of a file or folder.
[…]isting content. (This permission applies to files only.)
▪▪ Create Folders/Append Data: The “Create Folders” permission allows users to create folders within a folder. (This permission applies to folders only.) The “Append Data” permission allows users to make changes to the end of the file, but they can’t change, delete or overwrite existing data. (This permission applies to files only.)
▪▪ Delete: Users can delete the file or folder. (If users don’t have the “Delete” permission on a file or folder, they can still delete it if they have the “Delete Subfolders And Files” permission on the parent folder.)
▪▪ Read Permissions: Users can read the permissions of a file or folder, such as “Full Control”, “Read”, and “Write”.
▪▪ Change Permissions: Users can change the permissions of a file or folder.
▪▪ Take Ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
▪▪ Synchronize: Users can use the object for synchronization. This enables a thread to wait until the object is in the signaled state. This right is not presented in ACL Editor. You can read more about it here.

You can find all these user permissions by running the following PowerShell script:

    [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])

NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are configured individually, while inherited permissions are inherited from the parent folder. The hierarchy for permissions is as follows:

▪▪ Explicit Deny
▪▪ Explicit Allow
▪▪ Inherited Deny
▪▪ Inherited Allow

Now that we know what NTFS permissions are, let’s explore how to manage them.

Get ACL for Files and Folders

The first PowerShell cmdlet used to manage file and folder permissions is “Get-Acl”; it lists all object permissions. For example, let’s get the list of all permissions for the folder with the object path “\\fs1\shared\sales”:

    Get-Acl \\fs1\shared\sales | fl

If you want to get a full NTFS permissions report via PowerShell, you can follow this easy how-to about exporting NTFS permissions to CSV.

Copy File and Folder Permissions

To copy permissions, a user must own both the source and target folders. The following command will copy the permissions from the “Accounting” folder to the “Sales” folder:
As we can see from the output of the “Get-Acl” commands before and after the permissions copy, the “Sales” shared folder permissions have been changed.

    $acl.SetAccessRule($AccessRule)
If you want to set other permissions to users or security groups, choose them from the table below:
There are also permission sets of basic access rights that can be applied (table columns: Access Right, Access Right’s Name in PowerShell, Name of the Set in PowerShell).
    $acl.RemoveAccessRule($AccessRule)
    $acl | Set-Acl \\fs1\shared\sales

Notice that T.Simpson still has the “Deny FullControl” permission. To remove it, let’s use the method “PurgeAccessRules”, which will completely wipe T.Simpson’s permissions to the “Sales” folder:

    $acl.PurgeAccessRules($usersid)
Note that “PurgeAccessRules” doesn’t work with a string user name; it works only with SIDs. Therefore, we used the “NTAccount” class to convert the user account name from a string into a SID. Also note that “PurgeAccessRules” works only with explicit permissions; it does not purge inherited ones.

    $acl.SetAccessRuleProtection($true,$false)

▪▪ The first parameter is responsible for blocking inheritance from the parent folder. It has two states: “$true” and “$false”.
▪▪ The second parameter determines whether the current inherited permissions are retained or removed. It has the same two states: “$true” and “$false”.

Let’s revert this change and enable inheritance for the folder “Sales” again:
Change File and Folder Ownership

If you want to set an owner for a folder, you need to run the “SetOwner” method. Let’s make “ENTERPRISE\J.Carter” the owner of the “Sales” folder:

Notice that we again used the “NTAccount” class to convert the user account name from a string into a SID.

Note that the “SetOwner” method does not enable you to change the owner to any account you want; the account must have the “Take Ownership”, “Read” and “Change Permissions” rights.

As you can see, it is very easy to manage NTFS permissions with PowerShell. But don’t forget to audit NTFS permissions as well — it’s critical for security to track all changes made to your file servers in order to reduce data leakage and combat the insider threat and other IT security risks.
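The operations this article walks through on \\fs1\shared\sales, gathered into reusable functions as an added example (not the magazine's own code, most of which did not survive extraction): granting and removing a rule, purging by SID, blocking and restoring inheritance, and changing the owner. \\fs1\shared\sales and ENTERPRISE\J.Carter are the article's own values; that T.Simpson lives in the ENTERPRISE domain is an assumption, and the caller is assumed to hold Change Permissions (and, for the owner change, Take Ownership) on the folder.

```powershell
# Added example, not the magazine's own code. \\fs1\shared\sales and
# ENTERPRISE\J.Carter come from the article; ENTERPRISE\T.Simpson is assumed.

$Folder = '\\fs1\shared\sales'

function New-FolderRule {
    param([string]$Account, [string]$Rights, [string]$Type = 'Allow')
    # ContainerInherit + ObjectInherit makes the ACE flow down to subfolders and files.
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type
}

function Get-ExplicitRules {
    # Explicit ACEs only; for inherited ones the parent, not this folder, decides.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights
}

function Grant-FolderAccess {
    param([string]$Path, [string]$Account, [string]$Rights = 'Modify', [string]$Type = 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule((New-FolderRule -Account $Account -Rights $Rights -Type $Type))
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-FolderRule {
    # RemoveAccessRule matches identity, rights and type, so a "Deny FullControl" ACE
    # survives the removal of an "Allow Modify" ACE and still beats every Allow.
    param([string]$Path, [string]$Account, [string]$Rights, [string]$Type = 'Allow')
    $acl = Get-Acl -Path $Path
    $acl.RemoveAccessRule((New-FolderRule -Account $Account -Rights $Rights -Type $Type)) | Out-Null
    Set-Acl -Path $Path -AclObject $acl
}

function Clear-FolderAccess {
    # PurgeAccessRules wants a SID, hence the NTAccount translation. It strips only
    # explicit ACEs; anything inherited stays until inheritance itself is cut.
    param([string]$Path, [string]$Account)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($sid)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-FolderInheritance {
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    #   ($true, $false) blocks inheritance and discards the inherited ACEs,
    #   ($true, $true)  blocks it but keeps copies of them as explicit ACEs,
    #   ($false, *)     re-enables inheritance from the parent.
    param([string]$Path, [bool]$Block, [bool]$KeepInheritedCopies = $true)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($Block, $KeepInheritedCopies)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-FolderOwner {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    $acl.SetOwner([System.Security.Principal.NTAccount]$Account)
    Set-Acl -Path $Path -AclObject $acl
}

# The article's sequence, start to finish:
Grant-FolderAccess -Path $Folder -Account 'ENTERPRISE\T.Simpson' -Rights 'Modify'
Grant-FolderAccess -Path $Folder -Account 'ENTERPRISE\T.Simpson' -Rights 'FullControl' -Type 'Deny'
Remove-FolderRule  -Path $Folder -Account 'ENTERPRISE\T.Simpson' -Rights 'Modify'   # Deny remains
Clear-FolderAccess -Path $Folder -Account 'ENTERPRISE\T.Simpson'                    # Deny gone too
Set-FolderInheritance -Path $Folder -Block $true -KeepInheritedCopies $false
Set-FolderInheritance -Path $Folder -Block $false
Set-FolderOwner -Path $Folder -Account 'ENTERPRISE\J.Carter'
Get-ExplicitRules -Path $Folder
```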
Manage SharePoint Permissions Like a Pro

Liam Cleary
Security expert, Microsoft MVP

As an IT or SharePoint administrator, you have to manage the security of your farm, including properly provisioning the service accounts and end users that require access to SharePoint. Here, we explore how permissions in SharePoint work and best practices for using them to maximize SharePoint security and adoption.

[…] user is who they claim to be) and authorization (determining what the user should have access to). SharePoint performs the authorization, but it does not perform any authentication; it relies on the underlying Internet Information Services (IIS) and authentication providers to handle that.

Since SharePoint 2010, the standard authentication has been claims-based authentication. There are different types of claims-based authentication; the industry standards are WS-Federation, Security Assertion Markup Language (SAML) and OAuth. However, Microsoft baked into SharePoint a claims engine, the Security Token Service (STS), which can understand many different authentication approaches. Out of the box, SharePoint supports standard Windows Authentication (NTLM, Basic and Kerberos), Forms Based Authentication (FBA) and SAML.

[…] assigned to the following entities:

• Active Directory groups
• Roles provided by Forms Based Authentication
• SAML attributes
• SharePoint groups
• A specific user (though best practices recommend not assigning permissions at this level in SharePoint)

Objects that permissions can be granted for

SharePoint supports permissions for many kinds of objects:

• Farm
• Service application
• Web application
• Site collection
• Site
• List
• Library
• Folder
• Item

[…]cially in the absence of a third-party rights management solution. If custom item-level permissions are the only option to meet the business need, then administrators should limit their use to particular locations and create a strict workflow around it, documenting and reviewing when item-level permissions were granted or changed and who did it.
Understanding SharePoint authentication and authorization

Default permission levels

SharePoint uses permission levels to control access to objects. There are ten default permission levels:

• Full Control
• Contribute
• Read
• Design
• Edit
• Limited Access
• Approve
• Manage Hierarchy
• Restricted Read
• View Only

Each permission level is a container for individual permissions. For example:

• The Read permission level includes these permissions: Open, View, Versions, Page, Application Pages, User Information, Create Alerts, Self-Service Site Creation, Remote Interfaces and Use Client Integration Features.
• The Contribute permission level includes all the permissions in the Read level plus View, Add, Update, Delete, Versions, Browse Directories, Edit User Information, Manage Personal Views, Add, Update or Remove Web Parts.
• The Full Control permission level includes all the sub-permissions for Read and Contribute, plus extras.

Normally, end users are assigned Contribute access to the private sites they actively use and View Only access to everything else.

Custom permission levels

SharePoint does not include every permission level an organization might require, so it enables you to customize the permission levels and create new ones, either from scratch or by cloning an existing permission level and making permission changes. Having tailored granular permission sets enables you to better control what end users can do without all the complications and risks of assigning permissions directly to individual users.

Customizing an existing permission level

Navigate to the “Site Settings” page, click on “Site Permissions” and then click on the “Permission Levels” menu. To customize an existing permission level, click its name on the “Permission Levels” page. On the “Edit Permission Level” page, change the description and add or remove permissions as you require.

Creating a new custom permission level from scratch

To create a new custom permission level, you must be logged in as a SharePoint Farm Administrator, Site Collection Administrator or Site Owner. Navigate to the “Site Settings” page and click on “Site Permissions”. Next, click on the “Permission Levels” menu item. On the “Add a Permission Level” page, enter the name of the new permission level and a description. Then select the check boxes next to the list, site and personal permissions that you want the new permission level to include. Last, click “Create”.
Then click the “Copy permission level” button, name the new permission level, modify it as needed, and then save it.
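The two customizations just described (a permission level built from scratch, and one cloned from an existing level and trimmed), done with the SharePoint Server object model instead of the UI so they can be scripted and reviewed. This is an added example, not the article's own code; it assumes on-premises SharePoint 2013/2016, the SharePoint Management Shell run by a site collection administrator, a placeholder site URL of http://intranet, and invented names for the new levels.

```powershell
# Added example, not the article's own code. Assumes on-premises SharePoint, the
# SharePoint Management Shell (which loads the snap-in), and the placeholder URL
# http://intranet; the two new level names are invented for this example.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function New-PermissionLevel {
    # Create a level from scratch: name, description and the individual permissions
    # (SPBasePermissions flags) it contains.
    param([string]$SiteUrl, [string]$Name, [string]$Description,
          [Microsoft.SharePoint.SPBasePermissions]$Permissions)
    $web = Get-SPWeb $SiteUrl          # use the root web; subsites inherit its levels
    try {
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name            = $Name
        $role.Description     = $Description
        $role.BasePermissions = $Permissions
        $web.RoleDefinitions.Add($role)
        return ($web.RoleDefinitions | Where-Object Name -eq $Name)
    } finally { $web.Dispose() }
}

function Copy-PermissionLevel {
    # Clone an existing level and remove selected permissions from the copy, which is
    # the "clone and modify" route the article describes.
    param([string]$SiteUrl, [string]$Source, [string]$Name,
          [Microsoft.SharePoint.SPBasePermissions]$Remove = 'EmptyMask')
    $web = Get-SPWeb $SiteUrl
    try {
        $src = $web.RoleDefinitions | Where-Object Name -eq $Source
        if (-not $src) { throw "Permission level '$Source' not found on $SiteUrl" }
        # Keep every flag of the source except the ones being removed.
        $kept = [long]$src.BasePermissions -band -bnot [long]$Remove
        $role = New-Object Microsoft.SharePoint.SPRoleDefinition
        $role.Name            = $Name
        $role.Description     = "Copy of $Source without: $Remove"
        $role.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$kept
        $web.RoleDefinitions.Add($role)
        return ($web.RoleDefinitions | Where-Object Name -eq $Name)
    } finally { $web.Dispose() }
}

# A read-style level built from scratch (the flags behind the article's Read list,
# minus client integration):
New-PermissionLevel -SiteUrl 'http://intranet' -Name 'Read (no client apps)' `
    -Description 'Read without Office client integration' `
    -Permissions 'ViewListItems, ViewVersions, ViewPages, ViewFormPages, Open, BrowseUserInfo, CreateAlerts, UseRemoteAPIs'

# Contribute minus the ability to delete, for users who should add and edit only:
Copy-PermissionLevel -SiteUrl 'http://intranet' -Source 'Contribute' -Name 'Contribute (no delete)' `
    -Remove 'DeleteListItems, DeleteVersions'
```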
How to: Detect users who have direct permissions on your file servers

2. Specify the parameters below and run the script:

    $search_folder = "\\share\path\"
    $out_file = "C:\temp\directpermissionsexport.csv"
    $out_error = "C:\temp\errors.csv"
    […]
    try {
        $acl = Get-Acl $item.fullname
    […]
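Only the parameter block of the magazine's script survived extraction, so here is an added example (not the magazine's own script) of the detection it describes: walk a share tree and report explicit (non-inherited) ACEs granted to individual user accounts rather than to groups, which is what "direct permissions" means here. The three paths are the article's own placeholders; the helper names and the user-versus-group test are assumptions.

```powershell
# Added example, not the magazine's script. $search_folder, $out_file and $out_error
# are the article's placeholders; Test-IsUserAccount and Get-DirectPermission are ours.

$search_folder = '\\share\path\'
$out_file      = 'C:\temp\directpermissionsexport.csv'
$out_error     = 'C:\temp\errors.csv'

function Test-IsUserAccount {
    # True for a named user (local or domain); false for groups, for well-known
    # principals such as NT AUTHORITY\SYSTEM, and for SIDs that no longer resolve.
    param([string]$Identity)
    $domain, $name = $Identity -split '\\', 2
    if (-not $name) { return $false }
    try {
        # The WinNT ADSI provider reports SchemaClassName 'User' or 'Group'.
        return (([ADSI]"WinNT://$domain/$name").SchemaClassName -eq 'User')
    } catch { return $false }
}

function Get-DirectPermission {
    param([Parameter(Mandatory)][string]$Root)
    $errors = New-Object 'System.Collections.Generic.List[object]'
    $dirs = Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue -ErrorVariable walkErrors
    foreach ($e in $walkErrors) {        # folders we could not enumerate still get reported
        $errors.Add([pscustomobject]@{ Path = $e.TargetObject; Error = $e.Exception.Message })
    }
    $rows = foreach ($item in @(Get-Item -Path $Root) + @($dirs)) {
        try {
            $acl = Get-Acl -Path $item.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }                 # set higher up, not here
                $id = $ace.IdentityReference.Value
                if (-not (Test-IsUserAccount $id)) { continue }     # groups are the sanctioned route
                [pscustomobject]@{
                    Path    = $item.FullName
                    User    = $id
                    Type    = $ace.AccessControlType
                    Rights  = $ace.FileSystemRights
                    Applies = "$($ace.InheritanceFlags)"
                }
            }
        } catch {
            $errors.Add([pscustomobject]@{ Path = $item.FullName; Error = $_.Exception.Message })
        }
    }
    [pscustomobject]@{ Rows = @($rows); Errors = $errors.ToArray() }
}

$report = Get-DirectPermission -Root $search_folder
$report.Rows   | Export-Csv -Path $out_file  -NoTypeInformation
$report.Errors | Export-Csv -Path $out_error -NoTypeInformation
# Each row is a permission that should normally be re-expressed as a group
# membership or removed, and the error file lists folders that still need a look.
```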
Effective Permissions Reporting Tool

This freeware tool helps you make sure that employees’ permissions correspond to their roles in your organization by showing who has permissions to what in Active Directory and file shares.

[On-Demand Webinar] 4 Handy PowerShell Commands for Managing the File System

Watch the technical session about managing file systems with PowerShell as Russell Smith shares commands that enable you to get a permissions report, audit permissions changes on a file server and find over-permissioned folders.

Russell Smith
Data Security Expert, IT Consultant