SysAdmin Magazine
№ 51 August ‘19

PERMISSIONS
The Good, The Bad & The Ugly

Contents SysAdmin Magazine August 2019

03 What is the principle of Least Privilege?
05 Privileged access management in Windows Server
09 Differences between share and NTFS permissions
12 How to manage file System ACLs with PowerShell scripts
20 Manage SharePoint permissions like a pro
25 How to: Detect users who have direct permissions on your file servers
26 Free tool of the month: Effective Permissions Reporting Tool

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com

What Is the Definition of the Principle of Least Privilege?

Brian Svidergol
Active Directory and Cybersecurity Expert

The principle of least privilege, or “principle of least authority,” is a security best practice that requires limiting privileges to the minimum necessary to perform the job or task. IT administrators often think about this principle in terms of the access rights for user accounts, admin rights and computer security settings. However, the security principle of least privilege has broader applicability, including organization-wide access controls and physical security, and even scenarios outside of the workplace.

In this article, we will explain the principle of least privilege (POLP), provide the definition and use cases, and explain the importance of the principle. Like many other security principles and concepts, this principle is one part of a larger security strategy that aims at mitigating the risk of a security breach.

Examples of how least privilege helps improve security

To illustrate the value of enforcing the principle of least privilege, let’s walk through a few scenarios:

▪▪ IT administrator. Suppose an organization has a primary administrator who is responsible for deploying and managing most of its Windows servers. However, some teams, such as the email team, manage their own servers. If the organization does not enforce least privileges, both the primary administrator and the email administrators might be granted administrative access to all the company’s servers, which introduces unnecessary risk. For instance, the primary admin might inadvertently make an improper change to an email server, or an email admin’s account might be hacked, which would give the attacker access to all servers in the company. With least privilege, on the other hand, each admin is granted access to only the specific servers they need to manage, limiting the risk of accidental or deliberate damage.

▪▪ Retail bank. Most banks have employees working in various capacities, such as tellers, managers and financial advisors. Without least privilege in place, the bank might allow tellers to access the vault whenever their cash drawer runs low, which increases the risk of theft and errors. Limiting access to secure areas like the vault in accordance with the principle of least privilege reduces that risk — in that case, tellers must request that designated managers get them additional cash from the vault when needed.

▪▪ Application. Some software applications need to modify particular files and folders. Without the principle of least privilege, the application might run under a service account that has administrative rights to the application servers — enabling an attacker who compromises the application to do serious damage. For stronger information security, the service account should be granted only read, write or update access to the specific files and folders the application needs to modify.


These are just a few examples of how enforcing the principle of least privilege can reduce the risk of malicious behavior and errors, and minimize the ability of malware and attackers who compromise your accounts to access the systems, data and resources in your network.

Least Privilege best practices

As you implement the principle of least privilege, keep the following best practices in mind:

▪▪ Minimize account privileges based on the requirements of the tasks or job. All users should have a least-privileged user account, which can only do what the user is required to do as part of their job.

▪▪ Minimize privileges for non-human accounts such as service accounts. Review vendor documentation to understand the minimum privileges required by each application — and if it says administrative access to the application server is needed, proceed with caution. It is a good practice to implement the application in a test environment where you can try various configurations. I’ve seen some vendors say administrative access is required when lesser permissions will work.

▪▪ Perform periodic access reviews to ensure that the principle of least privilege is being adhered to. It is common for both standard users and administrators to change roles or change departments. What’s less common is for their user access rights to be adjusted during such a change. Employees often build up a large set of privileges, especially if they are with a company for a long time, and it’s important to remove unneeded privileges to reduce risk to your systems and data.

Related best practices

As we have seen, the principle of least privilege is one important way to reduce your overall attack surface area and enhance security. However, it’s essential to remember that a policy of least privilege by itself is not sufficient for strong access management. Here are some other key best practices that will help round out your security strategy:

▪▪ Have administrators use separate accounts based on the task they are performing. For example, admins should use a user account with standard privileges to read email and browse the internet, and log on with credentials that grant elevated privilege only when they need to perform IT administrative tasks.

▪▪ Log and monitor the activities of all accounts, especially privileged accounts. You need to be able to pinpoint when and how users authenticate, which tasks they perform, and the specific changes they make in the environment.

▪▪ Implement multi-factor authentication for IT administrative accounts. Require administrators to authenticate normally (such as with their ID and password) and then complete a second step using a different authentication mechanism (such as a hardware token or fingerprint) each time they want to perform administrative tasks.


Privileged Access Management in Windows Server

Jeff Melnick
IT Security Expert, Blogger

Many organizations struggle to secure their systems because their Active Directory is already compromised. AD is usually compromised by insiders or by successful attacks on them. So how can you keep your environment protected even when a privileged account has been hacked? Microsoft Windows Server 2016 has many great features to help:

User Rights

User rights determine which tasks a user account can complete. Best practices require assigning user rights in accordance with the principle of least privilege — each user should have the minimum rights required to do their assigned tasks. This limits the damage the account owner can do, either intentionally or accidentally, and also minimizes the reach of an attacker who gains control of an account. The best practice is to assign user rights by adding users to groups that have been assigned the appropriate permissions. You can also assign user accounts rights directly, by assigning the account the rights in Group Policy, but this is not recommended because it makes it difficult to keep track of permissions and adhere to the least-privilege principle.

Unfortunately, organizations tend to grant accounts more privileges than they need because it’s convenient — it’s easier to add an account to the local Administrators group on a computer, for instance, than it is to figure out the precise privileges that the account needs and add the user to the proper groups. Lack of communication and standard procedures also often results in failure to revoke privileges that users no longer need as they change roles within the organization. As a result, these organizations are at unnecessary risk for data loss, downtime and compliance failures.

Delegation of Control wizard

Organizations often want to enable certain staff members to perform specific administrative tasks without giving them full administrative privileges. For instance, they might want to enable IT operations personnel to reset user passwords but not create or delete accounts. To help, Microsoft Windows Server 2016 offers the Delegation of Control wizard, which enables you to delegate the following privileges:

▪▪ Create, delete, and manage user accounts
▪▪ Reset user passwords and force password change at next logon
▪▪ Read all user information
▪▪ Create, delete, and manage groups
▪▪ Change group membership
▪▪ Manage Group Policy links
▪▪ Generate Resultant Set of Policy (Planning)
▪▪ Generate Resultant Set of Policy (Logging)
▪▪ Create, delete, and manage inetOrgPerson accounts
▪▪ Reset inetOrgPerson passwords and force password change at next logon
▪▪ Read all inetOrgPerson information


Privileged Access Workstation (PAW)

Another integral part of securing an environment is to ensure that IT admins use only secure Windows servers for tasks that require administrative privileges. They should use other machines for daily tasks, such as browsing the Internet, responding to email, and opening files authored by other people, since those actions increase the risk of a host being compromised.

A Privileged Access Workstation (PAW), or secure administrative host, is a special computer that you use only for performing privileged tasks. To create a PAW, you must:

▪▪ Ensure that only authorized users can sign in to the host.
▪▪ Use Device Guard and AppLocker policies to restrict application execution to trusted applications that your organization’s employees use to perform administrative tasks.
▪▪ Enable Windows Defender Credential Guard to help protect against credential theft.
▪▪ Enable BitLocker to help protect the boot environment and the hard disk drives from tampering.
▪▪ Ensure that the PAW is blocked from accessing all external sites by the perimeter network firewall.
▪▪ Block Remote Desktop Protocol (RDP), Windows PowerShell and management console connections from any computer that is not a PAW.
▪▪ Configure sign-in restrictions for accounts that are used to perform administrative actions.

Jump servers

A jump server is a special server that users connect to using Remote Desktop when they want to perform administrative tasks. You should configure jump servers in a manner similar to Privileged Access Workstations. The difference is that instead of signing in locally, a member of the IT operations team makes a Remote Desktop connection to the jump server and then signs in to the jump server with an account that has the required administrative permissions. The drawback of jump servers is that the computer that makes the connection to a jump server might be compromised by malware because you use it to browse the Internet, read email, open files and so on. In highly secure environments, you can use jump servers in conjunction with Privileged Access Workstations.

Just Enough Administration (JEA)

Just Enough Administration is a new administrative technology that enables you to apply role-based access control (RBAC) principles through Windows PowerShell remote sessions. Instead of assigning users general roles that grant them more permissions than they need to do their jobs, you can use JEA to configure special Windows PowerShell endpoints that provide the functionality necessary to perform a specific task: an authorized user can connect to the endpoint and use a specific set of Windows PowerShell cmdlets, parameters and parameter values. The tasks are performed by a privileged virtual account, rather than the user’s account.

The advantages of this approach include the following:

▪▪ The user’s credentials are not stored on the remote system.
▪▪ The user account used to connect to the endpoint does not need to be privileged.
▪▪ The virtual account is limited to the system on which it is hosted.
▪▪ The virtual account has local administrator privileges but is limited to performing only the activities defined by JEA.
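The JEA endpoint described above, as an added example that is not from the article: a role capability file that whitelists a handful of cmdlets and pins their parameter values, and a session configuration that runs them as a virtual account. The module path, the CONTOSO\Helpdesk group, the service names and the transcript folder are assumptions.

```powershell
# Added example (not from the article): a minimal JEA endpoint. Members of an
# assumed group CONTOSO\Helpdesk may list services, restart two named services
# and reset a user's password, nothing else; the work runs as a virtual account.
# Module path, group name, service names and transcript folder are assumptions.

$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcDir     = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'HelpdeskJEA.psd1')

# Role capability: whitelist cmdlets, and restrict parameter values where it matters.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'Helpdesk.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name       = 'Set-ADAccountPassword'
           Parameters = @{ Name = 'Identity' }, @{ Name = 'Reset' }, @{ Name = 'NewPassword' } }
    )

# Session configuration: restricted endpoint, virtual account, transcripts on,
# and the group-to-role mapping that makes it RBAC.
$pssc = Join-Path $moduleDir 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'Helpdesk' } }

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'Invalid session configuration file' }

# Registering the endpoint restarts WinRM; -Force suppresses the confirmation prompt.
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# A helpdesk user then connects with an unprivileged account and sees only the
# whitelisted commands (plus the small default set of a restricted endpoint):
#   Enter-PSSession -ComputerName 'srv01' -ConfigurationName 'Helpdesk'
#   Get-Command
```

Because the caller's own token is never elevated, a compromised helpdesk account yields only what the .psrc allows, and every session is written to the transcript directory for review.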


Securing domain controllers

Domain controllers are one of the most valuable targets on a network; an attacker who compromises a DC has control of all domain identities. To secure your DCs, consider taking the following steps:

▪▪ Ensure that all domain controllers run the most recent version of the Windows Server operating system and have current security updates.
▪▪ Deploy domain controllers using the “Server Core” installation option rather than the “Server with a Desktop” option.
▪▪ Keep physically deployed domain controllers in dedicated secure racks that are separate from other servers.
▪▪ Deploy domain controllers on hardware that includes a Trusted Platform Module (TPM) chip, and configure all volumes with BitLocker Drive Encryption.
▪▪ Run virtualized domain controllers either on separate virtualization hosts or as shielded virtual machines on a guarded fabric.
▪▪ Use Security Compliance Manager to apply configuration baselines to domain controllers.
▪▪ Use AppLocker and Device Guard to control the execution of executables and scripts on your domain controllers.
▪▪ Use the Group Policy assigned to the Domain Controllers OU to ensure that RDP connections can be made only from jump servers and Privileged Access Workstations.
▪▪ Configure the perimeter firewall to block outbound connections from domain controllers to the internet.

Enhanced Security Administrative Environment (ESAE) forests

An Enhanced Security Administrative Environment (ESAE) forest, also called a “red forest,” is a special Active Directory forest that hosts privileged accounts. Putting privileged accounts in an ESAE forest makes it easier to apply more restrictive policies to protect them. An ESAE forest is configured with a one-way trust relationship with a production forest — accounts from the ESAE forest can be used in the production forest, but accounts in the production forest cannot be used in the ESAE forest. The production forest is configured so that administrative tasks can be performed there only by accounts hosted in the ESAE forest.

ESAE forests have the following benefits:

▪▪ Locked-down accounts. Standard user accounts in the ESAE forest can be configured as highly privileged in the production forest.
▪▪ Selective authentication. Accounts in the ESAE forest can sign in only to specific hosts in the production forest.
▪▪ Simple way to improve security. Because privileged administrative accounts are hosted in a separate forest, it is easy to apply more stringent security requirements (such as requiring multifactor authentication) to them than to the standard user accounts in the production forest.

Microsoft Identity Manager (MIM)

Active Directory Domain Services (AD DS) allows you to create, modify and delete user accounts, but provides very few tools to automate lifecycle management of those accounts. MIM is an on-premises identity and access management solution that fills that gap. For example, with MIM, you can enable users to use a self-service portal to reset their own passwords, and allow identity synchronization between your on-premises identity stores and those in cloud applications.


You can use MIM to manage:

• Users
• Credentials
• Policies
• Access
• Certificates
• Privileged identities

MIM offers the following functionality:

• Self-service password reset. Users can reset their own forgotten passwords after they answer questions to verify their identity.
• Self-service account lockout remediation. Users can unlock their accounts by answering questions to verify their identity.
• Self-service user attribute management. Users can update certain of their own Active Directory attributes, such as their phone numbers.
• Manage the lifecycle of Active Directory users and groups. MIM provides tools for managing groups and users that go beyond the creation, modification and deletion functionality of AD DS.
• Manage the lifecycle of smart cards and certificates. MIM provides tools for managing smart cards and certificates, including certificate provisioning and renewal.
• Role management and assignment. MIM helps you manage RBAC functionality.
• Password synchronization across directories. You can synchronize passwords to other directories, including Azure Active Directory (Azure AD).
• Privileged account management (PAM). Admins can be assigned privileges on a temporary, rather than permanent, basis.
• Analytics and compliance reporting. You can analyze and report on all activity that MIM 2016.

Just-in-time (JIT) administration

JIT administration is the idea of granting privileges to users when they need them to do a particular task, and only for a limited amount of time, rather than permanently. This limits the usefulness of the accounts to an attacker who compromises them, and also minimizes the opportunity for the account owner to accidentally or deliberately misuse the elevated privileges. JIT is implemented by granting the user temporary membership in a security group that has the required privileges.

When properly implemented, this approach can provide the following security improvements:

• All accounts that the IT Operations team uses are standard user accounts.
• All requests for privileges are logged.
• Privileges are temporary.
• Once privileges are granted, a user must establish a new session (either by opening a new Windows PowerShell session or by signing out and signing in again) in order to leverage the new temporary group memberships and the associated permissions.
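The temporary group membership that JIT relies on, as an added example that is not from the article: with the Privileged Access Management optional feature enabled, the Active Directory module can add a member with a time-to-live, after which the link expires on its own. The forest name, group and user are assumptions.

```powershell
# Added example (not from the article): time-bound group membership using the
# AD module's expiring links (Windows Server 2016 forest functional level).
# The forest, group and user names are assumptions.
Import-Module ActiveDirectory

# One-time, irreversible forest-level switch that enables expiring links.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [ValidateRange(5, 480)][int]$Minutes = 60
    )
    $ttl = New-TimeSpan -Minutes $Minutes
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl

    # Every request should leave a record; a ticketing or SIEM call would
    # normally replace this line.
    $expires = (Get-Date).Add($ttl)
    Write-Verbose ("JIT grant: {0} -> {1}, expires {2:u}" -f $User, $Group, $expires) -Verbose

    # Show the link as AD stores it, e.g. "<TTL=1795>,CN=j.doe,OU=...":
    # the TTL counts down and the membership disappears when it reaches zero.
    Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member |
        Where-Object { $_ -like "*CN=$User,*" }
}

Grant-TemporaryMembership -Group 'Server Operators' -User 'j.doe' -Minutes 30
```

As the article notes, the user must start a new logon session (or a new PowerShell remoting session) to receive a token that carries the new group SID; the TTL is also enforced on the Kerberos ticket lifetime, so an existing ticket does not outlive the grant.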


Differences Between Share and NTFS Permissions

Adam Stetson
Systems Engineer, Security Expert

NTFS and share permissions are both often used in Microsoft Windows environments. While share and NTFS permissions both serve the same purpose — preventing unauthorized access — there are important differences to understand before you determine how to best perform a task like sharing a folder. Here are the key differences between share and NTFS permissions, along with some recommendations for when and how to use each of them.

What Are NTFS Permissions?

NTFS (New Technology File System) is the standard file system for Microsoft Windows NT and later operating systems; NTFS permissions are used to manage access to data stored in NTFS file systems. The main advantages of NTFS permissions are that they affect both local users and network users and that they are based on the permissions granted to an individual user at the Windows logon, regardless of where the user is connecting from.

There are both basic and advanced NTFS permissions. You can set each of the permissions to “Allow” or “Deny” to control access to NTFS objects. Here are the basic types of access permissions:

▪▪ Full Control — Users can add, modify, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
▪▪ Modify — Users can view and modify files and file properties, including adding files to or deleting files from a directory, or file properties to or from a file.
▪▪ Read & Execute — Users can run executable files, including scripts.
▪▪ Read — Users can view files, file properties and directories.
▪▪ Write — Users can write to a file and add files to directories.

What Are Share Permissions?

Share permissions manage access to folders shared over a network; they don’t apply to users who log on locally. Share permissions apply to all files and folders in the share; you cannot granularly control access to subfolders or objects on a share. You can specify the number of users who are allowed to access the shared folder. Share permissions can be used with NTFS, FAT and FAT32 file systems.

There are three types of share permissions: Full Control, Change and Read. You can set each of them to “Deny” or “Allow” to control access to shared folders or drives:

▪▪ Read — Users can view file and subfolder names, read data in files, and run programs. By default, the “Everyone” group is assigned “Read” permissions.
▪▪ Change — Users can do everything allowed by the “Read” permission, as well as add files and subfolders, change data in files, and delete subfolders and files. This permission is not assigned by default.


▪▪ Full Control — Users can do everything allowed by the “Read” and “Change” permissions, and they can also change permissions for NTFS files and folders only. By default, the “Administrators” group is granted “Full Control” permissions.

NTFS vs Share Permissions

Here are the key differences between NTFS and share permissions that you need to know:

▪▪ Share permissions are easy to apply and manage, but NTFS permissions enable more granular control of a shared folder and its contents.
▪▪ When share and NTFS permissions are used simultaneously, the most restrictive permission always wins. For example, when the shared folder permission is set to “Everyone Read Allow” and the NTFS permission is set to “Everyone Modify Allow”, the share permission applies because it is most restrictive; the user is not allowed to change the files on the shared drive.
▪▪ Share permissions can be used when sharing folders in FAT and FAT32 file systems; NTFS permissions can’t.
▪▪ NTFS permissions apply to users who are logged on to the server locally; share permissions don’t.
▪▪ Unlike NTFS permissions, share permissions allow you to restrict the number of concurrent connections to a shared folder.
▪▪ Share permissions are configured in the “Advanced Sharing” properties in the “Permissions” settings. NTFS permissions are configured on the Security tab in the file or folder properties.

How to Change NTFS Permissions

To change NTFS permissions:

1. Open the “Security” tab.
2. In the folder’s “Properties” dialog box, click “Edit”.
3. Click on the name of the object you want to change permissions for.
4. Select either “Allow” or “Deny” for each of the settings.
5. Click “Apply” to apply the permissions.

How to Change Share Permissions

To change share permissions:

1. Right-click the shared folder.
2. Click “Properties”.
3. Open the “Sharing” tab.
4. Click “Advanced Sharing”.
5. Click “Permissions”.
6. Select a user or group from the list.
7. Select either “Allow” or “Deny” for each of the settings.

Permissions Best Practices

▪▪ Assign permissions to groups, not user accounts — Assigning permissions to groups simplifies management of shared resources. If a user’s role changes, you simply add them to the appropriate new groups and remove them from any groups that are no longer relevant.
▪▪ Enforce the principle of least privilege — Grant users the permissions they need and nothing more. For example, if a user needs to read the information in a folder but never has a legitimate reason to delete, create,


or change files, make sure they have only the “Read” permission.
▪▪ Use only NTFS permissions for local users — Share permissions apply only to users who access shared resources over the network; they do not apply to users who log on locally.
▪▪ Put objects with the same security requirements in the same folder — For example, if users require the “Read” permission for several folders that are used by one department, store those folders in the same parent folder and share that parent folder, rather than sharing each folder individually.
▪▪ Do not set the permissions for the “Everyone” group to “Deny” — The “Everyone” group includes anyone who has access to shared folders, including the “Guest” account, with the exception of the “Anonymous Logon” group.
▪▪ Avoid explicitly denying permissions to a shared resource — Normally, you should explicitly deny permissions only when you want to override specific permissions that are already assigned.
▪▪ Grant the “Administrators” group the “Full Control” permission to the parent shared folder — This strategy enables administrators to manage permissions, export access lists, and track changes to all permissions, files and folders.
▪▪ Keep a close eye on the membership of the “Administrators” group — Users in this group have “Full Access” permissions to all of your shared files and folders. Therefore, you should carefully audit changes to its membership, using either audit policy and the security event log, or third-party software solutions that can notify you about any changes to this powerful group in real time, as well as facilitate regular attestation for all user permissions.

Using Just One Set of Permissions

If you feel that working with two separate sets of permissions is too complicated, you can use just NTFS permissions. Simply change the share permissions for the folder to “Full Control,” and then you can make whatever changes you want to the NTFS permissions without having to worry about the file share permissions interfering with them.

Understanding the differences between Share and NTFS permissions enables you to use them together to secure access to local and shared resources. Following the guidelines and best practices detailed here will further strengthen the security of your IT environment.
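The “most restrictive permission wins” rule from this article, applied in code as an added example that is not from the article: the share ACL and the NTFS ACL underneath it are read side by side and the lower of the two levels is reported for each identity. The share name and accounts are assumptions; the script matches identities by exact name, skips Deny entries and does not expand group membership, so it is a first-pass check rather than a full effective-permissions report.

```powershell
# Added example (not from the article): report the effective level of access
# per identity on an SMB share by keeping the more restrictive of the share
# permission and the NTFS permission. Share and account names are assumptions.
# Limitations: exact identity match only, Deny entries ignored, no group nesting.

# Comparable ranks for the share levels and for the NTFS basic permissions.
$script:Rank = [ordered]@{ None = 0; Read = 1; Change = 2; Full = 3 }

function Get-NtfsRank {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $fs = [System.Security.AccessControl.FileSystemRights]
    if ($Rights.HasFlag($fs::FullControl)) { return 3 }
    if ($Rights.HasFlag($fs::Modify))      { return 2 }
    if ($Rights.HasFlag($fs::ReadAndExecute) -or $Rights.HasFlag($fs::Read)) { return 1 }
    return 0   # Write-only or generic-rights ACEs are not ranked here
}

function Get-EffectiveShareAccess {
    param([Parameter(Mandatory)][string]$ShareName)

    $share    = Get-SmbShare -Name $ShareName
    $shareAcl = Get-SmbShareAccess -Name $ShareName | Where-Object AccessControlType -eq 'Allow'
    $ntfsAcl  = (Get-Acl -Path $share.Path).Access | Where-Object AccessControlType -eq 'Allow'

    foreach ($entry in $shareAcl) {
        $ntfsForId = $ntfsAcl | Where-Object { $_.IdentityReference.Value -eq $entry.AccountName }

        $level     = [string]$entry.AccessRight   # Full, Change, Read or Custom
        $shareRank = if ($script:Rank.Contains($level)) { $script:Rank[$level] } else { 0 }
        $ntfsRank  = 0
        foreach ($ace in $ntfsForId) {
            $ntfsRank = [Math]::Max($ntfsRank, (Get-NtfsRank -Rights $ace.FileSystemRights))
        }

        # The lower rank is what the user actually gets over the network.
        [pscustomobject]@{
            Identity  = $entry.AccountName
            Share     = $level
            Ntfs      = ($ntfsForId.FileSystemRights -join ', ')
            Effective = @($script:Rank.Keys)[[Math]::Min($shareRank, $ntfsRank)]
        }
    }
}

# With share "Everyone = Read" and NTFS "Everyone = Modify", the row for
# Everyone reports Effective = Read, as described in the article.
Get-EffectiveShareAccess -ShareName 'Sales' | Format-Table -AutoSize
```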


How to Manage File System ACLs with PowerShell Scripts

Jeff Melnick
IT Security Expert, Blogger

Many organizations with a Microsoft Windows environment rely on NTFS as the main file system for their storage devices that contain sensitive data. It is the easiest way for users to work with files. In order to implement a least-privilege model, which is a best practice for system security, IT security specialists and system administrators configure NTFS access control lists (ACLs) by adding access control entries (ACEs) on NTFS file servers.

NTFS Permissions Types for Files and Folders

There are both basic and advanced NTFS permissions. You can set each of the permissions to “Allow” or “Deny”. Here are the basic permissions:

▪▪ Full Control: Users can modify, add, move and delete files and directories, as well as their associated properties. In addition, users can change permissions settings for all files and subdirectories.
▪▪ Modify: Users can view and modify files and file properties, including deleting and adding files to a directory or file properties to a file.
▪▪ Read & Execute: Users can run executable files, including scripts.
▪▪ Read: Users can view files, file properties and directories.
▪▪ Write: Users can write to a file and add files to directories.

Here is the list of advanced permissions:

▪▪ Traverse Folder/Execute File: Users can navigate through folders to reach other files or folders, even if they have no permissions for these files or folders. Users can also run executable files. The Traverse Folder permission takes effect only when the group or user doesn’t have the “Bypass Traverse Checking” right in the Group Policy snap-in.
▪▪ List Folder/Read Data: Users can view a list of files and subfolders within the folder as well as the content of the files.
▪▪ Read Attributes: Users can view the attributes of a file or folder, such as whether it is read-only or hidden.
▪▪ Write Attributes: Users can change the attributes of a file or folder.
▪▪ Read Extended Attributes: Users can view the extended attributes of a file or folder, such as permissions and creation and modification times.
▪▪ Write Extended Attributes: Users can change the extended attributes of a file or folder.
▪▪ Create Files/Write Data: The “Create Files” permission allows users to create files within the folder. (This permission applies to folders only.) The “Write Data” permission allows users to make changes to the file and overwrite existing content. (This permission applies to files only.)
▪▪ Create Folders/Append Data: The “Create Folders” permission allows users to create folders within a folder. (This permission applies to folders only.) The “Append Data” permission allows users to make changes to the end of the file, but they can’t change, delete or overwrite existing data. (This permission applies to files only.)
▪▪ Delete: Users can delete the file or folder. (If users don’t have the “Delete” permission on a file or folder, they can still delete it if they have the “Delete Subfolders And Files” permission on the parent folder.)
▪▪ Read Permissions: Users can read the permissions of a file or folder, such as “Full Control”, “Read”, and “Write”.
▪▪ Change Permissions: Users can change the permissions of a file or folder.
▪▪ Take Ownership: Users can take ownership of the file or folder. The owner of a file or folder can always change permissions on it, regardless of any existing permissions that protect the file or folder.
▪▪ Synchronize: Users can use the object for synchronization. This enables a thread to wait until the object is in the signaled state. This right is not presented in ACL Editor. You can read more about it here.

You can find all these user permissions by running the following PowerShell script:

[system.enum]::getnames([System.Security.AccessControl.FileSystemRights])

NTFS permissions can be either explicit or inherited. Explicit permissions are permissions that are configured individually, while inherited permissions are inherited from the parent folder. The hierarchy for permissions is as follows:

▪▪ Explicit Deny
▪▪ Explicit Allow
▪▪ Inherited Deny
▪▪ Inherited Allow

Now that we know what NTFS permissions are, let’s explore how to manage them.

Get ACL for Files and Folders

The first PowerShell cmdlet used to manage file and folder permissions is “get-acl”; it lists all object permissions. For example, let’s get the list of all permissions for the folder with the object path “\\fs1\shared\sales”:

get-acl \\fs1\shared\sales | fl

If you want to get a full NTFS permissions report via PowerShell, you can follow this easy how-to about exporting NTFS permissions to CSV.

Copy File and Folder Permissions

To copy permissions, a user must own both the source and target folders. The following command will copy the permissions from the “Accounting” folder to the “Sales” folder:


get-acl \\fs1\shared\accounting | Set-Acl \\fs1\shared\sales

As we can see from the output of the “get-acl” commands before and after the permissions copy, the “Sales” shared folder permissions have been changed.

Set File and Folder Permissions

The PowerShell “set-acl” cmdlet is used to change the security descriptor of a specified item, such as a file, folder or a registry key; in other words, it is used to modify file or folder permissions. The following script sets the “FullControl” permission to “Allow” for the user “ENTERPRISE\T.Simpson” to the folder “Sales”:

$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales


If you want to set other permissions for users or security groups, choose them from the table below:

Access Right                      Access Right’s Name in PowerShell
Full Control                      FullControl
Traverse Folder / Execute File    ExecuteFile
List Folder / Read Data           ReadData
Read Attributes                   ReadAttributes
Read Extended Attributes          ReadExtendedAttributes
Create Files / Write Data         CreateFiles
Create Folders / Append Data      AppendData
Write Attributes                  WriteAttributes
Write Extended Attributes         WriteExtendedAttributes
Delete Subfolders and Files       DeleteSubdirectoriesAndFiles
Delete                            Delete
Read Permissions                  ReadPermissions


There are also permission sets of basic access rights that can be applied. Each set is listed below with the basic rights it contains and its name in PowerShell:

▪▪ Read (PowerShell name: Read): List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions

▪▪ Write (PowerShell name: Write): Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes

▪▪ Read and Execute (PowerShell name: ReadAndExecute): Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions

▪▪ Modify (PowerShell name: Modify): Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions
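The Set-Acl script above grants FullControl, which is rarely the least privilege a task needs. The following PowerShell is an added example, not code from the magazine, that uses the right names from the two tables: it grants one of the named sets with explicit inheritance flags, then reads the ACL back in the order Windows evaluates it (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and labels which named sets each entry contains. The share path and account are the article’s own placeholder values; the function names (Grant-FolderRight, Get-RightsSets, Get-FolderAce) are this example’s own.

```powershell
# Added example (not code from the magazine). Grants a named permission set with
# explicit inheritance flags, then reads the ACL back in evaluation order.
# \\fs1\shared\sales and ENTERPRISE\T.Simpson are the article's placeholder
# values; the function names are this example's own.

function Grant-FolderRight {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        # Any name from the two tables, e.g. 'Modify' or 'ReadAndExecute, Write'.
        # Prefer a named set over FullControl.
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit + ObjectInherit is "This folder, subfolders and files" in
    # the Security dialog; PropagationFlags None keeps the ACE on $Path itself too.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $propagate, $Type
    # AddAccessRule keeps the identity's other ACEs; SetAccessRule, used in the
    # article, replaces all of its ACEs of the same type (Allow or Deny).
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RightsSets {
    # Names the composite sets from the second table that a rights value contains.
    # Inherit-only ACEs may carry generic bits that match none of them.
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)
    $sets = foreach ($name in 'FullControl', 'Modify', 'ReadAndExecute', 'Write', 'Read') {
        if ($Rights.HasFlag([System.Security.AccessControl.FileSystemRights]$name)) { $name }
    }
    if ($sets) { $sets -join ', ' } else { 'none of the named sets' }
}

function Get-FolderAce {
    # Lists the DACL in canonical evaluation order: explicit before inherited,
    # Deny before Allow within each group. The first ACE that matches decides.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Sort-Object -Property IsInherited, @{ Expression = { $_.AccessControlType -eq 'Allow' } } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'; Expression = { $_.FileSystemRights } },
            @{ Name = 'Sets';   Expression = { Get-RightsSets -Rights $_.FileSystemRights } },
            InheritanceFlags
}

# Usage (constructed values): grant Modify rather than FullControl, then verify.
Grant-FolderRight -Path '\\fs1\shared\sales' -Identity 'ENTERPRISE\T.Simpson' -Rights Modify
Get-FolderAce -Path '\\fs1\shared\sales' | Format-Table -AutoSize
```

The Sets column makes over-permissioned entries visible at a glance: an identity whose inherited entry already contains Modify does not need an explicit FullControl on top of it, and a Deny that sits above an Allow for the same identity wins regardless of how broad the Allow is.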


Remove User Permissions

To remove a permission, use the “RemoveAccessRule” method. Let’s delete the “Allow FullControl” permission for T.Simpson on the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("ENTERPRISE\T.Simpson","FullControl","Allow")
$acl.RemoveAccessRule($AccessRule)
$acl | Set-Acl \\fs1\shared\sales

Notice that T.Simpson still has the “Deny FullControl” permission. To remove it, let’s use the “PurgeAccessRules” method, which will completely wipe T.Simpson’s permissions on the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales
$usersid = New-Object System.Security.Principal.NTAccount("ENTERPRISE\T.Simpson")
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl \\fs1\shared\sales


Note that “PurgeAccessRules” doesn’t work with a string user name; it works only with SIDs. Therefore, we used the “Ntaccount” class to convert the user account name from a string into a SID. Also note that “PurgeAccessRules” works only with explicit permissions; it does not purge inherited ones.

Disable or Enable Permissions Inheritance

To manage inheritance, we use the “SetAccessRuleProtection” method. It has two parameters:

▪▪ The first parameter is responsible for blocking inheritance from the parent folder. It has two states: “$true” and “$false”.

▪▪ The second parameter determines whether the current inherited permissions are retained or removed. It has the same two states: “$true” and “$false”.

Let’s disable inheritance for the “Sales” folder and delete all inherited permissions as well:

$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($true,$false)
$acl | Set-Acl \\fs1\shared\sales

Now we have only one access permission left (because it was added explicitly); all inherited permissions were removed.

Let’s revert this change and enable inheritance for the folder “Sales” again:

$acl = Get-Acl \\fs1\shared\sales
$acl.SetAccessRuleProtection($false,$true)
$acl | Set-Acl \\fs1\shared\sales

Change File and Folder Ownership

If you want to set an owner for a folder, you need to run the “SetOwner” method. Let’s make “ENTERPRISE\J.Carter” the owner of the “Sales” folder:

$acl = Get-Acl \\fs1\shared\sales
$object = New-Object System.Security.Principal.NTAccount("ENTERPRISE\J.Carter")
$acl.SetOwner($object)
$acl | Set-Acl \\fs1\shared\sales

Notice that we again used the “Ntaccount” class to convert the user account name from a string into a SID.

Note that the “SetOwner” method does not enable you to change the owner to any account you want; the account must have the “Take Ownership”, “Read” and “Change Permissions” rights.

As you can see, it is very easy to manage NTFS permissions with PowerShell. But don’t forget to audit NTFS permissions as well — it’s critical for security to track all changes made to your file servers in order to reduce data leakage and combat the insider threat and other IT security risks.
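PurgeAccessRules and SetAccessRuleProtection($true,$false) are both destructive, and the article points out the two surprises they hold: the purge leaves inherited entries untouched, and disabling inheritance with the second argument set to $false leaves a single explicit entry behind. The following PowerShell is an added example, not code from the magazine, that wraps both operations in the checks a file server administrator would want first: it lists an identity’s explicit and inherited entries separately so the purge’s effect is predictable, refuses to purge when there is nothing explicit to remove, and disables inheritance with the second argument set to $true by default, which copies the inherited entries in as explicit ones rather than dropping them. The path and account are the article’s placeholder values; the function names are this example’s own.

```powershell
# Added example (not code from the magazine). Safer wrappers around
# PurgeAccessRules and SetAccessRuleProtection. \\fs1\shared\sales and
# ENTERPRISE\T.Simpson are the article's placeholder values; the function
# names are this example's own.

function Get-IdentityAce {
    # Shows one identity's ACEs split into explicit and inherited, because
    # PurgeAccessRules removes only the explicit ones.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object @{ Name = 'Source'; Expression = { if ($_.IsInherited) { 'inherited' } else { 'explicit' } } },
            AccessControlType,
            @{ Name = 'Rights'; Expression = { $_.FileSystemRights } }
}

function Remove-IdentityExplicitAce {
    # Purges every explicit Allow and Deny ACE for one identity and returns how
    # many were removed. PurgeAccessRules accepts any IdentityReference: an
    # NTAccount as here, or a SecurityIdentifier if you already hold the SID.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    $acl = Get-Acl -Path $Path
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    if ($explicit.Count -eq 0) {
        Write-Warning "$Identity has no explicit ACEs on $Path; inherited ones must be changed on the parent"
        return 0
    }
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $acl.PurgeAccessRules($account)
    Set-Acl -Path $Path -AclObject $acl
    return $explicit.Count
}

function Disable-AclInheritance {
    # Stops inheritance from the parent folder. With $PreserveInherited (the
    # default) the inherited ACEs are copied in as explicit ones, so effective
    # access is unchanged until you remove what is not needed. Passing $false,
    # as the article's first example does, drops them and can leave the folder
    # reachable only through whatever explicit ACE remains.
    param(
        [Parameter(Mandatory)][string]$Path,
        [bool]$PreserveInherited = $true
    )
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $PreserveInherited)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (constructed values): inspect, purge, then protect the folder safely.
Get-IdentityAce -Path '\\fs1\shared\sales' -Identity 'ENTERPRISE\T.Simpson' | Format-Table -AutoSize
$removed = Remove-IdentityExplicitAce -Path '\\fs1\shared\sales' -Identity 'ENTERPRISE\T.Simpson'
"Removed $removed explicit ACE(s)"
Disable-AclInheritance -Path '\\fs1\shared\sales'
```

After Disable-AclInheritance the folder carries explicit copies of everything it used to inherit, so the next step is to review that list with Get-IdentityAce or Get-Acl and delete only the entries that should not apply below this point, rather than rebuilding the ACL from a single entry.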


Manage SharePoint Permissions Like a Pro

Liam Cleary
Security expert, Microsoft MVP

As an IT or SharePoint administrator, you have to manage the security of your farm, including properly provisioning the service accounts and end users that require access to SharePoint. Here, we explore how permissions in SharePoint work and best practices for using them to maximize SharePoint security and adoption.

Understanding SharePoint authentication and authorization

Access control relies on authentication (verifying that the user is who they claim to be) and authorization (determining what the user should have access to). SharePoint performs the authorization, but it does not perform any authentication; it relies on the underlying Internet Information Services (IIS) and authentication providers to handle that.

Since SharePoint 2010, the standard authentication has been claims-based authentication. There are different types of claims-based authentication; the industry standards are WS-Federation, Security Assertion Markup Language (SAML) and OAuth. However, Microsoft baked into SharePoint a claims engine, the Security Token Service (STS), which can understand many different authentication approaches. Out of the box, SharePoint supports standard Windows Authentication (NTLM, Basic and Kerberos), Forms Based Authentication (FBA) and SAML.

Entities that can be granted permissions

Authorization in SharePoint is controlled by permissions assigned to the following entities:

• Active Directory groups
• Roles provided by Forms Based Authentication
• SAML attributes
• SharePoint groups
• A specific user (though best practices recommend not assigning permissions at this level in SharePoint)

Objects that permissions can be granted for

SharePoint supports permissions for many kinds of objects:

• Farm
• Service application
• Web application
• Site collection
• Site

• List
• Library
• Folder
• Item

For all of these objects, you can assign permissions to the entities listed in the previous section, such as SharePoint security groups, roles, attributes or specific users. (As noted earlier, however, the best practice is to use security groups or roles for assigning user permissions instead of adding permissions directly to a user account.)

The permission assignments for an object determine whether access to it is granted or blocked. A typical SharePoint user would not, for example, have access at the farm, service application or even web application level; instead, they would be granted permissions to data at the site collection level or lower using the corresponding SharePoint permission groups.

Note that best practices also recommend avoiding assigning SharePoint item-level permissions as much as possible because it complicates management and can lead to security oversights. Often, you can simply group items in SharePoint lists, document libraries or folders that are assigned the required permissions. However, sometimes item-level permissions can be required to meet specific needs, especially in the absence of a third-party rights management solution. If custom item-level permissions are the only option to meet the business need, then administrators should limit their use to particular locations and create a strict workflow around it, documenting and reviewing when item-level permissions were granted or changed and who did it.

How to assign and edit SharePoint permissions

The ability to manage permissions to SharePoint resources is primarily limited to members of the Site Collection Administrators (who can manage the root site and all its subsites) and Site Owners groups (who can manage specific subsites). However, any end user can edit permissions to the content and locations that they own.

To modify the permissions for a site collection or site, the Site Collection Administrators or Site Owners should choose “Site Settings” and edit the SharePoint permissions; lower-level permissions, such as permissions to document libraries or lists, are accessible within the settings pages for those specific securable objects.

Default permission levels

SharePoint uses permission levels to control access to objects. There are ten default permission levels:

• Full Control
• Contribute
• Read
• Design
• Edit
• Limited Access
• Approve
• Manage Hierarchy
• Restricted Read
• View Only

Each permission level is a container for individual permissions. For example:

• The Read permission level includes these permissions: Open, View, Versions, Page, Application Pages, User Information, Create Alerts, Self-Service Site Creation, Remote Interfaces and Use Client Integration Features.

• The Contribute permission level includes all the permissions in the Read level plus View, Add, Update, Delete, Versions, Browse Directories, Edit User Information, Manage Personal Views, Add, Update or Remove Web Parts.

• The Full Control permission level includes all the sub-permissions for Read and Contribute, plus extras.

Normally, end users are assigned Contribute access to the private sites they actively use and View Only access to everything else.

Custom permission levels

SharePoint does not include every permission level an organization might require, so it enables you to customize the permission levels and create new ones, either from scratch or by cloning an existing permission level and making permission changes. Having tailored, granular permission sets enables you to better control what end users can do without all the complications and risks of assigning permissions directly to individual users.

Customizing an existing permission level

Navigate to the “Site Settings” page, click on “Site Permissions” and then click on the “Permission Levels” menu. To customize an existing permission level, click its name on the “Permission Levels” page. On the “Edit Permission Level” page, change the description and add or remove permissions as you require.

Creating a new custom permission level from scratch

To create a new custom permission level, you must be logged in as a SharePoint Farm Administrator, Site Collection Administrator or Site Owner. Navigate to the “Site Settings” page and click on “Site Permissions”. Next, click on the “Permission Levels” menu item. On the “Add a Permission Level” page, enter the name of the new permission level and a description. Then select the check boxes next to the list, site and personal permissions that you want the new permission level to include. Last, click “Create”.
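The procedure just described creates a level from scratch, and the one that follows clones an existing level; both are click paths through Site Settings. On a SharePoint Server farm the same work can be scripted with the server object model, which matters when one custom level has to exist identically in many site collections. The following PowerShell is an added example, not code from the article: New-PermissionLevel builds a level from a list of SPBasePermissions names, and Copy-PermissionLevel clones an existing level and strips chosen permissions from the copy. It assumes the SharePoint Management Shell (the Microsoft.SharePoint.PowerShell snap-in) on a farm server, an account with shell-admin rights, and a URL that points at the root web of a site collection, since permission levels are defined there; the URL, level names and function names are placeholders of this example.

```powershell
# Added example (not code from the article). Creates or clones SharePoint
# permission levels with the server object model. http://intranet/sites/finance
# and the level names are placeholders; run in the SharePoint Management Shell
# against the root web of a site collection.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleDefinitionByName {
    # Looks a level up by name without relying on indexer exceptions.
    param([Microsoft.SharePoint.SPWeb]$Web, [string]$Name)
    $Web.RoleDefinitions | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
}

function New-PermissionLevel {
    # "Add a Permission Level" from scratch. $Permissions takes SPBasePermissions
    # names, e.g. 'ViewListItems, OpenItems, ViewVersions, ViewPages, Open'.
    param(
        [Parameter(Mandatory)][string]$RootWebUrl,
        [Parameter(Mandatory)][string]$Name,
        [string]$Description = '',
        [Parameter(Mandatory)][Microsoft.SharePoint.SPBasePermissions]$Permissions
    )
    $web = Get-SPWeb $RootWebUrl
    try {
        if (Get-RoleDefinitionByName -Web $web -Name $Name) {
            throw "Permission level '$Name' already exists on $RootWebUrl"
        }
        $level = New-Object Microsoft.SharePoint.SPRoleDefinition
        $level.Name = $Name
        $level.Description = $Description
        $level.BasePermissions = $Permissions
        $web.RoleDefinitions.Add($level)
        $web.Update()
        (Get-RoleDefinitionByName -Web $web -Name $Name).BasePermissions
    }
    finally { $web.Dispose() }
}

function Copy-PermissionLevel {
    # "Copy permission level": clone an existing level and remove the listed
    # permissions from the copy, e.g. Contribute without DeleteListItems and
    # DeleteVersions for editors who must not delete.
    param(
        [Parameter(Mandatory)][string]$RootWebUrl,
        [Parameter(Mandatory)][string]$SourceName,
        [Parameter(Mandatory)][string]$NewName,
        [Microsoft.SharePoint.SPBasePermissions[]]$Remove = @()
    )
    $web = Get-SPWeb $RootWebUrl
    try {
        $source = Get-RoleDefinitionByName -Web $web -Name $SourceName
        if (-not $source) { throw "Permission level '$SourceName' not found on $RootWebUrl" }
        if (Get-RoleDefinitionByName -Web $web -Name $NewName) {
            throw "Permission level '$NewName' already exists on $RootWebUrl"
        }
        # Copy constructor: the clone starts with the source's BasePermissions.
        $clone = New-Object Microsoft.SharePoint.SPRoleDefinition -ArgumentList $source
        $clone.Name = $NewName
        $clone.Description = "Copy of $SourceName"
        $mask = $clone.BasePermissions
        foreach ($p in $Remove) {
            # Clear the flag only if it is set, so the mask never gains bits.
            if ($mask.HasFlag($p)) { $mask = [Microsoft.SharePoint.SPBasePermissions]($mask -bxor $p) }
        }
        $clone.BasePermissions = $mask
        $web.RoleDefinitions.Add($clone)
        $web.Update()
        (Get-RoleDefinitionByName -Web $web -Name $NewName).BasePermissions
    }
    finally { $web.Dispose() }
}

# Usage (constructed values):
New-PermissionLevel -RootWebUrl 'http://intranet/sites/finance' -Name 'Read Items' `
    -Description 'Open and view items, nothing else' `
    -Permissions 'ViewListItems, OpenItems, ViewVersions, ViewPages, Open'
Copy-PermissionLevel -RootWebUrl 'http://intranet/sites/finance' -SourceName 'Contribute' `
    -NewName 'Contribute (no delete)' -Remove DeleteListItems, DeleteVersions
```

Both functions return the resulting BasePermissions mask so the result can be compared against what was intended; a level that was meant to be read-only but prints AddListItems or DeleteListItems in that mask is caught before anyone is assigned to it.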


Creating a new custom permission level by cloning

To clone an existing permission level, go to the same “Permission Levels” page and then click on the permission level you want to clone. Then click the “Copy permission level” button, name the new permission level, modify it as needed, and then save it.

Understanding permission inheritance

The permission settings of an element in a site collection are passed on to the children of that element: Sites inherit permissions from the root site of the site collection, libraries inherit from the site that contains the library, and so on. Permission inheritance enables you to make a permission assignment once at a high level and have it flow through to lower levels.

As you can imagine, this model does not meet all security requirements. For example, multiple users might need access to a certain document library, but only a few of them should be able to read one of the documents in that library. Similarly, you also might need:

• Subsite permissions that differ from those for the parent site collection
• List or library permissions that vary from those of the parent site
• Folder permissions that differ from those of the parent library
• File permissions that are different from the parent library or folder

Breaking permission inheritance

Currently, the only way of achieving these goals is to break inheritance for the specific item. You edit user permissions as required, removing those permissions that are not necessary. This strategy is effective, but assigning unique permissions to specific user accounts creates management headaches and can introduce security gaps. Therefore,


you should avoid breaking inheritance whenever possible.

To break inheritance for a given object, select the object where you wish to break the inheritance, choose “Stop inheriting permissions” and then remove or add users or groups as needed.
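Every place where inheritance has been broken is a place that has to be reviewed by hand later, so it pays to be able to enumerate them. The following PowerShell is an added example, not code from the article, that walks a site collection with the server object model and reports every site, list and (optionally) item that has unique permissions, together with each principal assigned there and whether that principal is a SharePoint group, an Active Directory group, or a user granted permissions directly, the case the article advises against. It assumes the SharePoint Management Shell on a farm server; the site URL and the function names are placeholders of this example.

```powershell
# Added example (not code from the article). Reports every securable object in
# a site collection that has unique (non-inherited) permissions and who is
# assigned there. http://intranet/sites/finance is a placeholder URL.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PrincipalKind {
    # Distinguishes the entity types the article lists. An AD group is stored
    # as an SPUser with IsDomainGroup set, so it must be checked before "user".
    param([Microsoft.SharePoint.SPPrincipal]$Member)
    if ($Member -is [Microsoft.SharePoint.SPGroup]) { return 'SharePoint group' }
    if ($Member.IsDomainGroup) { return 'AD group' }
    return 'User (direct)'
}

function Get-ObjectUrl {
    # A readable location for a web, list or item.
    param($Object)
    if ($Object -is [Microsoft.SharePoint.SPWeb]) { return $Object.Url }
    if ($Object -is [Microsoft.SharePoint.SPList]) { return "$($Object.ParentWeb.Url)/$($Object.RootFolder.Url)" }
    return "$($Object.Web.Url)/$($Object.Url)"
}

function Get-UniquePermissionReport {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        # Item-level scanning touches every item in every list; use it for
        # targeted reviews rather than routine runs on large sites.
        [switch]$IncludeItems
    )
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                $objects = @($web) + @($web.Lists)
                if ($IncludeItems) {
                    foreach ($list in $web.Lists) { $objects += @($list.Items) }
                }
                foreach ($obj in $objects) {
                    # Objects that still inherit carry nothing to review here.
                    if (-not $obj.HasUniqueRoleAssignments) { continue }
                    $location = Get-ObjectUrl $obj
                    foreach ($ra in $obj.RoleAssignments) {
                        New-Object PSObject -Property ([ordered]@{
                            Location  = $location
                            Principal = $ra.Member.Name
                            Kind      = Get-PrincipalKind $ra.Member
                            Levels    = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
                        })
                    }
                }
            }
            finally { $web.Dispose() }
        }
    }
    finally { $site.Dispose() }
}

# Usage (constructed values): direct user grants and item-level breaks are the
# rows to review first.
Get-UniquePermissionReport -SiteUrl 'http://intranet/sites/finance' |
    Sort-Object Kind, Location | Format-Table -AutoSize
```

Run periodically and diffed against the previous output, the report turns the article’s “regular reviews” into something concrete: a new row with Kind set to User (direct), or a new Location deep inside a library, is exactly the change that should have gone through the documented workflow.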
Setting SharePoint permissions correctly and managing them effectively can make or break your Microsoft SharePoint investment: Too much restriction can lead to less adoption, but unlimited access can lead to a messy environment and security issues. Getting the right balance requires careful planning before SharePoint implementation, along with regular reviews and risk assessments thereafter to ensure the integrity and usefulness of the SharePoint farm.


How-to for IT Pro

How to Detect Users Who Have Direct Permissions on Your File Servers

1. Open the PowerShell ISE on your file server → Create a new script with the following code:

$search_folder = "\\share\path\"
$out_file = "C:\temp\directpermissionsexport.csv"
$out_error = "C:\temp\errors.csv"

$items = Get-ChildItem -Path $search_folder -Recurse

$found = @()
$errors = @()

ForEach ($item in $items) {
    try {
        $acl = Get-Acl $item.FullName
        ForEach ($entry in $acl.Access) {
            # Only explicit (non-inherited) entries are direct permissions.
            If (!$entry.IsInherited) {
                $found += New-Object -TypeName PSObject -Property ([ordered]@{
                    Folder      = $item.FullName
                    User        = $entry.IdentityReference
                    Control     = $entry.AccessControlType
                    Access      = $entry.FileSystemRights
                    Inheritance = $entry.IsInherited
                })
            }
        }
    }
    # The magazine's listing ends at the try block; the catch and the two
    # Export-Csv lines complete it so that $out_file and $out_error are written.
    catch {
        $errors += New-Object -TypeName PSObject -Property ([ordered]@{
            Folder = $item.FullName
            Error  = $_.Exception.Message
        })
    }
}

$found | Export-Csv -Path $out_file -NoTypeInformation
$errors | Export-Csv -Path $out_error -NoTypeInformation

2. Specify the parameters below and run the script:

• $search_folder: enter a path to a shared folder you want to inspect for direct permissions

• $out_file: enter a path to a file with results

• $out_error: enter a path to an error log file

3. Open the file produced by the script in MS Excel. The rows below are the sample output shown in the magazine:

Folder,"User","Control","Access","Inheritance"
\\fs1\shared\Finance,"ENTERPRISE\Finance","Allow","Write, ReadAndExecute, Synchronize","False"
\\fs1\shared\Finance,"ENTERPRISE\Production","Allow","Full Control","False"
\\fs1\shared\Finance,"ENTERPRISE\J.Carter","Allow","Full Control","False"
\\fs1\shared\Managers,"NT AUTHORITY\SYSTEM","Allow","FullControl","False"
\\fs1\shared\Managers,"BUILTIN\Administrators","Allow","FullControl","False"
\\fs1\shared\Managers,"ENTERPRISE\J.Carter","Allow","FullControl","False"
\\fs1\shared\Managers,"ENTERPRISE\Production","Allow","FullControl","False"


Free Tool of the Month: Effective Permissions Reporting Tool

This freeware tool helps you make sure that employees’ permissions correspond to their roles in your organization by showing who has permissions to what in Active Directory and file shares.

[On-Demand Webinar] 4 Handy PowerShell Commands for Managing the File System

Russell Smith
Data Security Expert, IT Consultant

Watch the technical session about managing file systems with PowerShell as Russell Smith shares commands that enable you to get a permissions report, audit permissions changes on a file server and find over-permissioned folders.

Copyright © Netwrix Corporation. All rights reserved.