What server account needs to be used for NTFS permissions view and export

    Aloha,

    I regularly view and export NTFS permissions from various server and NetApp shared folders using Hyena so that we can audit shared folder access, and it works fine using a Domain Admin account. However, I am not a Domain Admin, and I normally have to borrow the account temporarily, which is very risky since I could also use the DA account to make changes to Active Directory and servers.

    I am wondering what type of account Hyena needs to use to just view and export NTFS permissions from a domain, and if there is a lesser type of account I could use to runas Hyena from my PC, such as a shared local admin server account, or something similar.

    Once I hear back, I will work with my server team to see if they can implement a lesser account on the servers, so that I don't have to use the DA account anymore going forward.

    Thank you,
    Mike Howard
    Information Security

  • #2
    Mike:

    This is a good question.

    For starters, you need to be able to access the information either through a share or a mapped drive letter. I assume you have a number of servers (and perhaps shares) that you need to scan the security for, so this might be the most troublesome part to get to work. A mapped drive is easy to understand, as this is how a typical user should access folders and files, and the admins would set up the share with the right access so that the user can connect to it. But if you are going through the Shares object for a server to get to the directories/files, then Hyena has to issue a function call named "NetShareEnum" to get the list of shares that you see. We use a level on this function that according to Microsoft's documentation requires that you be either a local administrator, Server Operator, Print Operator, or Power User (i.e., belong to one of these groups) on the server. A domain admin is a member of the local administrators group, so this is why you can get a list of all of the shares.

    Note also that if you are accessing the files through an admin share (i.e., C$, D$, etc.), then you need to be an administrator, so if you are not an admin, then there might need to be some special shares set up in order for you to just get to the files. Of course, to see the files/directories, you also need the NTFS security rights to do this, but that is just standard security limitations.

    Finally, to get the security information for a file/directory, Hyena uses the GetFileSecurity API function. The documentation states that you must have READ access to the file in order to get the security information. It seemed to me that more rights would have been required, but this is what the docs say.

    Give this information to your admins, and let me know if anything does not make sense. I would start with just running Hyena as a standard domain user and build security up from there perhaps to see what a "non-admin" would / can see.
    Kevin Stanush
    SystemTools Software Inc.

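One way to put the advice above into practice, as an added example that is not Hyena's or SystemTools' code: a PowerShell script that exports NTFS ACLs from explicitly named UNC paths while running under a low-privilege audit account. Because the paths are given explicitly, no share enumeration (NetShareEnum at a privileged level) is needed, and reading each security descriptor only needs read-permissions rights on the item, which is what Get-Acl relies on. The server names, share names, output path and the audit account's rights are assumptions and placeholders for your own environment; the script also refuses to run if the current token carries the Domain Admins group (RID 512), since that is exactly the account the original poster wants to stop using.

```powershell
<#
  Added example (not Hyena's code): export NTFS ACLs from explicit UNC paths
  as a non-admin audit account and record which folders it could not read,
  so the server team can grant Read on those rather than handing out DA.
  Assumed: the audit account has at least Read on the target folders.
#>
param(
    # Placeholder servers/shares; replace with the folders you audit.
    [string[]]$Paths  = @('\\FILESERVER01\Finance', '\\NETAPP01\Shared'),
    [string]$OutCsv   = "$env:USERPROFILE\ntfs-acl-export.csv",
    [string]$DeniedTxt = "$env:USERPROFILE\ntfs-acl-denied.txt",
    [int]$Depth       = 3
)

function Test-DomainAdminToken {
    # Domain Admins is always RID 512 in the domain SID; check the token's groups.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($id.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' })
}

function Export-NtfsAcl {
    param([string[]]$Paths, [int]$Depth)
    $rows   = New-Object System.Collections.Generic.List[object]
    $denied = New-Object System.Collections.Generic.List[string]

    foreach ($root in $Paths) {
        # Explicit path: no share enumeration, so no admin/Server Operator requirement.
        try {
            $items = @(Get-Item -LiteralPath $root -ErrorAction Stop)
        } catch {
            $denied.Add($root); continue
        }
        # Directory listing needs List Folder Contents; access-denied folders are collected.
        $listErr = @()
        $items += Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth $Depth `
                    -ErrorAction SilentlyContinue -ErrorVariable listErr
        foreach ($e in $listErr) { $denied.Add([string]$e.TargetObject) }

        foreach ($item in $items) {
            try {
                # Reads the security descriptor; needs Read Permissions on the item, not admin.
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            } catch {
                $denied.Add($item.FullName); continue
            }
            foreach ($ace in $acl.Access) {
                $rows.Add([pscustomobject]@{
                    Path      = $item.FullName
                    Owner     = $acl.Owner
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Type      = $ace.AccessControlType.ToString()
                    Inherited = $ace.IsInherited
                    AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                })
            }
        }
    }
    return [pscustomobject]@{ Rows = $rows; Denied = $denied }
}

if (Test-DomainAdminToken) {
    Write-Error 'Running with a Domain Admins token; re-run under the audit account.'
    exit 1
}

$result = Export-NtfsAcl -Paths $Paths -Depth $Depth
$result.Rows   | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
$result.Denied | Set-Content -LiteralPath $DeniedTxt -Encoding UTF8
Write-Host ("Exported {0} ACEs to {1}; {2} paths denied (see {3})" -f `
    $result.Rows.Count, $OutCsv, $result.Denied.Count, $DeniedTxt)
```

Run it as the audit account (for example via `runas /user:DOMAIN\svc-aclaudit powershell.exe`, a placeholder account name) and hand the denied-paths file to the server team: each entry is a folder where the account still lacks Read, which is the minimum grant the export needs. If the share list itself is also required, note that Microsoft's NetShareEnum documentation only imposes the Administrators / Server Operators / Print Operators / Power Users requirement for information levels 2 and 502; levels 0 and 1, which is what a plain `net view \\SERVER` uses, return share names without that membership.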


    • #3
      Thank you for the info

      Thank you very much for the account info. I think this is exactly what I need to give to our server administrators to see what they can set up for me, so that I can view shared folder NTFS permissions without using a Domain Admin account. Thanks for the prompt reply!
