Directory Scan With ListUserWriteableDirectories

My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

ListUserWriteableDirectories is powerful: by using SetACL for the actual scanning, it inherits SetACL’s cool features that make it possible to bypass permissions and scan every directory in the filesystem.

ListUserWriteableDirectories is flexible: it has a configurable list of directories to exclude. It also has a list of users and groups that are considered safe and should be ignored in the scan. A third list specifies which write (or otherwise insecure) permissions to include in the report.

ListUserWriteableDirectories recursively traverses the filesystem. For every directory that is not excluded, it examines the access control entries (ACEs) looking for any of the configured insecure permissions. If an ACE’s permission matches, it checks the known-safe user/group exclusions. Any remaining ACEs are deemed insecure and included in the output.

ListUserWriteableDirectories checks for all kinds of insecure permissions, not just write access: full, change, write, write_owner, write_dacl, write_ea, write_attr, add_file.

How to Scan the Filesystem With ListUserWriteableDirectories

To recursively scan C:\ with ListUserWriteableDirectories and list directories with insecure permissions run the following command:

    ListUserWriteableDirectories.ps1 -SetACLPath 'D:\Tools\SetACL\SetACL.exe' -ScanDirectory C:\ -IncludeInherited

(adjust the path to SetACL.exe as needed)
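
The decision logic described above (directory exclusions, then the permission match, then the known-safe user/group check), as an added example that is not the script's own code. It reads ACLs with the built-in Get-Acl cmdlet rather than SetACL, and the function names and the contents of the three lists are assumptions.

```powershell
# Added example, not the ListUserWriteableDirectories source. Get-Acl cannot bypass
# permissions the way SetACL can, so directories the caller cannot read are skipped.
$ExcludeDirs    = @('C:\Windows\Temp')                                # assumed list
$SafeIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')   # assumed list

# full, change, write, write_ea, write_attr and add_file each contain at least one
# bit of Write; write_owner and write_dacl are TakeOwnership and ChangePermissions.
$fsr          = [System.Security.AccessControl.FileSystemRights]
$InsecureMask = [int]($fsr::Write -bor $fsr::TakeOwnership -bor $fsr::ChangePermissions)
$GenericMask  = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, used by some inherit-only ACEs

function Test-InsecureAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }   # Deny ACEs grant nothing
    $rights = [int]$Ace.FileSystemRights
    if (($rights -band ($InsecureMask -bor $GenericMask)) -eq 0) { return $false }
    # The permission matched, so apply the known-safe user/group exclusions.
    return ($SafeIdentities -notcontains $Ace.IdentityReference.Value)
}

function Test-ExcludedDirectory {
    param([string]$Path)
    $probe = $Path.TrimEnd('\') + '\'
    foreach ($ex in $ExcludeDirs) {   # an excluded directory also excludes its subtree
        if ($probe.StartsWith($ex.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-InsecureDirectory {
    param([Parameter(Mandatory)][string]$ScanDirectory)
    $dirs = @(Get-Item -LiteralPath $ScanDirectory) +
            @(Get-ChildItem -LiteralPath $ScanDirectory -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        if (Test-ExcludedDirectory $dir.FullName) { continue }
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if (Test-InsecureAce $ace) {
                [pscustomobject]@{ Directory = $dir.FullName; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Constructed ACEs, run through the filter without touching the filesystem.
@(@('BUILTIN\Users', 'Modify'), @('BUILTIN\Users', 'ReadAndExecute'), @('NT AUTHORITY\SYSTEM', 'FullControl')) |
    ForEach-Object { Test-InsecureAce (New-Object System.Security.AccessControl.FileSystemAccessRule($_[0], $_[1], 'Allow')) }
```

To scan a real tree, call `Find-InsecureDirectory -ScanDirectory C:\` from an elevated prompt. Identity names are matched as strings, so on a localized Windows installation the safe list needs the localized group names.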