I have a problem - To identify the permissions on shares in an image.
I created two shares on my desktop and gave read permissions on one folder to a user in the Active Directory and denied all permissions to another one. Now I was trying to figure out, if I get an image in which I need to identify who all had access to a shared resource, how can I achieve that? I fired up Encase v 4.22 (I've lost my 5.0 version dongle) and tried to see the permissions on the folder but could not find anything related to the permissions on shares. Then I tried showacls and dumpsec on my running OS (not on the image) but even they couldn't show the perms I had set. The thought I have in mind is to use TSK and investigate the $SII attribute in the $Secure file for the index to the security descriptor of the folder. Firstly, I dunno if that would yield the required result and secondly, it's a lil tricky way to do things. I am sure there must be an easy way to achieve this. Blame it on the heat in Delhi, I am not able to get any other idea regarding this. Could the permissions on the reg entries (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares) be the answer? Haven't tried that out yet.
Any help on this would be appreciated!
BTW, as u might have guessed the file system in use was NTFS but I would also like to know how this could be achieved in FAT as well.
Thanks,
Cinux
If you are looking at the registry
SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
enumerates shares, including any permissions assigned to those shares.
The settings for File Server functionality are stored in HKEY_LOCAL_MACHINE\Services\Smbserver
Subkey UseAuthentication REG_DWORD shows if authentication is enabled.
FAT does not have any permissions.
If the image were mounted you could use
Server Share Check from the W2K3 Server Resource Kit.
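For working from an image rather than a mounted system, here is an added example (not part of any post in this thread): Windows keeps each share's permissions as a REG_BINARY self-relative security descriptor in the Security subkey under the Shares key, and this sketch decodes the DACL from those bytes. It assumes the value data has already been exported from the image's SYSTEM hive; the sample descriptor and the SIDs in it are constructed.

```python
import struct

# Assumes sd = value data of ControlSet00N\Services\LanmanServer\Shares\Security\<share>
ACE_TYPES = {0: "ALLOW", 1: "DENY"}   # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
SHARE_RIGHTS = {0x001F01FF: "Full Control", 0x001301BF: "Change", 0x001200A9: "Read"}

def parse_sid(buf, off):
    """Render the binary SID at buf[off:] in S-R-A-S1-S2... form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_share_dacl(sd):
    """Return [(type, sid, rights)] for a self-relative descriptor, None for a NULL DACL."""
    if len(sd) < 20:
        raise ValueError("shorter than a security descriptor header")
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:            # SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if not control & 0x0004 or dacl_off == 0:       # SE_DACL_PRESENT
        return None                                 # NULL DACL: no restriction at share level
    if dacl_off + 8 > len(sd):
        raise ValueError("DACL offset outside the value")
    _, _, acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, end = dacl_off + 8, dacl_off + acl_size
    if end > len(sd):
        raise ValueError("ACL is truncated")
    aces = []
    for _i in range(ace_count):
        if pos + 8 > end:
            raise ValueError("ACE header runs past the ACL")
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("bad ACE size")
        if ace_type in ACE_TYPES:                   # other ACE types are skipped
            aces.append((ACE_TYPES[ace_type], parse_sid(sd, pos + 8), SHARE_RIGHTS.get(mask, hex(mask))))
        pos += ace_size
    return aces

# Constructed sample (not from a real system): deny-all for one domain user, Read for Everyone
def _sid(authority, *subs):
    return struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

_ACES = _ace(1, 0x001F01FF, _sid(5, 21, 1111111111, 2222222222, 3333333333, 1105)) + _ace(0, 0x001200A9, _sid(1, 0))
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + struct.pack("<BBHHH", 2, 0, 8 + len(_ACES), 2, 0) + _ACES
```

The SIDs it returns still have to be resolved against the domain or the image's SAM, since the descriptor stores no account names.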
Bithead,
I had already tried srvcheck and it had failed miserably even on a live system with shares. It didn't show me the perms I had added.
I tried shareenum and accesschk from Sysinternals as well and finally it was accesschk.exe which showed me the SID of the user in AD to whom I had denied all the perms… This on a live system… Now if I have an image and I need to do this, I was just wondering, if I extract the file onto my disk, won't it affect the permissions on the folder? Coz I've seen in a small expt that the share perms are lost as soon as you copy the shared folder to another location (even on the same NTFS drive…)
The question still remains
"How do I see the perms on a shared folder in the image"
If you are looking at the registry
SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
enumerates shares, including any permissions assigned to those shares.
I didn't find any entry which talks about the perms on shares within this key.
The settings for File Server functionality are stored in HKEY_LOCAL_MACHINE\Services\Smbserver
Funnily, I couldn't locate this entry… Am I getting too old?
Thanks for your suggestions though, Bithead….
Cinux
I had already tried srvcheck and it had failed miserably even on a live system with shares. It didn't show me the perms I had added.
You tested this on unhidden shares on a Windows machine and got nothing? Odd. What was your syntax?
Here's an example of what you should see:
C:\>srvcheck \\w2k3
\\w2k3\tsclient
        Everyone        Read
\\w2k3\HelpDesk
        Everyone        Read
\\w2k3\webdev
        W2K3\user1      Full Control
        Everyone        Read
I was just wondering, if I extract the file onto my disk, won't it affect the permissions on the folder?
If you extract them they will just show the pointer to the SID on the machine they were created on. Share permissions do not travel from one machine to another without REG changes. That is why I suggested mounting the image.
I didn't find any entry which talks about the perms on shares within this key.
Is this not a W2k, XP, or W2K3 machine?
Petri IT Knowledgebase
Bithead,
My syntax was right. I got the same kinda result as you got. The only problem is it shows the permissions of "everyone" but not of the users to whom I had given/revoked perms exclusively.
It is an XP machine.
Nevertheless, I got my answer with Encase and accesschk. Strange, the first time I loaded Encase, it did not show me the extra perms I had added to the shares… this time it did… strange… has anyone else experienced such behaviour from Encase?
Bithead, thanks a ton for your suggestions!
Cinux