PowerShell Scripts, Tips, Expert Advices, Forums, and Resources

PowerTip of the Day

Identifying Risky NTFS Permissions

Here is a quick and easy way to find NTFS permissions that are potentially dangerous. The script tests all folders in $pathsToCheck and reports any access control entry (ACE) that grants one of the filesystem rights whose bits are set in $dangerousBitsMask.

In the example, the script takes all paths found in your %PATH% environment variable. Anyone who can write to one of these folders can influence which executables are found when a command is run by name, so they should be protected by NTFS permissions that grant write access only to Administrators and the system.

Often, software installations add themselves to this environment variable without properly protecting the folders they add, which introduces security risk. The script below serves as a first triage to find out who holds potentially dangerous NTFS access rights on those folders. Answering the "why" is then up to you.

# list of paths to check for dangerous NTFS permissions
# (empty entries and folders that no longer exist are skipped)
$pathsToCheck = $env:Path -split ';' |
  Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# these are the bits to watch for (FileSystemRights, bit 20 down to bit 0):
# TakeOwnership, ChangePermissions, Delete, WriteAttributes,
# DeleteSubdirectoriesAndFiles, WriteExtendedAttributes,
# AppendData/CreateDirectories and WriteData/CreateFiles
# if *any* one of these is set, the folder is reported
$dangerousBitsMask = '011010000000101010110'
$dangerousBits = [Convert]::ToInt64($dangerousBitsMask, 2)

# check all paths...
$pathsToCheck |
ForEach-Object {
  $path = $_
  # ...get NTFS security descriptor...
  $acl = Get-Acl -LiteralPath $path
  # ...check for any "dangerous" access right
  $acl.Access |
  Where-Object { $_.AccessControlType -eq 'Allow' } |
  Where-Object { ($_.FileSystemRights -band $dangerousBits) -ne 0 } |
  ForEach-Object {
    # ...append path information, and display filesystem rights as a
    # 32-bit bitmask (FileSystemRights is a 32-bit flags enum)
    $ace = $_
    $bitmask = [Convert]::ToString([int]$ace.FileSystemRights, 2).PadLeft(32, '0')
    $ace |
    Add-Member -MemberType NoteProperty -Name Path -Value $path -PassThru |
    Add-Member -MemberType NoteProperty -Name Rights -Value $bitmask -PassThru
  }
} |
Sort-Object -Property IdentityReference |
Select-Object -Property IdentityReference, Path, Rights, FileSystemRights
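A follow-up to the script above, added here as an example and not part of the original tip: it decodes the dangerous bits of each ACE into right names (the raw bitmask column is hard to read during triage) and leaves out the principals the tip says should hold write access on these folders. The function Get-RiskyAce, the $trustedPrincipals list and the in-memory sample ACEs are assumptions made for this example; the bit values are the documented FileSystemRights flags.

```powershell
# Added example (not part of the original tip): name the dangerous rights an
# ACE grants, and skip the principals that are expected to have write access.

# the same write-type rights as the tip's $dangerousBitsMask, with their names
$dangerousRights = @(
    @{ Bit = 0x000002; Name = 'WriteData/CreateFiles' },
    @{ Bit = 0x000004; Name = 'AppendData/CreateDirectories' },
    @{ Bit = 0x000010; Name = 'WriteExtendedAttributes' },
    @{ Bit = 0x000040; Name = 'DeleteSubdirectoriesAndFiles' },
    @{ Bit = 0x000100; Name = 'WriteAttributes' },
    @{ Bit = 0x010000; Name = 'Delete' },
    @{ Bit = 0x040000; Name = 'ChangePermissions' },
    @{ Bit = 0x080000; Name = 'TakeOwnership' }
)
$dangerousBits = 0
foreach ($right in $dangerousRights) { $dangerousBits = $dangerousBits -bor $right.Bit }

# principals that may legitimately write to PATH folders
# (assumption: adjust to your environment, e.g. add 'NT SERVICE\TrustedInstaller')
$trustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-RiskyAce {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemAccessRule] $Ace,
        [string]   $Path = '<in-memory sample>',
        [string[]] $Trusted = $trustedPrincipals
    )
    # Deny entries never grant anything, and trusted principals are expected here
    if ($Ace.AccessControlType -ne 'Allow') { return }
    if ($Trusted -contains $Ace.IdentityReference.Value) { return }

    $granted = [int]$Ace.FileSystemRights -band $dangerousBits
    if ($granted -eq 0) { return }

    # translate every set dangerous bit into its name
    $names = foreach ($right in $dangerousRights) {
        if (($granted -band $right.Bit) -ne 0) { $right.Name }
    }

    New-Object -TypeName PSObject -Property @{
        IdentityReference = $Ace.IdentityReference.Value
        Path              = $Path
        DangerousRights   = $names -join ', '
        Inherited         = $Ace.IsInherited   # tells you whether the parent folder is the real cause
    } | Select-Object IdentityReference, Path, DangerousRights, Inherited
}

# constructed sample ACEs, built in memory so this part runs without touching any folder
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
$sampleAces = @(
    (New-Object -TypeName $ruleType -ArgumentList 'BUILTIN\Users', 'Modify', 'Allow'),
    (New-Object -TypeName $ruleType -ArgumentList 'BUILTIN\Administrators', 'FullControl', 'Allow'),
    (New-Object -TypeName $ruleType -ArgumentList 'Everyone', 'ReadAndExecute', 'Allow'),
    (New-Object -TypeName $ruleType -ArgumentList 'Everyone', 'Modify', 'Deny')
)
$sampleAces | ForEach-Object { Get-RiskyAce -Ace $_ } | Format-Table -AutoSize

# the real run over every folder on %PATH%, same scope as the tip
$env:Path -split ';' |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object {
        $path = $_
        (Get-Acl -LiteralPath $path).Access |
            ForEach-Object { Get-RiskyAce -Ace $_ -Path $path }
    } |
    Sort-Object -Property IdentityReference, Path |
    Format-Table -AutoSize
```

Of the four sample entries only the BUILTIN\Users rule is reported: Modify carries WriteData, AppendData, WriteExtendedAttributes, WriteAttributes and Delete, while the Administrators rule is filtered by $trustedPrincipals, ReadAndExecute sets none of the watched bits, and the Deny rule grants nothing. The Inherited column is worth keeping in the real run: an inherited ACE means the fix belongs on the parent folder, not on the PATH entry itself.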


Copyright 2012 PowerShell.com. All rights reserved.