Information Systems Auditing

A collection of links, documents, and thoughts of a State IS auditor.

Auditing Folder (and subfolder) Permissions using CACLS

CACLS.exe is a great built-in Windows utility that lists the permissions on a file or folder. This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user. The finding we would be looking for when examining the results is improper access to the “private” shares by other Domain users.

For CACLS options and how to interpret the results see this site.

The command that I run is as follows:
c:\>for /f "delims=" %a in ('dir /b') do @cacls "%a" >> savefile.txt

Once the results are obtained, they need to be parsed so they can be analyzed. I have written a Perl script that adds the correct folder name to each permission, so that the rows can be sorted by permission in your spreadsheet application of choice.


#!/usr/bin/perl
use strict;
use warnings;

my $numArgs = $#ARGV + 1;
if ($numArgs < 2) {
  print "Invalid Number of Arguments\n";
  print "caclsparse.pl <filename> <foldername>\n\n";
  print "foldername example:  D:\\\\Share\n";
  print "You need to escape the backslash twice.\n";
  exit;
}

#open the file (three-argument open, so the name is never treated as a mode or pipe)
my $infile = $ARGV[0];
open(my $dat, '<', $infile) || die("Could not open $infile: $!\n");

#save file contents into an array
my @raw_data = <$dat>;
close($dat);

#Cycle through the entire array
for (my $count = 0; $count <= $#raw_data; $count++) {

  #pull folder name, split it, and print it
  #the first record in each grouping is the only record with the folder name
  if ($raw_data[$count] =~ /($ARGV[1])/) {
    #the indent of the line below marks the column where the permissions start
    my $next = $count < $#raw_data ? $raw_data[$count + 1] : "";
    my $x = 0;
    while (substr($next, $x, 1) eq " ") {
      $x++;
    }

    #a folder with a single entry has no indented line below it to measure,
    #so print the line whole and leave the split to the analyst
    if ($x == 0) {
      chomp(my $line = $raw_data[$count]);
      print "$line,\n";
      next;
    }

    my $folder = substr($raw_data[$count], 0, $x - 1);
    my $permissions = substr($raw_data[$count], $x);
    $permissions =~ s/^\s+//;
    $permissions =~ s/\s+$//;
    print "$folder,$permissions\n";

    #cycle through the permissions listed below the folder name
    for (my $c = $count + 1; $c <= $#raw_data; $c++) {

      #print until you get to the next folder item
      if ($raw_data[$c] =~ /($ARGV[1])/) { last; }

      #clear all whitespace
      $permissions = $raw_data[$c];
      $permissions =~ s/^\s+//;
      $permissions =~ s/\s+$//;

      #blank separator lines carry no permission
      next if $permissions eq "";
      print "$folder,$permissions\n";
    }
  }
}

Save the code and run it as follows:

$ perl caclsparse.pl savefile.txt D:\\Share >> parseresults.csv

NOTE: I run it from Linux, but ActivePerl for Windows will work as well. Installing Perl is outside the scope of this posting.

Open parseresults.csv in Excel/OO Calc/Gnumeric and begin analyzing the results!
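The finding described at the top of this post (other Domain users holding access to a “private” share) can also be pulled out of parseresults.csv with a second script. The following is an added example, not part of the original script. It assumes each private folder is named after its owner's account; the approved trustee list, the EXAMPLE domain and the sample rows are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example: list entries on "private" shares that belong to anyone
# other than the folder's owner or an approved administrative trustee.
use strict;
use warnings;

# ASSUMPTION: trustees expected on every private folder (edit to suit).
my %approved = map { lc($_) => 1 }
  ('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER');

sub findings {
  my @rows = @_;
  my @out;
  for my $row (@rows) {
    chomp $row;
    # parseresults.csv rows are "folder,trustee:rights"
    my ($folder, $ace) = split /,/, $row, 2;
    # rows without a "trustee:" part (blank or special-access detail) are skipped
    next unless defined $ace && $ace =~ /^(.+?):(.*)$/;
    my ($trustee, $rights) = ($1, $2);
    next if $approved{lc $trustee};
    # ASSUMPTION: the last path component is the owner's account name
    my ($owner)   = $folder  =~ /([^\\]+)$/;
    my ($account) = $trustee =~ /([^\\]+)$/;   # drop the DOMAIN\ prefix
    next unless defined $owner && defined $account;
    # Windows account names are case-insensitive
    next if lc $account eq lc $owner;
    push @out, "$folder,$trustee,$rights";
  }
  return @out;
}

# Constructed sample rows (not real audit data), used when no file is given.
my @sample = (
  'D:\Share\alice,BUILTIN\Administrators:(OI)(CI)F',
  'D:\Share\alice,EXAMPLE\alice:(OI)(CI)C',
  'D:\Share\bob,EXAMPLE\bob:(OI)(CI)C',
  'D:\Share\bob,EXAMPLE\alice:(OI)(CI)R',
  'D:\Share\carol,Everyone:(OI)(CI)R',
  'D:\Share\carol,',
);
print "$_\n" for findings(@ARGV ? <> : @sample);
```

Run it with parseresults.csv as the only argument to check real results. Group entries are reported as well, so each one needs a membership review before it is written up.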

Written by admin

March 6th, 2009 at 7:13 am
