Re: VBScript to audit shares and share permissions

From: `blah (agorachat_at_free.fr)
Date: 09/24/04

  • Next message: John Fleming: "RE: Fw: Serious Security Issue in Windows XP SP2's Firewall"
    To: "Jim Harrison (ISA)" <jmharr@microsoft.com>, "Klenke, Brian" <Brian.Klenke@53.com>, "wnorth" <wnorth@verizon.net>, <focus-ms@securityfocus.com>
    Date: Fri, 24 Sep 2004 02:56:34 +0200
    
    

    Hi,

    You can also use SRVCHECK tool included in Windows Server Resources Kit.

    A simple script will allow you to scan all your network.

    More info:
    http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/srvcheck.asp

    The bad side is that, by myself, I could see that sometime it seems not to
    see all shares. Don't know if I'm alone to have this problem.

    But usually, it lists most of shares with Group/user access and type of
    access.

    Rgds,

    Jesse ADAM.

    ----- Original Message -----
    From: "Jim Harrison (ISA)" <jmharr@microsoft.com>
    To: "Klenke, Brian" <Brian.Klenke@53.com>; "wnorth" <wnorth@verizon.net>;
    <focus-ms@securityfocus.com>
    Sent: Thursday, September 23, 2004 6:55 AM
    Subject: RE: VBScript to audit shares and share permissions

    http://isatools.org/isainfo/isainfo.hta includes code to enumerate
    shares on the local machine, share permissions, the shared folder and
    its permissions as well.
    The HTA only scans an ISA 2004 server (surprised?), but you can C&P from
    it to your heart's desire.
    There are several functions / pseudo-classes involved since its part of
    an overall server data-gathering tool, but you should be able to
    identify the relevant parts.

    I know it's not VBScript, but it does include what you're asking for...

    Jim Harrison
    MCP(NT4/2K), A+, Network+
    Security Business Unit (ISA SE)

    "The the last 10 years of Internet usage has disproven
    the theory that a million monkeys typing on a million
    typewriters would eventually produce the complete
    works of Shakespeare. ..or maybe it only works for
    typewriters..."
    (unclaimed)

    -----Original Message-----
    From: Klenke, Brian [mailto:Brian.Klenke@53.com]
    Sent: Tuesday, September 21, 2004 11:22 AM
    To: 'wnorth'; focus-ms@securityfocus.com
    Subject: RE: VBScript to audit shares and share permissions

    Wes/Lucas

    Thanks for both of your responses.

    Wes, in looking over the Perl Script, unless I am missing it, the code
    doesn't appear to list Share and Directory permissions for each share,
    which
    is really the thing that I'm after. If I missed the line(s) of code, I
    apologize in advance.

    Lucas, these shares aren't published in AD to my knowledge so I think
    I'm
    out of luck using your script.

    I need a good way to automate the process of checking a list of hosts
    for
    shares that allow Everyone access at the share level and Everyone access
    at
    file system level (and maybe some other permissions). I can get this
    info
    from Dumpsec, but one host at a time, and it's a manual process.

    I am also trying to avoid writing this myself, since I don't have,
    what's it
    called? Free time? :)

    I hope I can find a script or a package that will do this already (I've
    tried picking through various Nessus plugins and such).

    -----Original Message-----
    From: wnorth [mailto:wnorth@verizon.net]
    Sent: Monday, September 20, 2004 2:54 PM
    To: 'Klenke, Brian'; focus-ms@securityfocus.com
    Subject: RE: VBScript to audit shares and share permissions

    You can use a Perl script that produces the same output, and more
    (includes
    account enumeration etc.):

    http://www.roth.net/perl/scripts/scripts.asp?Null.pl

    -Wes

    >I am looking for a VBScript that will return a list of shares of a
    given
    computer, along with each share's share
    >permissions and NTFS permissions...
    >
    >Brian Klenke, CISSP CCNA

    ------------------------------------------------------------------------

    ---
    ------------------------------------------------------------------------
    ---
    This e-mail transmission contains information that is confidential and
    may be privileged.   It is intended only for the addressee(s) named
    above. If you receive this e-mail in error, please do not read, copy or
    disseminate it in any manner. If you are not the intended recipient, any
    disclosure, copying, distribution or use of the contents of this
    information is prohibited. Please reply to the message immediately by
    informing the sender that the message was misdirected. After replying,
    please erase it from your computer system. Your assistance in correcting
    this error is appreciated.
    ------------------------------------------------------------------------
    ---
    ------------------------------------------------------------------------
    ---
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------
    

  • Next message: John Fleming: "RE: Fw: Serious Security Issue in Windows XP SP2's Firewall"

    Relevant Pages

    • Re: removing user from domain users group doesnt help
      ... What I would do is to give that global group deny access this computer from ... only access shares on that server. ... give that group deny permissions for other shares on that server. ...
      (microsoft.public.windows.server.security)
    • Re: cant get access to disk share when connecting from a remote s
      ... > system is a PC that needs to read and write files on the 'DUT'. ... > the shares on the DUTs manually, after they run my rename script, but I ... > permissions on a server I would never have gone down this path. ...
      (microsoft.public.windows.server.scripting)
    • IIS & ASP security advice
      ... I have a user who has requested special permissions on my IIS 5.0 server. ... that they do but IIS does not allow this to happen unless an ASP script is ...
      (microsoft.public.inetserver.iis.security)
    • Re: Domain Controller Not Sharing, Workgroup Inaccessible - Please Help :)
      ... permissions). ... The server has stopped sharing properly. ... All shares are visible using a 'net share' command, ... I.e, under Explorer from a client, you can go to the ...
      (microsoft.public.windows.server.general)
    • Re: using a general browser as a form-based capture method
      ... You are saying we find a simple web server which gets messages ... permissions ... possible to write to the local file system without modifying the user's ... either saved to a local file, or script support will be ...
      (comp.lang.javascript)