I have many European students and professional colleagues who are scrambling a bit to meet the European Union (EU) General Data Protection Regulation (GDPR) compliance requirements. Specifically, these Windows systems administrators need to:
- Gather all file shares exposed to their user populations
- Determine the owner of each file system resource on infrastructure servers
- Analyze folder access control lists (ACLs)
When you're pressed for time, you don't want to mess around with complicated client/server software. For this use case, G-TAC FolderSecurityViewer (FSV) may be a good option.
Download the free, fully functional 14-day demo by visiting the FolderSecurityViewer website. During the demo period, you have access to all the Company Edition features; after 14 days, the feature set degrades to that of the Free Edition.
I installed FSV on both a Windows Server 2016 file server and a Windows 10 domain-joined workstation. The product works on workgroup machines, but presents a warning dialog if it detects you are not in an Active Directory Domain Services (AD DS) domain environment.
FSV Company Edition allows you to use the built-in SQLite database or configure an external SQL Server database as your reporting back-end.
Let me show you the basic user interface (UI) in an annotated screenshot, and I'll give you the high-level tour before we dive into the feature set in more detail.
- A: Type a local or UNC path to audit a folder
- B: Right-click a folder to run various analyses
- C: Navigate between the four different report types
- D: Display multiple reports and switch between them
- E: View the folder's access control entries
- F: Display the folder's owner
- G: Enumerate subfolders with permissions and/or owner differences
- H: Retrieve a previously created report
- I: Set application preferences
- J: Launch interactive guided tour tutorials
Permissions and Folder Reports
To audit a folder, start by using the Folders or Servers navigation tabs and browsing to a local or remote folder. Yes, you can use UNC paths to connect to remote servers, which is a great convenience.
As you can see in the next screenshot, the context menu gives you the Permissions Report and Folder Report options.
The Permissions Report shows you the owner of the target folder, along with its access control list in its Access Control List pane. Click the Owner button to see the folder owner in a separate pane. Clicking the Save button (A in the following screenshot) makes this analysis visible from the Saved Reports button (labeled B). The main purpose of this report is to list the accounts that hold effective NTFS permissions on a folder, along with the AD group from which each right originated. Because FSV analyzes all nested groups and their members, it can produce a comprehensive overview of everyone who holds effective permissions, making it a one-stop solution for NTFS permissions analysis.
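To make the nested-group expansion concrete, here is a PowerShell sketch of the same idea. It is an added example, not FSV's own code. It assumes the ActiveDirectory module (RSAT) is installed; the function name and the UNC path are hypothetical placeholders.

```powershell
# Added example: list who effectively holds each ACE on a folder by expanding AD groups.
# Requires the ActiveDirectory module (RSAT). Function name and path are placeholders.
Import-Module ActiveDirectory

function Get-EffectiveAclHolder {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        try {
            # Resolve the ACE identity to a SID, then try to read it as an AD group.
            $sid   = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $group = Get-ADGroup -Identity $sid.Value -ErrorAction Stop
            # -Recursive flattens nested groups and returns only non-group members.
            $holders = @(Get-ADGroupMember -Identity $group -Recursive |
                Select-Object -ExpandProperty SamAccountName)
            if ($holders.Count -eq 0) { $holders = @('(empty group)') }
        }
        catch {
            # Not resolvable as an AD group (user, local or well-known principal,
            # or a failed lookup): report the ACE identity itself.
            $holders = @($ace.IdentityReference.Value)
        }
        foreach ($h in $holders) {
            [pscustomobject]@{
                Folder     = $Path
                Owner      = $acl.Owner
                Holder     = $h
                GrantedVia = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                Type       = $ace.AccessControlType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Placeholder path: replace with a folder you are authorized to audit.
Get-EffectiveAclHolder -Path '\\fileserver01\share\finance' |
    Sort-Object Holder | Format-Table -AutoSize
```

Deny entries appear with `Type` set to `Deny`; the output lists who each ACE applies to and does not compute the net result of overlapping Allow and Deny entries.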
I like the Folder Report a lot because I am often interested in knowing folder size, number of contained files, and so forth. The column headers are clickable, so you can perform ascending or descending sorts.
Owner and Share reports
To run an Owner report, first find a local or remote folder in the Folders tab. Next, navigate to the Users & Groups navigation tab, browse your Active Directory domain tree, and double-click a user account. FSV then shows you all file and folder resources owned by that particular user. Very cool!
Finally, the Share report enumerates all Server Message Block (SMB) shares on a Windows Server or Windows client device. In FSV, navigate to the Servers tab and double-click a visible or administrative share. You see all metadata concerning that shared folder, including its shared folder permissions.
Differences and Group Enumeration
As I mentioned, you use the Differences button in the FSV Permissions Report to view subfolders with different NTFS permissions. Double-click one of those entries and its analysis shows up on an additional tab.
The FSV tabbed interface makes it simple to "ping pong" between folder analyses. In the Access Control List pane, right-click a group entry and select Show Group Members to list the enclosed security principals. If the group has another nested group, you can right-click its icon and repeat the process. I show you a composite screenshot next.
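For a scripted cross-check of the Differences view, the following PowerShell sketch flags subfolders whose permissions or owner deviate from what they would inherit from the root. It is an added example, not FSV's own logic. The function name, the default scan depth, and the paths are assumptions.

```powershell
# Added example: flag subfolders with disabled inheritance, explicit ACEs,
# or an owner that differs from the root folder. Names and paths are placeholders.
function Get-AclDifference {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$Depth = 3   # assumed scan depth; raise it for deeper trees
    )

    $rootOwner = (Get-Acl -LiteralPath $Root).Owner

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # unreadable ACL: skip to the next folder

            # Explicit (non-inherited) ACEs were set directly on this folder.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

            $reasons = @()
            if ($acl.AreAccessRulesProtected) { $reasons += 'inheritance disabled' }
            if ($explicit.Count -gt 0)        { $reasons += "$($explicit.Count) explicit ACE(s)" }
            if ($acl.Owner -ne $rootOwner)    { $reasons += "owner is $($acl.Owner)" }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Folder      = $_.FullName
                    Differences = $reasons -join '; '
                    ExplicitFor = ($explicit.IdentityReference.Value | Sort-Object -Unique) -join ', '
                }
            }
        }
}

# Placeholder paths: replace with the share root you are auditing.
Get-AclDifference -Root 'D:\Shares\Finance' |
    Export-Csv -Path .\acl-differences.csv -NoTypeInformation
```

Folders that the scanning account cannot read are skipped silently, so run it with an account that has read access to the whole tree or treat missing folders as a finding of their own.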
Exporting reports
Generating these reports on the fly is all well and good. However, I'm sure you want to know what formats there are for data export. I'm glad you asked! In FSV, bring up the report you want to export. Next, click the Export button (labeled A in the next screenshot), and choose an output file. Options are Excel, CSV, or HTML. You then can open the output file directly, copy the file contents to the clipboard, or copy the file path to the clipboard.
Here is what my folder report looks like in Microsoft Edge running on Windows 10:
If you decide to purchase an FSV Company Edition license, you'll get your own foldersecurityviewer.com login where you can manage your product and licensing in a software-as-a-service (SaaS) manner. Your user dashboard includes an integrated changelog as shown in the next screenshot.
G-TAC sells FSV in two editions: Company, which has a 3000-object Active Directory user limit, and Enterprise, which is completely unlimited in functionality. Although your license management is handled in a SaaS manner, the license itself is perpetual and therefore never expires. Minor version upgrades are free as well.
If I were under pressure to document the NTFS permissions, resource owners, and file shares in my environment, and I didn't have the time or money for a more robust solution, I have little doubt I would purchase FolderSecurityViewer.