Latest posts by Timothy Warner (see all)
- XIA Configuration - Easy network inventory and documentation solution - Wed, Nov 29 2017
- Backup AWS EC2 instances with NAKIVO Backup & Replication - Mon, Nov 27 2017
- Move an Azure VM to a different virtual network (vNet) - Fri, Nov 24 2017
Here's the situation: your organization needs to certify with an international security compliance standard, and you're frustrated with the Windows Server built-in tools for analyzing NTFS effective permissions and determining resource ownership.
For example, the Effective Access tab in Windows Server requires quite a bit of navigation even to get to:
- right-click a folder and select Properties
- navigate to the Security tab and click Advanced
- navigate to the Effective Access tab and select a user
- select a device and click View effective access
Whew--that's a lot of work. Windows doesn't let you easily print those results, and you're in for a lot of clicking if you need to review dozens of folders.
To that end, the Germany-based independent software vendor (ISV) G-TAC Software saw this situation as an opportunity to develop an easy-to-use front end for inspecting and reporting on NTFS permissions. Their product is FolderSecurityViewer, and I'd like to show it to you now.
Installation and configuration ^
G-TAC offers a 14-day trial version that, sadly, is feature-limited. It took me all of 20 seconds to install FolderSecurityViewer on one of my Windows Server virtual machines. Supported Windows versions are Windows 7 through Windows 10, and Windows Server 2008 through Windows Server 2012. The software worked fine for me on Windows Server 2016.
Here are the other installation requirements:
- You must run the software as an administrator.
- File servers you wish to analyze must be members of an Active Directory Domain Services (AD DS) domain.
Specifically, FolderSecurityViewer is a Windows Presentation Foundation (WPF) desktop application that requires no external database connection. (G-TAC plans to add this functionality to the Company and Enterprise Editions later this year.) Note that you don't have to install the tool on all your file servers. You simply install FolderSecurityViewer on your administrative workstation and you can then analyze the shares of an unlimited number of servers.
That said, open the tool and click Settings to review customizable options. For example, the following screenshot shows that we can limit FolderSecurityViewer to a particular scan depth to enhance performance. You can also customize which Active Directory user properties to display in output.
Analyzing folder permissions ^
Use the Folders tree to find a folder you want to analyze. Next, right-click the object and select Trustees Report from the shortcut menu. I show you this in the next figure.
In FolderSecurityViewer nomenclature, trustees are Active Directory user accounts that appear on an object's NTFS discretionary access control list (DACL). In the example above, my Tim account has Full Control access to the AD-Scripts folder, and the user Pat Stroh has Read access.
If you want to see the folder's ACL from Windows' perspective, click Access Control List in the FolderSecurityViewer interface. The following figure shows all access control entries (ACEs), including AD groups and system identities.
NOTE: G-TAC chose the software's name FolderSecurityViewer intentionally. That is because you cannot modify NTFS permissions in any way. Instead, this is purely an analysis and reporting tool.
Now navigate to the Folder Report tab. This lists metadata statistics, including owner, file count, and size for the current folder as well as for nested subfolders. Here is that view:
In summary, you can use FolderSecurityViewer to scan folder hierarchies quickly to answer security-related questions such as:
- Do any users have access to these resources they shouldn't have access to in the first place?
- Which users have too many or too few permissions to a given resource?
- Where are there permission-inheritance conflicts that may prevent legitimate users from accessing resources?
Analyze resource owners ^
In FolderSecurityViewer, select a folder in the Folders view. Next, change the view to Users & Groups. Browse your Active Directory domain in the tree view and identify a user to inspect. Last, right-click the user and select Show Owner Report from the shortcut menu.
Being able to identify resource owners easily is valuable to Windows systems administrators because we can isolate the source of resource access problems. We can also find all the resources owned by, say, users the company no longer employs. You then have the information you need to take ownership of the resources and potentially reset NTFS permissions.
Compare folders ^
You can find permissions differences between a higher-level folder and a subfolder. With deeply nested folder hierarchies, this can save significant time. In FolderSecurityViewer, generate a trustee report for a parent folder.
The Differences button shows how many differences exist in subfolders. Double-click an entry in the Differences window to see the trustees of that child object. I show you this in the following screen capture.
In the above figure, the parent folder AD-Scripts has tim and pat as trustees. However, the nestedtemplates subfolder has only tim. Problem solved!
Export reports ^
To generate a report in Excel, CSV, or HTML format, click the Export button shown in the following figure.
You'll then be prompted to select a report output format and a subsequent action as shown here:
The following screenshot displays a typical report as seen in Microsoft Excel.
G-TAC sells FolderSecurityViewer in three editions:
- Standard: Installation on up to 2 computers, 500 AD user limit – 290 EUR
- Company: Unlimited installations, 3,000 AD user limit – 1,490 EUR
- Enterprise: Unlimited installations, unlimited AD users – 2,990 EUR
Check G-TAC's order page for more details. FolderSecurityViewer provides administrators with a dead-simple NTFS permissions analysis and reporting tool. The learning curve is short, and the impact is potentially high enough for you to warrant the license cost.