G-TAC Software developed FolderSecurityViewer, a lightweight Windows desktop application that makes analyzing and reporting on NTFS file and folder permissions a snap. The product is available as a free trial.
Latest posts by Timothy Warner (see all)

Here's the situation: your organization needs to certify with an international security compliance standard, and you're frustrated with the Windows Server built-in tools for analyzing NTFS effective permissions and determining resource ownership.

For example, the Effective Access tab in Windows Server requires quite a bit of navigation even to get to:

  • right-click a folder and select Properties
  • navigate to the Security tab and click Advanced
  • navigate to the Effective Access tab and select a user
  • select a device and click View effective access

Viewing effective access in Windows Server 2016

Whew--that's a lot of work. Windows doesn't let you easily print those results, and you're in for a lot of clicking if you need to review dozens of folders.

To that end, the Germany-based independent software vendor (ISV) G-TAC Software saw this situation as an opportunity to develop an easy-to-use front end for inspecting and reporting on NTFS permissions. Their product is FolderSecurityViewer, and I'd like to show it to you now.

Installation and configuration

G-TAC offers a 14-day trial version that, sadly, is feature-limited. It took me all of 20 seconds to install FolderSecurityViewer on one of my Windows Server virtual machines. Supported Windows versions are Windows 7 through Windows 10, and Windows Server 2008 through Windows Server 2012. The software worked fine for me on Windows Server 2016.

Here are the other installation requirements:

  • You must run the software as an administrator.
  • File servers you wish to analyze must be members of an Active Directory Domain Services (AD DS) domain.

Specifically, FolderSecurityViewer is a Windows Presentation Foundation (WPF) desktop application that requires no external database connection. (G-TAC plans to add this functionality to the Company and Enterprise Editions later this year.) Note that you don't have to install the tool on all your file servers. You simply install FolderSecurityViewer on your administrative workstation and you can then analyze the shares of an unlimited number of servers.

That said, open the tool and click Settings to review customizable options. For example, the following screenshot shows that we can limit FolderSecurityViewer to a particular scan depth to enhance performance. You can also customize which Active Directory user properties to display in output.

FolderSecurityViewer settings dialog

Analyzing folder permissions

Use the Folders tree to find a folder you want to analyze. Next, right-click the object and select Trustees Report from the shortcut menu. I show you this in the next figure.

Viewing folder trustees

In FolderSecurityViewer nomenclature, trustees are Active Directory user accounts that appear on an object's NTFS discretionary access control list (DACL). In the example above, my Tim account has Full Control access to the AD-Scripts folder, and the user Pat Stroh has Read access.

If you want to see the folder's ACL from Windows' perspective, click Access Control List in the FolderSecurityViewer interface. The following figure shows all access control entries (ACEs), including AD groups and system identities.

Viewing the Windows DACL

NOTE: G-TAC chose the software's name, FolderSecurityViewer, intentionally: you cannot modify NTFS permissions with it in any way. It is purely an analysis and reporting tool.

Now navigate to the Folder Report tab. This lists metadata statistics, including owner, file count, and size for the current folder as well as for nested subfolders. Here is that view:

FolderSecurityViewer folder report

In summary, you can use FolderSecurityViewer to scan folder hierarchies quickly to answer security-related questions such as:

  • Do any users have access to resources they shouldn't have in the first place?
  • Which users have too many or too few permissions to a given resource?
  • Where are there permission-inheritance conflicts that may prevent legitimate users from accessing resources?

Analyze resource owners

In FolderSecurityViewer, select a folder in the Folders view. Next, change the view to Users & Groups. Browse your Active Directory domain in the tree view and identify a user to inspect. Last, right-click the user and select Show Owner Report from the shortcut menu.

Viewing the owner report

Being able to identify resource owners easily is valuable to Windows systems administrators because we can isolate the source of resource access problems. We can also find all the resources owned by, say, users the company no longer employs. You then have the information you need to take ownership of the resources and potentially reset NTFS permissions.

Compare folders

You can find permissions differences between a higher-level folder and a subfolder. With deeply nested folder hierarchies, this can save significant time. In FolderSecurityViewer, generate a trustee report for a parent folder.

The Differences button shows how many differences exist in subfolders. Double-click an entry in the Differences window to see the trustees of that child object. I show you this in the following screen capture.

Comparing folder permissions

In the above figure, the parent folder AD-Scripts has tim and pat as trustees. However, the nestedtemplates subfolder has only tim. Problem solved!
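For comparison, the same parent-versus-subfolder check can be scripted with the built-in Get-Acl cmdlet. This is an added example, not part of FolderSecurityViewer or the original article; it compares access control entries as stored on each folder and does not resolve group membership into individual users the way the trustee report does. The function names and the share path are hypothetical.

```powershell
# Added example; read-only. Requires PowerShell 5.0+ (Get-ChildItem -Depth).
function Get-AceKey {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemSecurity]$Acl)
    # One comparable string per ACE: identity | Allow/Deny | rights
    $Acl.Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    } | Sort-Object -Unique
}

function Compare-FolderAcl {
    param(
        [Parameter(Mandatory)][string]$ParentPath,
        [int]$Depth = 2   # limit how deep the scan goes, for performance
    )
    $parentKeys = @(Get-AceKey -Acl (Get-Acl -LiteralPath $ParentPath -ErrorAction Stop))

    Get-ChildItem -LiteralPath $ParentPath -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            try {
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read ACL: $($dir.FullName)"
                return   # skip this folder, continue with the next one
            }
            $childKeys = @(Get-AceKey -Acl $acl)
            $missing = @($parentKeys | Where-Object { $_ -notin $childKeys })
            $extra   = @($childKeys  | Where-Object { $_ -notin $parentKeys })

            # Report folders whose ACEs differ or whose inheritance is switched off
            if ($missing.Count -gt 0 -or $extra.Count -gt 0 -or $acl.AreAccessRulesProtected) {
                [pscustomobject]@{
                    Folder              = $dir.FullName
                    Owner               = $acl.Owner
                    InheritanceDisabled = $acl.AreAccessRulesProtected
                    MissingOnChild      = $missing -join '; '
                    OnlyOnChild         = $extra -join '; '
                }
            }
        }
}

# Hypothetical share path; replace with a folder you administer.
Compare-FolderAcl -ParentPath '\\fileserver01\Shares\AD-Scripts' -Depth 3 |
    Export-Csv -Path .\acl-differences.csv -NoTypeInformation
```

The Owner column in the output also lets you filter the CSV for folders owned by a particular account.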

Export reports

To generate a report in Excel, CSV, or HTML format, click the Export button shown in the following figure.

Exporting a report

You'll then be prompted to select a report output format and a subsequent action as shown here:

Choosing an export file format

The following screenshot displays a typical report as seen in Microsoft Excel.

Viewing a report in Excel


G-TAC sells FolderSecurityViewer in three editions:

  • Standard: Installation on up to 2 computers, 500 AD user limit – 290 EUR
  • Company: Unlimited installations, 3,000 AD user limit – 1,490 EUR
  • Enterprise: Unlimited installations, unlimited AD users – 2,990 EUR

Check G-TAC's order page for more details. FolderSecurityViewer provides administrators with a dead-simple NTFS permissions analysis and reporting tool. The learning curve is short, and the impact is potentially high enough to warrant the license cost.


© 4sysops 2006 - 2023

