Albus Bit NTFS Permissions Auditor is a lightweight, easy-to-use permissions analysis tool that helps you enforce the IT security principle of least privilege.
Latest posts by Timothy Warner (see all)

The IT security least-privilege principle states that users should have enough authorization to do their work, but no more. This principle naturally applies to your Server Message Block (SMB) file shares and NTFS-secured folders and files.

Today we will examine Albus Bit's NTFS Permissions Auditor, a lightweight, easy-to-use permissions analysis tool that gives you insight into who can do what with your corporate data.

Installation and your first configuration profile

Go to the Albus Bit website and download the Free version of NTFS Permissions Auditor. This is not a time-limited trial, but perpetual-use software. For this review, I used the Pro version. You can read about the differences at your convenience; we'll discuss them more later.

You can install the software on your administrative workstation; the only prerequisite is the .NET Framework v4 client profile. The software uses a tiny SQLite database back end; the default database location is %AppData%\AlbusBit\NTFSPermissionsAuditor\NTFSPermissionsAuditor.db.

Next, open the application, navigate to the Home tab, and click New to start a new configuration profile. I show you the interface in the next figure.

NTFS Permissions Reporter profile configuration

You can target one or more directories for auditing by selecting the appropriate button:

  • Add single directory: Browse the local computer for a single folder
  • Import directory list: Feed in a text file with a single column of directory paths
  • Find shares: Browse the local computer or a remote system to enumerate and select SMB file shares (including administrative shares)

The profile configuration process has a number of additional options you can specify, including:

  • Resolving group references into their member lists
  • Resolving nested groups
  • Using alternate Active Directory credentials
  • Excluding system directories and reparse points
  • Limiting directory search depth
  • Adding a custom filter

Click Save, give the configuration a name, select Start the audit, and off you go!

View audit results

I have to say, I enjoy the NTFS Permissions Auditor Folder view interface almost infinitely more than I do the default forms we have in Windows Server and Windows client. For one thing, NTFS Permissions Auditor packs a lot of information into a single form.

Check out the following annotated screenshot of the Folder view form, which I'll then describe in greater detail:

Folder details view

  • A: Switch between Folder view and Principal view
  • B: Navigate through the directory tree
  • C: Folder details
  • D: NTFS discretionary access control list (DACL)
  • E: Selected security principal details
  • F: Basic or advanced NTFS permissions (especially helpful for "special" NTFS permissions!)

Now switch over to the Principal view. Here we can drill down into each security principal (user, group, or special identity) included on the target folder's DACL. Here's a picture:

Principal view

The two biggest questions I ask of my NTFS file system resources are:

  • Which permissions are inherited vs. explicitly defined?
  • Which account owns this particular file system resource?

As you can see, between the two NTFS Permissions Auditor views, you can answer those questions quickly and easily.
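The same two questions can be spot-checked without the tool by using the built-in Get-Acl cmdlet. The following PowerShell is an added example, not part of NTFS Permissions Auditor or the original review; the function name Get-ExplicitAce, the path D:\Shares\Marketing, and the output file name are placeholders chosen for illustration.

```powershell
# Added example: list the owner and every explicit (non-inherited) ACE
# for a folder and its subfolders, down to a limited depth.
function Get-ExplicitAce {
    param(
        [Parameter(Mandatory)] [string] $Root,   # folder to audit (placeholder in the call below)
        [int] $MaxDepth = 2                      # how many levels below $Root to inspect
    )

    # The root itself plus its subfolders; reparse-point entries
    # (junctions, symlinks) are dropped from the result set.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
              Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) })

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # Folders the current account cannot read are reported, not silently skipped.
            Write-Warning "Cannot read ACL on $($dir.FullName): $($_.Exception.Message)"
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # keep only explicitly defined entries
            [pscustomobject]@{
                Path     = $dir.FullName
                Owner    = $acl.Owner
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType   # Allow or Deny
                Rights   = $ace.FileSystemRights
                Applies  = $ace.InheritanceFlags    # how the ACE propagates to children
            }
        }
    }
}

# Placeholder path and output file; run from an account that can read the ACLs.
Get-ExplicitAce -Root 'D:\Shares\Marketing' -MaxDepth 2 |
    Export-Csv -Path .\explicit-aces.csv -NoTypeInformation
```

Explicit entries deep in a tree are usually the ones worth reviewing first, since they are where access diverges from what the parent folder grants.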

Generate a report

Next, let's turn our attention to output deliverables. Navigate to the Export tab and click the appropriate Export button to create a report of the current Folder or Principal view. Export file formats include the following:

  • Microsoft Excel (.xlsx)
  • Comma-separated value (.csv)
  • Hypertext Markup Language (.html)
  • Extensible Markup Language (.xml)
  • Portable Document Format (.pdf)

Personally, I prefer the CSV output because I can then import that data into the tools of my choice. You'll see a Customize columns button in the interface as well. I've found this makes my reports much more readable because I'm not cramming too many columns into a predefined layout.

Filtering

You can write filters that allow your auditing to better suit your business requirements. In NTFS Permissions Reporter, navigate to the Filter tab and click New to start one.

Let's say I want to audit a file share or directory structure to meet the following criteria:

  • Files with DACL entries containing Marketing department employees
  • Folders the AD user Beth Smith owns

Here's a screenshot:

Filter Manager

As you probably observed, your filters can include both NTFS properties and Active Directory schema attributes.

Make sure you notice that both your saved configuration profiles and filters are accessible from drop-down lists on their appropriate NTFS Permissions Auditor ribbon tabs.

Change tracking

Another excellent NTFS Permissions Auditor feature is the ability to compare differences between two different audit runs. Let me use the old "annotated screenshot" approach to make the workflow clear:

Change tracking

  • A: Expand the History view to get to the controls
  • B: Browse through the historical record of previous audit runs
  • C: Select your first and second reports to compare
  • D: Click Compare to generate the output
  • E: Review the results, and optionally export reports
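The idea behind comparing two audit runs can be shown with two permission snapshots and Compare-Object. This PowerShell is an added example, not the tool's own comparison logic or export format; the column names (Path, Identity, Rights, Inherited), the CONTOSO accounts, and the function name Compare-AclSnapshot are assumptions, and both snapshots are constructed sample data.

```powershell
# Constructed sample data: the same folder tree captured at two points in time.
$before = @'
Path,Identity,Rights,Inherited
D:\Shares\Marketing,CONTOSO\Marketing,Modify,False
D:\Shares\Marketing,BUILTIN\Administrators,FullControl,True
D:\Shares\Marketing\Plans,CONTOSO\bsmith,ReadAndExecute,False
'@ | ConvertFrom-Csv

$after = @'
Path,Identity,Rights,Inherited
D:\Shares\Marketing,CONTOSO\Marketing,FullControl,False
D:\Shares\Marketing,BUILTIN\Administrators,FullControl,True
D:\Shares\Marketing\Plans,CONTOSO\bsmith,ReadAndExecute,False
D:\Shares\Marketing\Plans,Everyone,Read,False
'@ | ConvertFrom-Csv

function Compare-AclSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Reference,   # earlier snapshot
        [Parameter(Mandatory)] [object[]] $Difference   # later snapshot
    )
    # An ACE counts as unchanged only if all four columns match.
    $props = 'Path', 'Identity', 'Rights', 'Inherited'

    Compare-Object -ReferenceObject $Reference -DifferenceObject $Difference -Property $props |
        ForEach-Object {
            [pscustomobject]@{
                # '=>' means the row exists only in the later snapshot.
                Change    = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
                Path      = $_.Path
                Identity  = $_.Identity
                Rights    = $_.Rights
                Inherited = $_.Inherited
            }
        } |
        Sort-Object Path, Identity, Change
}

Compare-AclSnapshot -Reference $before -Difference $after | Format-Table -AutoSize
```

A changed right shows up as a Removed row and an Added row for the same path and identity, while a brand-new entry such as the Everyone ACE appears as a single Added row.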

Wrap-up

An NTFS Permissions Auditor single administrator license costs $149 USD as of this writing in spring 2018. Given the time the tool is likely to save you, I personally think the tool is worth it.

To revisit the Free vs. Pro version differences, only the Pro edition has the audit comparison feature, the ability to customize export fields, advanced filtering, and the ability to export reports larger than 500 rows.

© 4sysops 2006 - 2023