Auditing permissions

Inspired by the CQURE 5 day challenge I’ve decided to document some of the things that I’ve learned from the daily assesments. 🙂

Table of Content

There are some command line tools in windows to check permissions. In the case above we have a file called will_Guest_read_it.txt with both flags „Full Access“ and „Denied“ set on it. That’s a strange case, but possible indeed. And that lead us to the question which permission is stronger?

By typing the following command we get the SDDL of the File:

get-acl "Filepath" |fl

sddl: (A;ID;FA;;;LG) (D;ID;FA;;;LG)

A= Allow
D= Denied
FA= Full Access
LG= Guest Account

Another command to read out file permissions is:

icacls "Filepath"

(I)(F) Full Access
(I)(N) No (Denied)

In that case Allow Full Access wins, because windows goes allways top down in ACL and Full Access comes first!

Another cool thing is to get the numeric values of system rights.


The powershell code below outputs all possible values:

foreach ($right in [System.Enum]::GetNames([System.Security.AccessControl.FileSystemRights])) {
$intValue = [int]([System.Security.AccessControl.FileSystemRights]$right)
Write-Host ("{0,-30} : {1}" -f $right, $intValue)
A good start for auditing permissions can be to work with the following command:
Get-Acl "Folderpath" | Select-Object -ExpandProperty Access

Some repeating questions:

Which OS command allows you to work with file permissions in Windows10?

Can one file have both deny and allow entry for the same user/group on the Access Control list?
Yes with „Advanced“ tab of „File properties“ dialog box in graphical interface. –> wrong
Yes, however it is not easy to make this from graphical userinterface

What happens to a file when it has „allow“ and „deny“ for the same group of ACL?
it depends for the order of ACE in ACL

How can you set file permissions from Powershell?

Do Registry hives have permissions (ACLs)?
Yes with the same rights as files and folders –>wrong
Yes, but with rights different than files and folders

Kommentar hinterlassen

Schreib einen Kommentar

Ihre E-Mail-Adresse wird nicht veröffentlicht.