November 01, 2004

Scripting Security Descriptors in Windows

I stumbled across an interesting document today from Microsoft on how to script security descriptors on Microsoft platforms.

Taken from Microsoft's website...

"Every securable resource on a Microsoft Windows Server operating system has an associated security descriptor that specifies which security principals can access the resource and what actions those security principals can perform on the resource. Security descriptors can be managed by using scripts."

You can get more information about this document here. There are some really good examples in the document, including scripts to modify file and registry security descriptors. If you are dealing with security on Windows servers, you really need to take some time to read this document (it's only 28 pages) and see if you can apply some of this to your day-to-day operations.

Some useful ways to use this information:

  • Daily scans of critical security perms for files
  • Daily scans of critical security perms for registry settings
  • Tripwire style perm checks by the minute of specific files being monitored
  • Archive backup of perms of critical areas of the server

These seem silly until you realize that being able to script checks for the footprint of perms on a system is VERY useful for audit and analysis purposes. If a process changes your perms, you WANT to know about it. This might be one way of doing that.
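
A sketch of the baseline-and-compare idea from the list above, added here as an example and not taken from the Microsoft document or from this post. It uses PowerShell's `Get-Acl` to capture each resource's security descriptor as an SDDL string; the monitored paths and the baseline location are placeholders.

```powershell
# Added example: archive security descriptors once, then report drift on later runs.
# The targets and baseline path are placeholders; replace them with your own.
$Targets = @(
    'C:\Windows\System32\drivers\etc\hosts',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$BaselinePath = 'C:\SecBaseline\sd-baseline.csv'

function Get-SdSnapshot {
    param([string[]]$Path)
    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
            [pscustomobject]@{ Path = $p; Owner = $acl.Owner; Sddl = $acl.Sddl }
        } catch {
            # A resource that vanished or became unreadable is itself a finding.
            [pscustomobject]@{ Path = $p; Owner = ''; Sddl = "ERROR: $($_.Exception.Message)" }
        }
    }
}

function Compare-SdSnapshot {
    param($Baseline, $Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b }
    foreach ($c in $Current) {
        $b = $known[$c.Path]
        if ($null -eq $b) {
            [pscustomobject]@{ Path = $c.Path; Change = 'NotInBaseline'; Was = ''; Now = $c.Sddl }
        } elseif ($b.Sddl -cne $c.Sddl) {
            # Case-sensitive compare: any difference in owner, group or DACL is reported.
            [pscustomobject]@{ Path = $c.Path; Change = 'DescriptorChanged'; Was = $b.Sddl; Now = $c.Sddl }
        }
    }
}

$current = Get-SdSnapshot -Path $Targets
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: archive the current descriptors as the baseline.
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
} else {
    $drift = @(Compare-SdSnapshot -Baseline (Import-Csv -LiteralPath $BaselinePath) -Current $current)
    if ($drift.Count) { $drift | Format-List } else { Write-Output 'No descriptor changes.' }
}
```

Run on a schedule, this covers the daily-scan and archive cases; keep the baseline file somewhere the monitored processes cannot write to. `Get-Acl` omits the audit entries (SACL) unless it is called with `-Audit` from a suitably privileged account.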

Anyways, YMMV. Enjoy. Happy reading!

Posted by SilverStr at November 1, 2004 02:34 PM
Comments

Very cool! That is similar to what you can do with SQL Server to script the checking of data schemas for changes compared to a base schema.

Posted by: Robert Hurlbut at November 1, 2004 03:06 PM