ACL,DACL,SDDL and PACE

Discussion in 'other software & services' started by Sully, Jun 29, 2009.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you know what these are, can you recommend a good program to view them in, per directory or file? Registry would be nice too, maybe services, but that may be asking a lot. Freeware please, or 30 day trial versions would also work.

    Using the builtin security tool of windows is extremely slow. Some stipulations. It must show all values that you would see in security tool, such as Propogate to children and Inherit etc. It must show owners. It would be nice to also show conatiner_inherit, inherit_ace_only, etc values.

    Using on local machine, no network. Viewing compositly or with a handy treeview would do nice. Also exporting as text in an easier to read output than say subinacl does. Of interest if you open security & config analyzer or sec templates snap-in, not all options you see from the security tool are visible, thus the need for something better.

    Perhaps someone has a script to parse the dumps from secedit/subinacl or similar?

    Sul.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Thanks.

    The parser might be of some use. Secedit, I will see if the parser can pull out what I need. Right now I am deep into SDDL and effect on different things, as well as implentation via script that does not require subinacl, although that remains to be seen.

    What I am really looking for is an ACL browser of sorts, where I can enter a combination and permutation of all available DACL flags as well as PACE's, to see exactly what will happen to existing structures, as well create structures with those SDDL, and how each effects differning inheritance and ownership. SDDL is documented, but the documentation leaves out a lot of things that actually happen. There are many good blogs, but they also use PowerShell or .net, where I am seeking a more built-in approach. lol, as usual I am looking for a backdoor into templates which allow a much more flexible and robust method intrinsic to the default tools.

    If you understand that, perhaps you know of an ACL browser that can give me whole directory/file data on the side, so that I can get a GUI picture of it all, especially as I script the new objects/containers to be created in different methods.

    Thanks for taking the time to reply.

    Sul.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Maybe some of these might help:

    Hyena
    Security Explorer
    AccessEnum
    AccessChk
    SetACL
    FileACL
    DumpSec
    XCACLS
    CACLS
    iCACLS
     
Thread Status:
Not open for further replies.