List all shares with Everyone having FullControl access

Written July 25th, 2011 by
Categories: Server Management
Tags: , , , , ,
No Comments »

Ever wonder how many users grant full control to Everyone on shares they created? This opens a huge risk, as any virus/worm can write itself to these shares, given the NTFS permissions allow them as well. At any rate, I don’t think it’s a good idea, so I scripted it out and found something like 470 shares where Everyone was granted FullControl access in my environment. OUCH!


Keep in mind, this also shows printers. I didn’t take the time to exclude them, so my script actually finds ~620 vulnerable shares.

For logging, just change $script:logfile = "D:\everyoneshares.txt" to whatever location you wish.

If you want to see more than just Full Control, change if (($AccessMask -eq "FullControl") -AND ($myshare.ID -eq "Everyone")){$script:mylist += $myshare} to match your desired output.

It also ignores any share that ends with a $ (administrative or hidden shares), change $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue |? {$_.Name -notlike "*$"} to $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue and it will look at ALL shares.

Now here’s the code:

#OU Locations, make sure the index is in order, 1, 2, 3, etc.
#you cannot have 3 without 2, etc.
$ous = @{}
$ous[1] = 'LDAP://OU=Servers,DC=domain,DC=com'
$ous[2] = 'LDAP://OU=Another OU,DC=domain,DC=com'
$ous[3] = 'LDAP://OU=Domain Controllers,DC=domain,DC=com'

#set logfile directory
$script:logfile = "D:\everyoneshares.txt"

#This pulls all computer accounts from AD
function getresults($path,$cert) {
	$objDomain = New-Object System.DirectoryServices.DirectoryEntry
	$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
	$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($path)
	$objSearcher.PageSize = 1000 # How many to retrieve at a time. Not output size.
	$objSearcher.Filter = $strFilter
	$objSearcher.PropertiesToLoad.Add("cn") >$null

	$colResults = $objSearcher.FindAll()
	foreach ($objResult in $colResults)
	{
	  $objItem = $objResult.Properties
	  $computer =  $objItem.cn[0]
	  $computer = $objItem.cn
	  $script:comps += $computer
  	}
}

#This runs the getresults function for each OU supplied above
$script:comps = @()

foreach ($ou in 1 .. $ous.Count) {
		if ($ous.$ou) {
			$strFilter = "(&(objectClass=Computer))"
			getresults $ous.$ou
		}
}

$comps = $script:comps | Sort name
$script:mylist = @()
write-host `n
foreach ($comp in $comps) {#1


#here's where we actually pull each share from the current computer
    $shares = gwmi Win32_LogicalShareSecuritySetting -co $comp -erroraction silentlycontinue |? {$_.Name -notlike "*$"} 
    if($shares){#2
    foreach ($share in $shares){#3
        $SecurityDescriptor = $Share.GetSecurityDescriptor()
		
		ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
		{#4
			$myshare = "" | Select Server, Share, ID, AccessMask
            $myshare.Server = $comp
            $myshare.Share = $share.name
			$myshare.ID = $DACL.Trustee.Name
			Switch ($DACL.AccessMask)
			{#5
				2032127 {$AccessMask = "FullControl"}
				1179785 {$AccessMask = "Read"}
				1180063 {$AccessMask = "Read, Write"}
				1179817 {$AccessMask = "ReadAndExecute"}
				-1610612736 {$AccessMask = "ReadAndExecuteExtended"}
				1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
				1180095 {$AccessMask = "ReadAndExecute, Write"}
				268435456 {$AccessMask = "FullControl (Sub Only)"}
				default {$AccessMask = $DACL.AccessMask}
			}#5
			$myshare.AccessMask = $AccessMask
			
            if (($AccessMask -eq "FullControl") -AND ($myshare.ID -eq "Everyone")){$script:mylist += $myshare}
            
			Clear-Variable AccessMask -ErrorAction SilentlyContinue
    	}#4
      }#3
    }#2
}#1
$mylist | out-file $script:logfile
$count = $mylist.count
write-output `n "found $count shares where Everyone was given FullControl" | out-file $script:logfile -append
write-host `n

I pieced this together from a few things I found on the net (querying AD and Shares), then combined the two and added logfile output.

I recommend using Start-Job for this, and get-job to see if it’s finished. You don’t need to provide any input, and depending on your environment size, it could take quite some time. Here’s the expected output:


Server                                       Share                                        ID                                           AccessMask                                  
------                                       -----                                        --                                           ----------                                  
Server-1                                     Share-1                                      Everyone                                     FullControl                                 




found 1 shares where Everyone was given FullControl

Tags: , , , , ,

« Add domain group to local administrator group in Windows using PowerShellFunction to list all VMs with Snapshots »
// // // //

Recent Posts

Categories

Archives

Tags

$host.ui.PromptForCredential 4.1 blade blades blade servers chassis Cisco Cisco UCS cluster DDR3 Dell Disaster Recovery ESX ESXi ESXi 5 hba HP m1000e nehalem nexus nexus 4000 openssl osd powercli powershell rescan san booting SCCM Scripts Server srm storage vmotion switch ucs UUID VB.NET vcenter vcli vmfs VMware vmworld vSphere vSphere 5.1 Windows 8 WWN

Admin

Designed by ThepHuck
Wordpress Themes
Scroll to Top