tools to Modify DACL of remote machine

<<

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Mon Dec 19, 2011 3:59 am

tools to Modify DACL of remote machine

Hi,
I'm a bit in a situation where most of the machines have been reported with services installed by business applications with improper DACL permissions.
Authenticated Users may change the configuration of the service. Looking for a tool \ solution to apply the DACL permissions remotely.

Thanks in advance
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Dec 19, 2011 9:26 am

Re: tools to Modify DACL of remote machine

PowerShell might work so long as you have local admin rights to the system. There are also some GPO tools as well.
Certs: GCWN
(@)Dewser
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Dec 19, 2011 11:32 am

Re: tools to Modify DACL of remote machine

If you can't use PowerShell, psexec and icacls should do the trick.
The day you stop learning is the day you start becoming obsolete.
<<

l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Mon Dec 19, 2011 5:31 pm

Re: tools to Modify DACL of remote machine

dynamik wrote: If you can't use PowerShell, psexec and icacls should do the trick.

Yep - these can all do it. If you don't have PowerShell, figure out what the ACL should look like, write out the icacls.exe command & variables, then save it in a batch file and script it out to the other boxes.

What OS(es) are involved? All W2K3?
<<

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue Dec 20, 2011 12:37 am

Re: tools to Modify DACL of remote machine

Thanks for the reply...
All the reported boxes are Windows XP SP3.
<<

l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Tue Dec 20, 2011 9:48 am

Re: tools to Modify DACL of remote machine

If you're just trying to add:
psexec \\srvName icacls.exe D:\temp\* /grant user-name:(D,GR,X)

Obviously it will need a little tweaking w/ the switches but this should do you for a starter.
<<

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue Dec 20, 2011 11:08 pm

Re: tools to Modify DACL of remote machine

Thanks for the response.
Currently I'm using subinacl.exe for fixing the DACL permissions of services.
This sounds to be a good tool to fix the permissions of services.
<<

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Tue Sep 18, 2012 1:06 am

Re: tools to Modify DACL of remote machine

Since SUBINACL is working fine... looking for proactive solutions via Group Policy... Any suggestions?
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Sep 18, 2012 1:50 am

Re: tools to Modify DACL of remote machine

The day you stop learning is the day you start becoming obsolete.
<<

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Sep 18, 2012 10:36 am

Re: tools to Modify DACL of remote machine

I have a few of these scripts in PowerShell I posted to my blog at http://sentinel24.com/blog/?page_id=51 . One example recurses through a file structure and adds permissions for a user.

(FYI - I use the long form for PowerShell syntax when writing tutorials but you can make this much shorter using gci, gwmi, ft, etc.)

  Code:
Get-ChildItem -recurse * | ForEach-Object -process { $_.FullName } | % { c:\subinacl.exe /file $_ /grant=domain\username=F}


Obviously this won't work for services, so how to accomplish the same thing?

First I want to enumerate services, but I want to sort based on startmode and name and suppress everything except for the service name. (no status or table headers for example)

  Code:
Get-WmiObject -computer computername win32_service | sort startmode, displayname | Format-Table -property Displayname -HideTableHeaders


I'm not 100% sure what you are hoping to accomplish here, but if you wanted to add an account entry for each of those you can combine the 2 scripts into something like

  Code:
# Format-Table emits formatting objects, so pipe the service objects straight to subinacl and pass the short service name
Get-WmiObject -ComputerName computername -Class Win32_Service | Sort-Object StartMode, DisplayName | ForEach-Object { & "C:\Program Files\Windows Resource Kits\Tools\subinacl.exe" /service "\\computername\$($_.Name)" "/grant=domain\username=F" }


http://ss64.com/nt/subinacl.html has additional subinacl syntax and is what I used when writing the scripts at my blog.

*Edit* While my way is more fun (I am addicted to making PowerShell one-liners!), I'd suggest checking out ajohnson's suggestion as that's probably closer to what you are looking for. :)
Last edited by tturner on Tue Sep 18, 2012 10:54 am, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
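
A read-only audit for the condition reported in the first post (Authenticated Users able to change a service's configuration), added here as an example and not written by any poster in this thread. It parses a service security descriptor in SDDL form, as printed by `sc.exe sdshow`, and reports allow ACEs that give a broad trustee a right to reconfigure or take over the service. The function name, service names and SDDL strings are constructed; PowerShell 3.0 or later on the admin workstation is assumed.

```powershell
# Added example; the service names and SDDL strings below are constructed.
# Rights that let a principal reconfigure or take over a service,
# as SDDL tokens and as access-mask bits.
$Dangerous = [ordered]@{
    DC = 0x00000002   # SERVICE_CHANGE_CONFIG
    WD = 0x00040000   # WRITE_DAC
    WO = 0x00080000   # WRITE_OWNER
    GA = 0x10000000   # GENERIC_ALL
    GW = 0x40000000   # GENERIC_WRITE
}
# Broad trustees (alias and SID form): Authenticated Users, Everyone, Users, Interactive.
$BroadTrustees = 'AU', 'WD', 'BU', 'IU', 'S-1-5-11', 'S-1-1-0', 'S-1-5-32-545', 'S-1-5-4'

function Find-WeakServiceAce {
    param([string]$Service, [string]$Sddl)
    # Take only the ACEs that follow "D:" so SACL ("S:") entries are ignored.
    $dacl = [regex]::Match($Sddl, 'D:[^(]*((?:\([^)]*\))+)')
    if (-not $dacl.Success) { return }
    foreach ($ace in [regex]::Matches($dacl.Groups[1].Value, '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $type, $null, $rights, $null, $null, $trustee = $ace.Groups[1].Value -split ';'
        if ($type -ne 'A' -or $BroadTrustees -notcontains $trustee) { continue }
        $hits = if ($rights -match '^0x') {
            $mask = [Convert]::ToInt64($rights, 16)       # rights given as a hex mask
            $Dangerous.Keys | Where-Object { $mask -band $Dangerous[$_] }
        } else {
            [regex]::Matches($rights, '..') | ForEach-Object { $_.Value } |
                Where-Object { $Dangerous.Contains($_) }   # two-letter right tokens
        }
        if ($hits) {
            [pscustomobject]@{ Service = $Service; Trustee = $trustee; Rights = $hits -join ',' }
        }
    }
}

# Constructed descriptors: one sane, one letting AU change config, one hex-mask ACE for Everyone.
$samples = [ordered]@{
    GoodSvc = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)'
    WeakSvc = 'D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
    HexSvc  = 'D:(A;;0x000f01ff;;;WD)'
}
# Live use: $sddl = (sc.exe \\computername sdshow $name | Where-Object { $_ }) -join ''
$samples.GetEnumerator() | ForEach-Object { Find-WeakServiceAce $_.Key $_.Value }
```

Running the audit again after a subinacl or Group Policy fix confirms that the flagged ACEs are gone.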
