Getting a security descriptor

When Get-Acl is used, the object that it gets is a security descriptor. The security descriptor includes a set of control information (ownership, and so on), along with the discretionary and system access control lists.

The WMI class Win32_LogicalShareSecuritySetting is used to represent the security for each of the shares on a computer:

$security = Get-CimInstance Win32_LogicalShareSecuritySetting -Filter "Name='WmiPerms'"

The security settings object can be used to retrieve a security descriptor by calling the GetSecurityDescriptor method:

$return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
$aclObject = $return.Descriptor

The security descriptor held in the $aclObject variable is structured very differently from the object that Get-Acl returns:

PS> $aclObject

ControlFlags : 32772
DACL : {Win32_ACE}
Group :
Owner :
SACL :
TIME_CREATED :
PSComputerName :

The DACL, or discretionary access control list, is used to describe the permission levels for each security principal (a user, group, or computer account). Each entry in this list is an instance of Win32_ACE:

PS> $aclObject.DACL

AccessMask : 1179817
AceFlags : 0
AceType : 0
GuidInheritedObjectType :
GuidObjectType :
TIME_CREATED :
Trustee : Win32_Trustee
PSComputerName :

The Win32_ACE object has a Trustee property that holds the Name, Domain, and SID of the security principal (in this case, the Everyone principal):

PS> $aclObject.DACL.Trustee

Domain :
Name : Everyone
SID : {1, 1, 0, 0...}
SidLength : 12
SIDString : S-1-1-0
TIME_CREATED :
PSComputerName :

AceFlags describes how an ACE is to be inherited. As this is a share, the AceFlags property will always be 0. Nothing can, or will, inherit this entry; .NET can be used to confirm this:

PS> [System.Security.AccessControl.AceFlags]0
None

The AceType is either AccessAllowed (0) or AccessDenied (1). Again, .NET can be used to confirm this:

PS> [System.Security.AccessControl.AceType]0
AccessAllowed

Finally, the AccessMask property can be converted into a meaningful value with .NET, as well. The access rights that can be granted on a share are a subset of those that might be assigned to a file or directory:

PS> [System.Security.AccessControl.FileSystemRights]1179817
ReadAndExecute, Synchronize

Putting this together, the entries in a shared DACL can be made much easier to understand:

using namespace System.Security.AccessControl

# Decode each Win32_ACE in the share's DACL with the .NET enumerations shown above
$aclObject.DACL | ForEach-Object {
    [PSCustomObject]@{
        Rights   = [FileSystemRights]$_.AccessMask
        Type     = [AceType]$_.AceType
        Flags    = [AceFlags]$_.AceFlags
        Identity = $_.Trustee.Name
    }
}

In the preceding example, the domain of the trustee is ignored. If the trustee is anything other than Everyone, the domain should be included in the output.
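The following function is an added example, not code from the book: it applies the same WMI and .NET decoding to every share on the computer, includes the trustee's domain, and flags Allow entries that grant Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) more than the share-level Read mask (1179817) seen above. The function name Get-ShareAceReport and the Overbroad column are this example's own choices.

```powershell
using namespace System.Security.AccessControl

function Get-ShareAceReport {
    [CmdletBinding()]
    param (
        # Share name to inspect; omit to report every share on the computer
        [string]$Name
    )

    $params = @{ ClassName = 'Win32_LogicalShareSecuritySetting' }
    if ($Name) { $params['Filter'] = "Name='$Name'" }

    # Share-level Read is ReadAndExecute | Synchronize, as decoded above
    $readMask = 1179817
    # Well-known SIDs whose ACEs affect every user of the share
    $broadSids = 'S-1-1-0', 'S-1-5-11'

    foreach ($security in Get-CimInstance @params) {
        $return = $security | Invoke-CimMethod -MethodName GetSecurityDescriptor
        # ReturnValue 0 is success; anything else leaves Descriptor empty,
        # so report it instead of silently producing no entries for the share
        if ($return.ReturnValue -ne 0 -or -not $return.Descriptor) {
            Write-Warning ('{0}: GetSecurityDescriptor returned {1}' -f $security.Name, $return.ReturnValue)
            continue
        }
        foreach ($ace in $return.Descriptor.DACL) {
            # Domain is empty for well-known principals such as Everyone
            $identity = if ($ace.Trustee.Domain) {
                '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            } else {
                $ace.Trustee.Name
            }
            # Any bit outside the Read mask means Change or Full Control was granted
            $extraBits = [int64]$ace.AccessMask -band -bnot [int64]$readMask
            [PSCustomObject]@{
                Share     = $security.Name
                Identity  = $identity
                SID       = $ace.Trustee.SIDString
                Type      = [AceType]$ace.AceType
                Rights    = [FileSystemRights]$ace.AccessMask
                Overbroad = ($ace.AceType -eq 0) -and
                            ($ace.Trustee.SIDString -in $broadSids) -and
                            ($extraBits -ne 0)
            }
        }
    }
}

Get-ShareAceReport | Where-Object Overbroad | Format-Table Share, Identity, Rights
```

Run it in an elevated session so GetSecurityDescriptor succeeds for administrative shares as well; a non-zero ReturnValue is surfaced as a warning rather than dropped.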
