write-only-once-fileshare.ps1
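#Requires -Version 3
Set-StrictMode -Version 2.0

<#
.SYNOPSIS
    Builds a "write-only-once" SMB drop folder.

.DESCRIPTION
    Members of $writeOnlyAccount may create a file in the share, but they can
    neither read it back, overwrite it, delete it nor re-ACL it afterwards.
    Members of $ReadWriteAccount keep full control over the folder and its
    contents and own the folder.

    The effect is achieved purely with explicit NTFS ACEs (inheritance from
    the parent directory is cut off):
      1. Deny  $writeOnlyAccount  everything short of FullControl, on children
         only (InheritOnly) -> a file that already exists is untouchable.
      2. Allow $writeOnlyAccount  ListDirectory + CreateFiles + Synchronize on
         the folder itself, not inherited -> a *new* file can be created.
      3. Allow $ReadWriteAccount  FullControl on the folder and all children.
    A SACL auditing success and failure of the same "dangerous" rights for
    Everyone is added so that drops and denied attempts leave a trace.

    The NTFS ACL is applied BEFORE the share is published, so the folder is
    never reachable over SMB with only the permissive inherited permissions.

.NOTES
    Security caveats (review notes, confirm on the target build):
    * The share itself grants Everyone FullAccess; effective access is the
      intersection of share and NTFS permissions, so the DACL below is the
      only control. Scope the share permission as well if policy requires it.
    * The principal that drops a file normally becomes its owner, and an
      owner is implicitly granted READ_CONTROL/WRITE_DAC unless an
      "OWNER RIGHTS" (S-1-3-4) ACE says otherwise. Presumably the writer could
      therefore re-ACL its own drop despite the Deny ACE; add an OWNER RIGHTS
      ACE to the ACL if the write-once property must also hold against the
      writer itself.
    * The audit rule only produces events when "Audit object access" /
      "Audit File System" is enabled in audit policy. Writing a SACL and
      reading it back (Get-Acl -Audit) require SeSecurityPrivilege, and
      setting the owner to a group requires SeRestorePrivilege -> run elevated.

    List WellKnownSids:
      [Enum]::GetNames([Security.Principal.WellKnownSidType])
    Translate WellKnownSids:
      [Enum]::GetNames([Security.Principal.WellKnownSidType]) | % {
        try{ (New-Object Security.Principal.SecurityIdentifier([Security.Principal.WellKnownSidType]::$_, $null)).Translate([Security.Principal.NTAccount]).Value } catch {}
      }

    Test with sysinternals psexec - https://technet.microsoft.com/en-us/sysinternals
    As user local system (Domain Computer) try to copy a file to the share,
    it should work, but only once (the first copy creates the file, the second
    has to open the existing file and runs into the inherited Deny ACE):
      psexec -i -s cmd.exe
      echo test > test.txt
      copy test.txt \\fileshare\acltest
      1 file(s) copied.
      copy test.txt \\fileshare\acltest
      Access is denied.
      0 file(s) copied.
#>

#######################################
# Builds a FileSystemAccessRule; thin wrapper that keeps the ACE list below
# readable. Arguments are passed straight through to the .NET constructor.
#######################################
function New-FsAccessRule {
    param(
        [System.Security.Principal.IdentityReference] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights,
        [System.Security.AccessControl.InheritanceFlags] $Inheritance,
        [System.Security.AccessControl.PropagationFlags] $Propagation,
        [System.Security.AccessControl.AccessControlType] $Type
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inheritance, $Propagation, $Type)
}

# "Domain Users" is a bad idea for the write-only group: every user, including
# the Administrator who should be able to read the files, is a member, so the
# Deny ACE would hit the readers too. Any group that does not contain the
# members of $ReadWriteAccount is fine.
$writeOnlyAccountName = "Domain Computers"
$ReadWriteAccountName = "Domain Admins"
$writeOnlyAccount = New-Object System.Security.Principal.NTAccount($writeOnlyAccountName)
$ReadWriteAccount = New-Object System.Security.Principal.NTAccount($ReadWriteAccountName)

# Well-known "Everyone" SID; translated once for New-SmbShare, which wants a name
$everyone    = New-Object Security.Principal.SecurityIdentifier([Security.Principal.WellKnownSidType]::WorldSid, $null)
$everyoneStr = $everyone.Translate([Security.Principal.NTAccount]).Value

$folder    = "c:\temp\acltest"
$shareName = "acltest"

# -Force: no error if the directory already exists, but real failures still surface
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Rights / flag shorthands used by the ACEs below
# Everything FullControl contains except Synchronize (presumably left out on
# purpose, a denied Synchronize bit tends to break even benign opens)
$denyRights   = [System.Security.AccessControl.FileSystemRights]"DeleteSubdirectoriesAndFiles, Modify, ChangePermissions, TakeOwnership"
$dropRights   = [System.Security.AccessControl.FileSystemRights]"ReadData, CreateFiles, Synchronize"  # ReadData == ListDirectory on a folder
$fullControl  = [System.Security.AccessControl.FileSystemRights]"FullControl"
$toChildren   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$noInherit    = [System.Security.AccessControl.InheritanceFlags]::None
$childrenOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly  # ACE does not apply to the folder itself
$selfAndKids  = [System.Security.AccessControl.PropagationFlags]::None
$deny         = [System.Security.AccessControl.AccessControlType]::Deny
$allow        = [System.Security.AccessControl.AccessControlType]::Allow

$objACL = New-Object System.Security.AccessControl.DirectorySecurity  # starts out empty

# 1. Writer: denied on everything below the folder (existing files/subfolders)
$objACL.AddAccessRule((New-FsAccessRule $writeOnlyAccount $denyRights $toChildren $childrenOnly $deny))
# 2. Writer: may list the folder and create files in it; nothing is inherited
$objACL.AddAccessRule((New-FsAccessRule $writeOnlyAccount $dropRights $noInherit $selfAndKids $allow))
# 3. Readers: full control on the folder and everything below
$objACL.AddAccessRule((New-FsAccessRule $ReadWriteAccount $fullControl $toChildren $selfAndKids $allow))

# Explicit ACEs only: protect from inheritance and do NOT keep what was inherited
$objACL.SetAccessRuleProtection($true, $false)
$objACL.SetOwner($ReadWriteAccount)

# SACL: audit success and failure of the "dangerous" rights for everyone
$auditFlags = [System.Security.AccessControl.AuditFlags]::Success -bor [System.Security.AccessControl.AuditFlags]::Failure
$auditRule  = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $denyRights, $toChildren, $selfAndKids, $auditFlags)
$objACL.SetAuditRule($auditRule)

# Apply NTFS security first; a failure here must stop the script so the share
# is never published on top of the default (inherited) permissions.
Set-Acl -Path $folder -AclObject $objACL -ErrorAction Stop

# Publish the share (idempotent: skip if it already exists)
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $folder -FullAccess $everyoneStr -ErrorAction Stop
}

# Show the result; without -Audit you only get the access (DACL) entries
$acl = Get-Acl -Path $folder -Audit
$acl.Owner
$acl.Access
$acl.Audit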