Windows: How to Detect Excessive User Permissions on File Servers

Why It is Important

External attacks are not the only cause of security breaches. Practices such as granting permissions to the “Everyone” group or assigning permissions directly instead of through group membership can enable users to access data they shouldn’t be able to access, possibly including sensitive data. Users with excessive permissions can copy, distribute, modify or delete files, which can lead to data loss, data exfiltration, and more. To reduce these risks, IT pros should review permissions granted to the "Everyone" group, as well as all permissions that were granted directly, on a regular basis.

Native Auditing

1. We need to know what folder(s) user "Suspicious" has access to. Run the following script in   Powershell filling up "File Share Path" and ".csv File Name and Path" parameters.

dir -Recurse | where { $_.PsIsContainer } | % { $path``1 = $_.fullname; Get-Acl $_.Fullname | % { $_.access | where { $_.IdentityReference -like ``"Suspicious" } | Add-Member -MemberType NoteProperty -name ``"File Share Path" -Value $path``1 -passthru }} | export-csv ".csv File Name and Path

2. Open created .csv file via Microsoft Excel and check which folders user "Suspicious" has access to.

3. In order to find out other user or group permissions just type the name instead of the word "Suspicious" in the script.

4. Report example:

https://img.netwrix.com/landings/howtofriday/7/Native_tools_exel.png

Credits

Originally Posted - https://www.netwrix.com/how_to_monitor_excessive_permissions_in_everyone_group_on_windows_file_servers.html