topic Re: How to monitor Windows access control lists at the NTFS level in Security https://community.splunk.com/t5/Security/How-to-monitor-Windows-access-control-lists-at-the-NTFS-level/m-p/69419#M2263 <P>"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine. </P> <P>As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.</P> <P>Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.</P> Tue, 29 Mar 2011 04:25:29 GMT dwaddle 2011-03-29T04:25:29Z How to monitor Windows access control lists at the NTFS level https://community.splunk.com/t5/Security/How-to-monitor-Windows-access-control-lists-at-the-NTFS-level/m-p/69418#M2262 <P>I want to build a security report that lists what directories and files a specified user account has access to by NTFS permission level (Read, Change, Full Control, etc.). </P> <P>I am looking at running a scripted input using MS Powershell. Is this the right approach?</P> Tue, 29 Mar 2011 03:51:19 GMT https://community.splunk.com/t5/Security/How-to-monitor-Windows-access-control-lists-at-the-NTFS-level/m-p/69418#M2262 tgow 2011-03-29T03:51:19Z Re: How to monitor Windows access control lists at the NTFS level https://community.splunk.com/t5/Security/How-to-monitor-Windows-access-control-lists-at-the-NTFS-level/m-p/69419#M2263 <P>"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine. </P> <P>As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.</P> <P>Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.</P> Tue, 29 Mar 2011 04:25:29 GMT https://community.splunk.com/t5/Security/How-to-monitor-Windows-access-control-lists-at-the-NTFS-level/m-p/69419#M2263 dwaddle 2011-03-29T04:25:29Z