Security

How to monitor Windows access control lists at the NTFS level

tgow
Splunk Employee
Splunk Employee

I want to build a security report that lists what directories and files a specified user account has access to by NTFS permission level (Read, Change, Full Control, etc.).

I am looking at running a scripted input using MS Powershell. Is this the right approach?

Tags (2)
1 Solution

dwaddle
SplunkTrust
SplunkTrust

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

View solution in original post

dwaddle
SplunkTrust
SplunkTrust

"Best" is very subjective. If you can build a scripted input using Powershell that tells you what to you want to know, then that should work fine.

As I understand your requirement, you're not looking to index audit data (as in who accessed which file when), but rather who, based on permissions, has the potential to access. You might be able to do this simply by running xcacls or a similar NTFS permissions dumptool -- but a powershell script could be more robust.

Ultimately, you may need a small amount of python glue to launch your powershell script, but this should work.

View solution in original post