Tool to check fileshare permissions on old systems.

I have been working on a security project recently. One of the tasks covers checking file share permissions on older systems.

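function Get-ShareAccessPermissions {
    <#
    .SYNOPSIS
    Gets share access permissions.
    .DESCRIPTION
    Enumerates the shares on each target computer and emits one object per
    ACE in the share's discretionary ACL (trustee, permission level, Allow/Deny).
    The tool is designed for older Windows systems as the new ones have a
    dedicated Get-SmbShareAccess Cmdlet.

    Remoting (Invoke-Command) is tried first; if it returns nothing, the same
    query is repeated with Get-WmiObject -ComputerName, i.e. over DCOM, which
    is the path hosts without WinRM are expected to answer.

    Access masks other than the three standard share levels are reported as
    the raw hexadecimal mask instead of being dropped, and a share whose
    security descriptor cannot be read produces a warning rather than
    silently disappearing from the report.
    .PARAMETER ComputerName
    One or more computer names to query. Defaults to the local machine.
    .EXAMPLE
    PS C:\TMP> Get-ShareAccessPermissions

    MachineName Share  Path                              Domain       ID                  Permission  ACEType
    ----------- -----  ----                              ------       --                  ----------  -------
    P1          print$ C:\Windows\system32\spool\drivers              Everyone            Read        Allow
    P1          print$ C:\Windows\system32\spool\drivers BUILTIN      Administrators      FullControl Allow
    P1          tmp    C:\tmp                            P1           Admin               FullControl Allow
    P1          tmp    C:\tmp                            NT AUTHORITY Authenticated Users Change      Allow
    P1          tmp    C:\tmp                                         Everyone            Read        Allow
    #>

    [CmdletBinding()]
    Param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    BEGIN {
        # Single query used by both transports. $Target is '.' when the block
        # executes on the remote host itself (Invoke-Command) and the remote
        # name when it executes locally over DCOM (fallback). Sharing one block
        # also fixes the fallback's Win32_Share lookup, which previously ran
        # against the local machine and therefore reported the wrong Path.
        $ShareScript = {
            param([string]$Target = '.')

            $ShareSec = Get-WmiObject Win32_LogicalShareSecuritySetting -ComputerName $Target

            ForEach ($ShareSecurity in $ShareSec) {
                # The share name is interpolated into a WQL string literal;
                # escape embedded single quotes (WQL escapes with backslash)
                # so an unusual share name cannot break or alter the query.
                $WqlName = $ShareSecurity.Name -replace "'", "\'"
                $Share = Get-WmiObject Win32_Share -ComputerName $Target -Filter "Name='$WqlName'"

                # GetSecurityDescriptor reports failure (e.g. access denied)
                # via ReturnValue; the original loop over a null DACL simply
                # produced no rows, hiding the share from the report.
                $SD = $ShareSecurity.GetSecurityDescriptor()
                if ($SD.ReturnValue -ne 0) {
                    Write-Warning ("Cannot read security descriptor of share '{0}' on {1} (ReturnValue {2})" -f `
                        $ShareSecurity.Name, $ShareSecurity.PSComputerName, $SD.ReturnValue)
                    continue
                }

                ForEach ($DACL in $SD.Descriptor.DACL) {
                    [PSCustomObject]@{
                        MachineName = $ShareSecurity.PSComputerName
                        Share       = $ShareSecurity.Name
                        Path        = $Share.Path
                        Domain      = $DACL.Trustee.Domain
                        ID          = $DACL.Trustee.Name
                        # Decimal masks are the three values the original
                        # script recognised; anything else is shown as hex so
                        # a non-standard ACE is visible rather than blank.
                        Permission  = switch ($DACL.AccessMask) {
                            1179817 { 'Read' }         # 0x001200A9
                            1245631 { 'Change' }       # 0x001301BF
                            2032127 { 'FullControl' }  # 0x001F01FF
                            default { '0x{0:X8}' -f $DACL.AccessMask }
                        }
                        ACEType     = switch ($DACL.AceType) {
                            0       { 'Allow' }
                            1       { 'Deny' }
                            default { $DACL.AceType }
                        }
                    }
                }
            }
        }

        $Columns = 'MachineName', 'Share', 'Path', 'Domain', 'ID', 'Permission', 'ACEType'
    }

    Process {
        ForEach ($Comp in $ComputerName) {
            if ([string]::IsNullOrEmpty($Comp)) { continue }

            # Errors are silenced deliberately: a host without WinRM must fall
            # through to the DCOM path below instead of aborting the run.
            $Info = Invoke-Command -ComputerName $Comp -ErrorAction SilentlyContinue `
                        -ScriptBlock $ShareScript -ArgumentList '.' |
                    Select-Object $Columns

            if ($Info) {
                $Info
            }
            else {
                Write-Verbose "No result from remoting on '$Comp'; retrying with WMI over DCOM"
                & $ShareScript -Target $Comp | Select-Object $Columns
            }
        }
    }

    END {}
}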
