Using MACE to keep track of file share permissions
This will be categorized into the “Securing my network” project shortly
The Management of Access Control in the Enterprise (MACE) Microsoft Research project enables you to easily collect permission structures of NTFS and POSIX file systems that are accessible locally (recommended), via SMB or likely other RDBSS redirectors (the Data Collector role), transfer and store the reports in a Microsoft SQL Server databsae, and retrieve them to produce reports that you can disperse (the Data Visualizer role).
I will be following the readme file that is included in the MACE package.
The Data Collector Role:
On the system you will be using to scan directories:
– .NET framework 3.5+
– Testing revealed that it is untrue that the system must be running Windows Server 2008+
The Data Visualizer Role:
On the system you will be using to produce reports:
– SQL Server Express 2008 R2+ (local or remote)
– .NET framework 4.0+
Download and Install:
1) Obtain the latest MACE package from Microsoft Research and expand the ZIP.
2) On the computer that is going to be assigned the Data Collector role, after installing the previously mentioned prerequisites, run the following and “Next” (to install for any user who’s logged on):
msiexec /qb /i SetupCollector.msi ALLUSERS=2
3) On the computer that is going to be assigned the Data Visualizer role, after installing the previously mentioned prerequists, run the follow and “Next” (to install for any user who’s logged on):
msiexec /qb /i SetupMACE.msi ALLUSERS=2
Configure and run the data collector:
The Data Collector MUST be configured using an .NET settings type XML file in order to run properly.
1) Open the following file in a text editor:
%programfile%\Microsoft Research\MACE\Data Collector\DataCollector.exe.config
2) The following describes the keys and their values:
|FileSystemRootList||Directories or drive letters to scan. Semi-colon separated list. Case-sensitive. Required.|
|UserRootGroup||Restrict groups to scan for. Semi-colon separated list. Not Required/can be left blank.|
|DefaultDomainSuffix||FQDN of top-level domain. Required.|
|EnableFCIDataCollection||Collect info from files’ alternate data streams for file classification infrastructure (FCI). Required.|
|LocalGroupExceptionsList||Names of local groups that will be excluded. Try “nt service;nt authority;iis apppool”. Semi-colon separated list. Not Required/can be left blank.|
|OrgGCPath||Path to the root designated name for your AD structure (“the most commoin global catalog path in the enterprise”), given in the following format: GC://DC= . Required.|
|OrgDomainsFQDN||FQDN(s) of domain(s) to include in the scan. Semi-colon separated list. Required.|
|LDAPPort||Provide a port for the LDAP server. Usually 389, as it appears MACE doesn’t support TLS. Required.|
3) Run the Data Collector:
%programfiles%\Microsoft Research\MACE\Data Collector\DataCollector.exe
4) Output of scan:
Within the working directory of the datacollector.exe process (%programfiles%\Microsoft Research\MACE\Data Collector\) there will be several files:
|[hostname]_[groups]_[date]-ep.txt||Contains directory, file list and ACLs.|
|hostname]_[groups]_[date]-group.txt||Contains user and group information.|
|hostname]_[groups]_[date]-errors.txt||If exists, then there were minor errors.|
|Fatalerrors.txt||If exists, then there were critical errors.|
Common errors include:
AuthzInitializeContextFromSid failed with 1317
Taking a look:
C:\>net helpmsg 1317 The specified user does not exist.
Configure and run the data visualizer:
Note that the visualizer doesn’t appear to be able to create a Windows form until the data collector has finished
1) Open the Data Visualizer:
%programfile%\Microsoft Research\MACE\Data Visualizer\Microsoft.Research.Data.UI.exe
2) Create the database server connection:
a) Under “Server & Database” on the left side, click the “Servers” dropdown and select “New Server”
b) Provide the Server name (such as: “[hostname]\SQLEXPRESS”)
c) The connection will not be listed in the “Servers” dropdown.
3) Create the database:
a) Under “Server & Database” on the left side, click the “Servers” dropdown and select the server connection you created in Step 2.
b) Beneath the “Servers” dropdown, select the “Databases” dropdown and click “New Database”.
c) Provide the following information:
Database Name: MACE Load Effective Permissions File: [find the *-ep.txt file produced by the Data Collector, must be located on a local drive] Load Groups File: [find the *-group.txt file produced by the Data Collector, must be located on a local drive]
d) Click OK and allow the Data Visualizer time to render the results.
Running a query:
The UI is deceivingly straight forward.
The bottom tab is hidden by default and will contain FCI entries for the selected directory in the right most pane.
You can not pivot a query against multiple fields, but only run a query against a single entity (out of the three entities available).
The use of the empty red square icon is very confusing. It’s noted as “No access, by virtue of no ACE found,” but it really means, “Has access by virtue of inherited group permission, no explicit ACE found”.
If you are pivoting a directory, and there are entries absent from the “Users and their Memberships” or “Groups and their Members,” it means there are no entries present at all.
Export to Excel:
The Export to Excel function requires a local copy of Excel.
I’ve written to the email address inquiring about providing additional exportation formats (even implementing an open XLSX exporter).
Comparing two EP and GROUP snapshots:
Currently, your best bet is to save the *-ep.txt and *-group.txt files for comparison.
1) Move the files out of the directory:
mkdir "%programfiles%\Microsoft Research\MACE\Data Collector\shot1" mv "%programfiles%\Microsoft Research\MACE\Data Collector\*-ep.txt" "%programfiles%\Microsoft Research\MACE\Data Collector\shot1\*-ep.txt" mv "%programfiles%\Microsoft Research\MACE\Data Collector\*-group.txt" "%programfiles%\Microsoft Research\MACE\Data Collector\shot1\"
2) Take another snapshot with Data Collector.
3) Diff the ep files using diff or this cool diff tool:
diff.exe SERVER__2_5_2013-group.txt SERVER__2_6_2013-group.txt if %errorlevel%==1 cscript sendmail.vbs /from:firstname.lastname@example.org /to:email@example.com /subject:"MACE: a permission change took place" /body:"%computername% shared folder SHARE has had a permission change. Review the files with the Data Visualizer."
diff html tool: (todo: parse the date, accept arguments as files, note: this diff returns immediately, before generating the file, so we sleep)
del /q /f %temp%\diffhtml.html del /q /f %temp%\output.html diffhtml SERVER__2_5_2013-ep.txt SERVER__2_6_2013-ep.txt %temp%\output.html .\gnucoreutils\bin\sleep 120 set _diffhtmlout=0 .\gnucoreutils\bin\grep "Files are identical" %temp%\output.html | .\gnucoreutils\bin\wc -l > %temp%/diffhtmltest.log set /p _diffhtmlout= < %temp%/diffhtmltest.log if %_diffhtmlout%==0 ( .\gnucoreutils\bin\sed "s/<\/tr>/<\/tr>\n/g" %temp%\output.html >> %temp%\tmp.html .\gnucoreutils\bin\head -n 30 %temp%\tmp.html >> %temp%\diffhtml.html .\gnucoreutils\bin\grep class='C' %temp%\tmp.html >> %temp%\diffhtml.html .\gnucoreutils\bin\grep class='A' %temp%\tmp.html >> %temp%\diffhtml.html .\gnucoreutils\bin\grep class='D' %temp%\tmp.html >> %temp%\diffhtml.html echo ^</table^> ^</td^>^</tr^> >> %temp%\diffhtml.html echo ^</table^> >> %temp%\diffhtml.html echo ^</HTML^> >> %temp%\diffhtml.html del /q /f %temp%\tmp.html %temp%\output.html %temp%/diffhtmltest.log ) if %_diffhtmlout%==0 cscript sendmail.vbs /from:firstname.lastname@example.org /to:email@example.com /subject:"MACE: a permission change took place" /body:"A folder on %computername% has had a permission change. Review the files with the Data Visualizer." /attachment:%temp%\diffhtml.html
4) This should be more commonly used to focus your search rather than as an actual source of information. The numbers are contrived and only useful to the algorithm used by the Data Visualizer.