Using MACE to keep track of file share permissions

This will be categorized into the “Securing my network” project shortly

The Management of Access Control in the Enterprise (MACE) project from Microsoft Research lets you collect the permission structure of NTFS and POSIX file systems that are accessible locally (recommended), over SMB, or probably through other RDBSS redirectors (the Data Collector role); transfer and store the results in a Microsoft SQL Server database; and retrieve them to produce reports you can distribute (the Data Visualizer role).

I will be following the readme file that is included in the MACE package.

Installation prerequisites:

The Data Collector Role:
On the system you will be using to scan directories:
– .NET framework 3.5+
– Windows Server 2008+ is not actually required; testing showed the collector runs without it

The Data Visualizer Role:
On the system you will be using to produce reports:
– SQL Server Express 2008 R2+ (local or remote)
– .NET framework 4.0+

Download and Install:

1) Obtain the latest MACE package from Microsoft Research and expand the ZIP.

2) On the computer that is going to be assigned the Data Collector role, after installing the prerequisites listed above, run the following and click “Next” (ALLUSERS=2 installs for every user who logs on):

msiexec /qb /i SetupCollector.msi ALLUSERS=2

3) On the computer that is going to be assigned the Data Visualizer role, after installing the prerequisites listed above, run the following and click “Next” (ALLUSERS=2 installs for every user who logs on):

msiexec /qb /i SetupMACE.msi ALLUSERS=2

Configure and run the data collector:

The Data Collector must be configured through its .NET application settings XML file before it will run properly.

1) Open the following file in a text editor:

%programfiles%\Microsoft Research\MACE\Data Collector\DataCollector.exe.config

2) The keys and their values:

FileSystemRootList: Directories or drive letters to scan. Semicolon-separated list. Case-sensitive. Required.

UserRootGroup: Restrict the scan to these groups. Semicolon-separated list. Optional; can be left blank.

DefaultDomainSuffix: FQDN of the top-level domain. Required.

EnableFCIDataCollection: Whether to collect File Classification Infrastructure (FCI) information from files’ alternate data streams. Required.

LocalGroupExceptionsList: Names of local groups to exclude. Try “nt service;nt authority;iis apppool”. Semicolon-separated list. Optional; can be left blank.

OrgGCPath: Path to the root distinguished name of your AD forest (“the most common global catalog path in the enterprise”), in the form GC://DC=... Required.

OrgDomainsFQDN: FQDN(s) of the domain(s) to include in the scan. Semicolon-separated list. Required.

LDAPPort: Port of the LDAP server. Usually 389 (plain LDAP); MACE does not appear to support TLS, so expect its directory queries to cross the wire unencrypted, which is one more reason to run the collector locally or on a trusted segment. Required.
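Putting the keys together, here is an added example of a complete settings section for a hypothetical forest corp.example.com; it is not a file shipped with MACE. It assumes the collector reads the standard .NET appSettings layout (<add key="..." value="..."/>), and the share paths, the host name FILESRV01 and the domain names are placeholders. Open the installed DataCollector.exe.config first and confirm the element names and the keys it already contains before pasting values in.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <!-- Hypothetical values throughout. Paths are case-sensitive; local paths are
         recommended, a UNC path goes through the SMB redirector. -->
    <add key="FileSystemRootList" value="D:\Shares;\\FILESRV01\Finance" />

    <!-- Blank = no group restriction; list groups to narrow the run. -->
    <add key="UserRootGroup" value="" />

    <add key="DefaultDomainSuffix" value="corp.example.com" />

    <!-- Assumed to be a boolean; set true only if you use File Classification Infrastructure. -->
    <add key="EnableFCIDataCollection" value="false" />

    <!-- Service and application-pool pseudo-groups are noise in a share report. -->
    <add key="LocalGroupExceptionsList" value="nt service;nt authority;iis apppool" />

    <!-- Global catalog path for the forest root, built from its DC= components. -->
    <add key="OrgGCPath" value="GC://DC=corp,DC=example,DC=com" />

    <!-- Every domain whose accounts may appear in the ACLs being scanned. -->
    <add key="OrgDomainsFQDN" value="corp.example.com;sub.corp.example.com" />

    <!-- 389 is plain LDAP: group lookups travel unencrypted, so run the collector
         on the file server itself or on a trusted network segment. -->
    <add key="LDAPPort" value="389" />
  </appSettings>
</configuration>
```

If the scan later stops with a domain-related error, the first things to check are OrgDomainsFQDN (an account from an unlisted domain cannot be expanded) and OrgGCPath (the DC= components must match the forest root exactly).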

3) Run the Data Collector:

%programfiles%\Microsoft Research\MACE\Data Collector\DataCollector.exe

4) Output of scan:

Within the working directory of DataCollector.exe (%programfiles%\Microsoft Research\MACE\Data Collector\) there will be several files:

[hostname]_[groups]_[date]-ep.txt: directory and file list with ACLs (the effective permissions file).

[hostname]_[groups]_[date]-group.txt: user and group information.

[hostname]_[groups]_[date]-errors.txt: present only if there were minor errors.

Fatalerrors.txt: present only if there were critical errors.

Common errors include:

AuthzInitializeContextFromSid failed with 1317

1317 is a Win32 error code, so look it up:

C:\>net helpmsg 1317

The specified user does not exist.

AuthzInitializeContextFromSid builds an authorization context from a SID, so this message means a SID found in an ACL could not be mapped to an account. Orphaned SIDs left behind by deleted accounts are the usual culprit; remove them from the ACLs at the source and rerun the collector.
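To find those orphaned entries before the collector trips over them, here is an added PowerShell check; it is not part of MACE. It assumes that unresolvable SIDs are what triggers the 1317 error (the page only records the error text), and the -Root parameter is a placeholder for one of your FileSystemRootList entries.

```powershell
# Added example (not part of MACE): find ACEs whose principal no longer resolves to an
# account. Assumption: such orphaned SIDs are the usual trigger for the collector's
# "AuthzInitializeContextFromSid failed with 1317" (ERROR_NO_SUCH_USER) message.
# $Root is a placeholder; point it at one of your FileSystemRootList entries.
param(
    [Parameter(Mandatory = $true)]
    [string]$Root
)

function Find-OrphanedAce {
    param([string]$Path)
    # Get-Acl hands back a resolvable principal as DOMAIN\name (NTAccount); one that
    # cannot be resolved keeps the raw SID string (S-1-5-21-...).
    $targets = @(Get-Item -LiteralPath $Path -Force) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Access denied on a subtree is itself worth knowing: the collector will hit it too.
            Write-Warning "Cannot read ACL on $($item.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Value
            # Capability SIDs (S-1-15-...) are unresolvable by design on Windows 8/2012+
            # and are not orphans, so they are skipped.
            if ($sid -match '^S-1-\d+(-\d+)+$' -and $sid -notlike 'S-1-15-*') {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$orphans  = @(Find-OrphanedAce -Path $Root)
$explicit = @($orphans | Where-Object { -not $_.Inherited }).Count
$orphans | Sort-Object Path | Format-Table -AutoSize
# Explicit (non-inherited) orphans are the ones to remove; inherited copies disappear
# once the parent is cleaned up.
'{0} unresolvable ACE(s) under {1}, {2} of them explicit' -f $orphans.Count, $Root, $explicit
```

Run it as .\Find-OrphanedAce.ps1 -Root 'D:\Shares' from an account that can read every ACL in the tree. Fix the explicit entries first; a large number of inherited hits usually traces back to a handful of parent folders.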

Configure and run the data visualizer:

Note that the visualizer does not appear to be able to open its Windows form until the Data Collector has finished.

1) Open the Data Visualizer:

%programfiles%\Microsoft Research\MACE\Data Visualizer\Microsoft.Research.Data.UI.exe

2) Create the database server connection:

a) Under “Server & Database” on the left side, click the “Servers” dropdown and select “New Server”.
b) Provide the server name (such as “[hostname]\SQLEXPRESS”).
c) The connection will now be listed in the “Servers” dropdown.

3) Create the database:
a) Under “Server & Database” on the left side, click the “Servers” dropdown and select the server connection you created in Step 2.
b) Beneath the “Servers” dropdown, select the “Databases” dropdown and click “New Database”.
c) Provide the following information:

Database Name: MACE
Load Effective Permissions File: [find the *-ep.txt file produced by the Data Collector, must be located on a local drive]
Load Groups File: [find the *-group.txt file produced by the Data Collector, must be located on a local drive]

d) Click OK and allow the Data Visualizer time to render the results.

Running a query:
The UI is deceptively straightforward.
The bottom tab is hidden by default; it contains the FCI entries for the directory selected in the right-most pane.

You cannot pivot a query across multiple fields; a query runs against a single entity (one of the three available).

The empty red square icon is confusing. It is labelled “No access, by virtue of no ACE found,” but it really means “has access by virtue of inherited group permission; no explicit ACE found.”

If you are pivoting on a directory and entries are absent from “Users and their Memberships” or “Groups and their Members,” it means there are simply no such entries.

Export to Excel:
The Export to Excel function requires a local copy of Excel.

I’ve written to the email address inquiring about providing additional exportation formats (even implementing an open XLSX exporter).

Comparing two EP and GROUP snapshots:

Currently, your best bet is to keep the *-ep.txt and *-group.txt files from each run and compare them.

1) Move the files out of the working directory (native move; GNU mv works too if it is on the PATH, but either way the destination is the folder, not a wildcard):

mkdir "%programfiles%\Microsoft Research\MACE\Data Collector\shot1"
move "%programfiles%\Microsoft Research\MACE\Data Collector\*-ep.txt" "%programfiles%\Microsoft Research\MACE\Data Collector\shot1\"
move "%programfiles%\Microsoft Research\MACE\Data Collector\*-group.txt" "%programfiles%\Microsoft Research\MACE\Data Collector\shot1\"

2) Take another snapshot with Data Collector.

3) Diff the ep files (and the group files the same way) with GNU diff, or with the HTML diff tool below:

gnu diff (exit code 0 = identical, 1 = different, 2 = could not compare; alert on anything but 0). The earlier snapshot now lives in shot1, the new one in the working directory:

diff.exe -q "shot1\SERVER__2_5_2013-ep.txt" "SERVER__2_6_2013-ep.txt"
if not %errorlevel%==0 cscript sendmail.vbs /from:robot@externaldomain.com /to:mbrown@externaldomain.com /subject:"MACE: a permission change took place" /body:"%computername% shared folder SHARE has had a permission change.  Review the files with the Data Visualizer."

diff html tool: (todo: parse the date, accept arguments as files; note: diffhtml returns immediately, before generating the file, so we sleep)

del /q /f %temp%\diffhtml.html
del /q /f %temp%\output.html
diffhtml "shot1\SERVER__2_5_2013-ep.txt" "SERVER__2_6_2013-ep.txt" %temp%\output.html
rem diffhtml has not finished writing output.html when it returns, so give it time
.\gnucoreutils\bin\sleep 120
rem _diffhtmlout = number of "Files are identical" lines in the report; 0 means the snapshots differ
set _diffhtmlout=0
.\gnucoreutils\bin\grep "Files are identical" %temp%\output.html | .\gnucoreutils\bin\wc -l > %temp%\diffhtmltest.log
set /p _diffhtmlout= < %temp%\diffhtmltest.log

if %_diffhtmlout%==0 (
rem put one table row per line, then keep the header plus rows of class C, A and D: changed, added and deleted
.\gnucoreutils\bin\sed "s/<\/tr>/<\/tr>\n/g" %temp%\output.html > %temp%\tmp.html
.\gnucoreutils\bin\head -n 30 %temp%\tmp.html >> %temp%\diffhtml.html
.\gnucoreutils\bin\grep class='C' %temp%\tmp.html >> %temp%\diffhtml.html
.\gnucoreutils\bin\grep class='A' %temp%\tmp.html >> %temp%\diffhtml.html
.\gnucoreutils\bin\grep class='D' %temp%\tmp.html >> %temp%\diffhtml.html
rem close the tags that the grep filtering dropped
echo ^</table^> ^</td^>^</tr^> >> %temp%\diffhtml.html
echo ^</table^> >> %temp%\diffhtml.html
echo ^</HTML^> >> %temp%\diffhtml.html
del /q /f %temp%\tmp.html %temp%\output.html %temp%\diffhtmltest.log
)
if %_diffhtmlout%==0 cscript sendmail.vbs /from:robot@externaldomain.com /to:mbrown@externaldomain.com /subject:"MACE: a permission change took place" /body:"A folder on %computername% has had a permission change.  Review the files with the Data Visualizer." /attachment:%temp%\diffhtml.html

4) Use the diff to focus your search rather than as a source of information in itself: the numbers in the files are contrived and only meaningful to the Data Visualizer’s algorithm, so review the changed entries there.
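The same snapshot-and-compare loop as an added PowerShell example; it is not part of MACE and is not the batch script above. It keeps every run in a dated folder instead of a single shot1, compares the two newest runs line by line, and alerts only when something changed. Because the ep and group file formats are not documented here, lines are treated as opaque strings; the SMTP host and the mail addresses are placeholders.

```powershell
# Added example (not part of MACE): archive each collector run in a dated folder and
# diff the two newest runs. Paths, addresses and the SMTP host are placeholders.
$Collector = Join-Path $env:ProgramFiles 'Microsoft Research\MACE\Data Collector'
$Archive   = Join-Path $Collector 'snapshots'

# Step 1: move the fresh *-ep.txt / *-group.txt files into a folder named by run time.
$dest = Join-Path $Archive (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Get-ChildItem -Path $Collector -File |
    Where-Object { $_.Name -like '*-ep.txt' -or $_.Name -like '*-group.txt' } |
    Move-Item -Destination $dest
if (-not (Get-ChildItem -Path $dest -File)) {
    # Failure mode: the collector produced nothing (see Fatalerrors.txt); keep no empty run.
    Remove-Item -Path $dest
    Write-Warning "No collector output found in $Collector; check Fatalerrors.txt."
    return
}

# Step 2: locate the previous run.
$runs = @(Get-ChildItem -Path $Archive -Directory | Sort-Object Name)
if ($runs.Count -lt 2) { Write-Host 'First snapshot archived; nothing to compare yet.'; return }
$prev = $runs[-2].FullName
$curr = $runs[-1].FullName

# Step 3: line-level diff of one file pair. Lines are opaque strings, so this works
# without knowing the ep/group layout; it assumes one host's files per run.
function Compare-Snapshot {
    param([string]$OldDir, [string]$NewDir, [string]$Suffix)
    $old = Get-ChildItem -Path $OldDir -Filter "*$Suffix" | Select-Object -First 1
    $new = Get-ChildItem -Path $NewDir -Filter "*$Suffix" | Select-Object -First 1
    if (-not $old -or -not $new) { return }
    # @() guards against an empty file, which Compare-Object would otherwise reject as null.
    Compare-Object -ReferenceObject @(Get-Content $old.FullName) -DifferenceObject @(Get-Content $new.FullName) |
        ForEach-Object {
            [pscustomobject]@{
                File   = $Suffix
                Change = @{ '=>' = 'added'; '<=' = 'removed' }[$_.SideIndicator]
                Line   = $_.InputObject
            }
        }
}

$changes = @(Compare-Snapshot $prev $curr '-ep.txt') + @(Compare-Snapshot $prev $curr '-group.txt')
if ($changes.Count -eq 0) { Write-Host "No ACL or group changes between $prev and $curr."; return }

# Step 4: write the change list next to the new snapshot and alert.
$report = Join-Path $curr 'changes.txt'
$changes | Format-Table -AutoSize | Out-String -Width 4096 | Set-Content -Path $report
Send-MailMessage -SmtpServer 'smtp.externaldomain.com' `
    -From 'robot@externaldomain.com' -To 'mbrown@externaldomain.com' `
    -Subject "MACE: $($changes.Count) changed line(s) on $env:COMPUTERNAME" `
    -Body "Review $report, then load the new -ep/-group files in the Data Visualizer." `
    -Attachments $report
```

Schedule it as the step that runs right after DataCollector.exe in the same task. Group-file changes are reported alongside ACL changes on purpose: a user added to a group that already sits in an ACL changes effective access without any ACE changing.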
