Getting the ACL list for servers and mapped drives using C#

Posted 2024-07-14 03:12:49


The production change implementers for our IT group have been tasked with reviewing the security for all of the various objects in our group, primarily to make sure that people who have left our employ or have transferred to other groups no longer have access to our server shares, web directories, sql databases, etc etc. We recently completed the SQL portion and we have a re-usable script that can be run annually (or at whatever frequency we come up with). It worked great and we audited 20 databases across 10 or so servers within a few minutes.

Now, for the server stuff. I have an application that I wrote in C# using .NET 2.0 that will recursively scan a list of directories and dump the ACLs to a text file. This works excellent. On the local machine. UNC and Mapped paths do not work, I get the following exception message: The process does not possess the 'SeSecurityPrivilege' privilege which is required for this operation.

On this line:

DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.All);

Where di is a DirectoryInfo object enumerated from a DirectoryInfo[] array.

We are not likely going to be able to be granted the SeSecurityPrivilege privilege. However I don't think this should be necessary. I can open the folder and right click for properties and click the security tab and view it in the GUI. I should be able to access it programmatically as well.

Any thoughts on how I can change this section of code to get the permissions for the targeted folder?

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;

private void CheckSecurity(DirectoryInfo[] DIArray)
{
    foreach (DirectoryInfo di in DIArray)
    {
        // This is the line that throws for UNC and mapped paths.
        DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.All);
        string sAccessInfo = string.Empty;

        // Explicit and inherited ACEs, identities resolved to DOMAIN\name form.
        foreach (FileSystemAccessRule FSAR in DirSec.GetAccessRules(true, true, typeof(NTAccount)))
        {
            sAccessInfo += GetAceInformation(FSAR);
        }

        if (sAccessInfo != string.Empty)
        {
            // Write info to text file
        }
    }
}

// Formats one ACE as four "Key: value" lines.
private string GetAceInformation(FileSystemAccessRule ace)
{
    StringBuilder info = new StringBuilder();
    string line = string.Format("Account: {0}", ace.IdentityReference.Value);
    info.AppendLine(line);
    line = string.Format("Type: {0}", ace.AccessControlType);
    info.AppendLine(line);
    line = string.Format("Rights: {0}", ace.FileSystemRights);
    info.AppendLine(line);
    line = string.Format("Inherited ACE: {0}", ace.IsInherited);
    info.AppendLine(line);
    return info.ToString();
}

Edit:
How would I check the remote folder for the read attrib in the ACL when it fails on getting the "GetAccessControl()" method for the root folder? (If I pass in \\server\path, it errors on getting the info for \\server\path).

The user account is a domain account and I have permissions to read the file structure. I can view the security from the properties of the folder/files.

I will check out the process monitor but I am not sure that I am going to be able to run it on the server (I am not an admin on the server(s) in question).


Comments (2)

烟火散人牵绊 2024-07-21 03:12:49


You're getting the error because of the 'Auditing' tab, though I'm fairly sure all you really want to access on the screen is the data on the 'Permissions' tab. The SeSecurityPrivilege controls the access to the SACL.

Try changing

DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.All);

to

DirectorySecurity DirSec = di.GetAccessControl(AccessControlSections.Access);

then you should stop getting the error
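An added example (not the asker's or the answerer's code) that applies this fix end to end: it requests only the Access and Owner sections, so no SeSecurityPrivilege is needed, and marks explicit ACEs and unresolved SIDs, which are the entries a leaver review cares about. The class name DaclAudit, the `\\SERVER\share` path and the `[EXPLICIT]` / `[UNRESOLVED SID]` markers are assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
// Reads only the DACL (permissions) and owner of each folder: neither needs
// SeSecurityPrivilege, which is required only for the SACL (auditing) that
// AccessControlSections.All pulls in.
static class DaclAudit
{
    const AccessControlSections DaclAndOwner =
        AccessControlSections.Access | AccessControlSections.Owner;

    public static string DumpDacl(DirectoryInfo di)
    {
        DirectorySecurity sec;
        try { sec = di.GetAccessControl(DaclAndOwner); }
        catch (UnauthorizedAccessException)
        {
            // READ_CONTROL ("Read Permissions") is missing on this folder for the running account.
            return "Folder: " + di.FullName + "  access denied reading DACL" + Environment.NewLine;
        }

        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Folder: " + di.FullName);
        try { sb.AppendLine("Owner: " + sec.GetOwner(typeof(NTAccount))); }
        catch (IdentityNotMappedException)
        {
            // Orphaned SID: the owning account no longer exists, worth flagging in a leaver audit.
            sb.AppendLine("Owner: " + sec.GetOwner(typeof(SecurityIdentifier)) + "  [UNRESOLVED SID]");
        }
        foreach (FileSystemAccessRule ace in sec.GetAccessRules(true, true, typeof(NTAccount)))
        {
            // Explicit (non-inherited) ACEs are where stale per-user grants accumulate.
            sb.AppendFormat("  {0,-5} {1}  {2}{3}", ace.AccessControlType,
                ace.IdentityReference.Value, ace.FileSystemRights,
                ace.IsInherited ? "" : "  [EXPLICIT]").AppendLine();
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Placeholder share (assumption); replace with the UNC or mapped path to audit.
        DirectoryInfo root = new DirectoryInfo(@"\\SERVER\share");
        Console.Write(DumpDacl(root));
        foreach (DirectoryInfo sub in root.GetDirectories("*", SearchOption.AllDirectories))
            Console.Write(DumpDacl(sub));
    }
}
```

GetAccessRules leaves unmappable SIDs as SecurityIdentifier values, so any S-1-5-21-... string in the ACE output is likewise an account that no longer resolves.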

一个人的旅程 2024-07-21 03:12:49


Check that the remote folder grants the user running the code Read Attributes in the ACL.

Also remember that the permissions are resolved on the remote (server) machines, so local group (Users and Administrators) membership may not include the user account running on the client.

Having Process Monitor running on the server (filtered to the folders/files in question) may help resolve details of why it is failing.
