How to audit permissions after a Windows migration

As companies move off Windows 7 and Server 2008, they run the risk of leaving dangerous access permissions behind. Here's how to find them.

A businessman interacts with a Microsoft-colored shield protecting network users + user groups.
Natali Mis / Getty Images

Ransomware often leverages a cracked administrator or local administrator password to gain access across a network, or it sets permissions across a network so that attackers can gain access. That’s why it’s important to manage permissions in Windows carefully.

For example, you might be in the process of migrating to a newer version or recently completed a migration from Windows 7 or Server 2009R2. As part of that process, it’s common to change default permissions to copy files, move data and migrate servers. Have you gone back to make sure you’ve removed all excess permissions once the migration is complete? You might have left a door open for an attacker.

Check permission settings before migrating

Get-Acl is the basic PowerShell command to obtain information about the security of a resource. In legacy networks, NT File System (NTFS) permissions have often been set to looser standards. Unless you’ve audited them, you might not realize how they are set. If you are migrating from an older operating system, the permissions were set for a different era and might need to change.

Before starting a migration process, review the permissions that were set. Start with a PowerShell Get-Acl command to see how the NTFS permissions are set. To review all permissions of all users or groups of users in a network, perform an NTFS Directory Effective Permissions Audit.

Permissions when exporting virtual machines

When exporting virtual machines (VMs), you often must change the permissions to migrate. If you don’t change permissions, you will receive an error message “Failed to copy file from ‘<source path of VHD file>’ to ‘<network share>’: General access denied error (0x80070005)”. Because the system account of the Hyper-V host executes the export, the Hyper-V host does not have permission on the network share. Thus, it’s recommended to change permissions to allow systems to access each other.

Another common option to export resources over a network is using the PsTools from Sysinternals. Follow these steps to ensure you leave no dangerous permissions behind:

  • Install PsTools in the working directory from which you’ll run the next commands.
  • Open an elevated command prompt and accept the User Access Control (UAC) prompt.
  • Run psexec.exe \\<localServerName> /s cmd.exe, which provides you with another command prompt that runs under the system context not your user context.
  • Run the command net use \\<remoteServerName>\<sharename> /user:<domain>\<userName> <password>. This command authenticates the system account across the network to the share to which you need to export the VM.
  • Return to the Hyper-V Microsoft Management Console (MMC) and the export will complete.
  • Once you are done, use the command net use \\<remoteServerName>\<sharename> /delete to remove the credentials from the system account or reboot the computer to remove the permissions.

Permissions when migrating to Office 365

Many organizations are moving files and resources to Office 365. Once you migrate to cloud resources, you can use different tools to review sharing and permissions. NTFS auditing no longer means as much as it did with traditional file shares.

With Microsoft 365 you can review what has been shared with others in OneDrive and SharePoint. Sharing auditing in Office 365 allows the administrator to generate a list of shared resources. To enable this report, go to Microsoft’s Security & Compliance Center and sign in. In the left pane, click on “Search” then click on “Audit log search”. Under “Activities”, click in “Sharing and access request activities” to search for sharing-related events.

bradley permissions 1 Susan Bradley

Office 365 Security and Compliance Center

There you can perform searches ranging from creating access links to sharing the file, folder or site.

bradley permissions 2 Susan Bradley

Audit log search

Review access to SharePoint by searching for a “ViewableByExternalUsers=True” query and “ViewableByAnonymousUsers=true" in the search bar of Office 365. These commands will give you an overview of files or folders that have been shared outside your organization. For a more robust review of access, download the Netwrix Auditor for Office 365 to give you a report of the access of Office 365. They provide a limited community version that you can set up to report on access for your cloud assets and alert you to changes.

Whether you are migrating to on-premises or cloud services, you need to confirm that permissions are set the way you intended. Accidental excess permissions can lead to security events like the exposure of 885 million mortgage records at First American Financial Corporation. A misconfiguration in its web server allowed users to access records that they should not have been able to access. If someone had audited the permissions set on the web server, they may have saved themselves from the headlines. Take the time to review permissions and access to ensure they are set up how you intended them to be.

Don’t forget to sign up for TechTalk from IDG the new YouTube channel for tech news of the day.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!