I am being asked to write a compliance script, part of it being a check against the NTFS permissions for the folder that holds the vCenter certificates, to ensure correct access.
Has anyone done this? Any ideas on how best to tackle this?
Any help appreciated
Thanks
The NTFS permissions on the SSL folder (C:\ProgramData\VMware\VMware VirtualCenter\SSL) are normally inherited from the parent folder.
There could be other permissions that come from other components. For example, some backup tools run under a service account that also needs some access.
What do you want to check, in fact?
Is there a file that contains the permissions that should be there?
Wouldn't it be easier to activate auditing on that folder (success and failure)?
In that case you detect any changes from the Security event log.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks for the quick reply as always Luc
Our Security dept., as Security depts. do... have asked that I produce a single script that checks many things.
I guess they want to ensure that no-one has access to the certs that shouldn't.
Whilst enabling auditing would seem the most appropriate, I just wanted to see how difficult it would be to do a scripted check.
It would be the permissions on the cert file itself they are interested in, not so much the folder. I could specify the perms that should be there to check against.
Cheers
Jim
The following gives you the NTFS permissions on the files in the SSL folder.
It assumes that the administrative share C$ is there, and that the account under which you execute the script has access to that share.
An alternative would be to use the Invoke-VMScript cmdlet, provided the vCenter is a VM.
Another alternative is to use PowerShell remoting, but that requires WinRM to be configured.
# Name of the vCenter the current PowerCLI session is connected to
$vCenter = $global:DefaultVIServer.Name

# Read the ACL of every file under the SSL folder through the C$ admin share
$acl = Get-ChildItem "\\$($vCenter)\c$\ProgramData\VMware\VMware VirtualCenter\SSL" -Recurse | Get-Acl

# One row per access control entry (ACE) per file
foreach($file in $acl){
    $file.Access | Select-Object @{N="File";E={$file.PSChildName}},
        @{N="Path";E={$file.Path.Split(':')[2]}},
        @{N="Owner";E={$file.Owner}},
        @{N="Name";E={$_.IdentityReference}},
        @{N="Type";E={$_.AccessControlType}},
        @{N="Rights";E={$_.FileSystemRights}}
}
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
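The listing above shows the ACEs; a compliance script also has to decide whether they are acceptable. The following is an added example, not code from this thread or from VMware, that compares the owner and every Allow ACE on each certificate file against an expected baseline and reports deviations. It assumes a PowerCLI session connected to the vCenter ($global:DefaultVIServer), a reachable C$ share, and a baseline table ($baseline) that is a constructed placeholder to be replaced with your own standard.

```powershell
# Added example: NTFS permission compliance check for the vCenter SSL folder.
# Assumes a connected PowerCLI session and access to the C$ admin share.
$vCenter = $global:DefaultVIServer.Name
$sslPath = "\\$vCenter\c$\ProgramData\VMware\VMware VirtualCenter\SSL"

# Constructed baseline (placeholder): identity -> maximum rights allowed.
# Any identity not listed, or holding bits beyond the listed mask, is a finding.
$baseline = @{
    'NT AUTHORITY\SYSTEM'    = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Administrators' = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function Test-SslFolderCompliance {
    param([string]$Path, [hashtable]$Baseline)

    foreach ($item in Get-ChildItem -Path $Path -File -Recurse) {
        $acl = Get-Acl -Path $item.FullName

        # The owner can always rewrite the DACL, so an unexpected owner is a
        # finding even when every ACE looks correct.
        if ($acl.Owner -notin $Baseline.Keys) {
            [pscustomobject]@{ File = $item.Name; Identity = $acl.Owner
                               Issue = 'Unexpected owner'; Rights = $null; Inherited = $null }
        }

        foreach ($ace in $acl.Access) {
            # Deny ACEs only restrict access; they never grant, so skip them.
            if ($ace.AccessControlType -eq 'Deny') { continue }

            $id = $ace.IdentityReference.Value
            if (-not $Baseline.ContainsKey($id)) {
                [pscustomobject]@{ File = $item.Name; Identity = $id
                                   Issue = 'Identity not in baseline'
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
                continue
            }

            # Bitwise test: any right bit on the ACE that is not in the allowed mask.
            # Note: inherited ACEs can carry generic rights (e.g. 268435456) that do
            # not map onto FullControl's bits; those surface here as findings too.
            $excess = [int]$ace.FileSystemRights -band (-bnot [int]$Baseline[$id])
            if ($excess -ne 0) {
                [pscustomobject]@{ File = $item.Name; Identity = $id
                                   Issue = 'Rights exceed baseline'
                                   Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

$findings = @(Test-SslFolderCompliance -Path $sslPath -Baseline $baseline)
if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $vCenter SSL folder matches the baseline"
} else {
    Write-Output "NON-COMPLIANT: $($findings.Count) deviation(s) on $vCenter"
    $findings | Format-Table -AutoSize
}
```

The function returns one object per deviation, so the caller can pipe the result to Export-Csv for the security team or fold it into a larger compliance report. Because inherited ACEs are reported with Inherited = True, a finding caused by the parent folder (as Luc mentioned) is easy to tell apart from an explicit ACE someone added to a certificate file.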
Hi LucD,
Sorry to pull you onto this old thread. I am just trying something similar to what is mentioned in the thread.
I am trying to get the list of users mentioned in the share tab of the folder's advanced security settings, but I am unable to find the exact cmdlet (see the snippet below). I am looking for the information which is highlighted in yellow.
Get-Acl -Path "\\share\folder1"
Have a look at the Get-SmbShareAccess cmdlet.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
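Get-Acl only returns the NTFS DACL; the share tab is a separate SMB-level ACL. The following added example (not from this thread) lists both for a remote share, since effective access over the network is the intersection of the two. The server name fileserver01 and the share name folder1 are placeholders, and it assumes the running account is an administrator on the file server and that WinRM/CIM remoting is enabled there.

```powershell
# Added example: share-level (SMB) and NTFS permissions for one remote share.
# 'fileserver01' and 'folder1' are constructed placeholders.
$server    = 'fileserver01'
$shareName = 'folder1'

function Get-SharePermissionReport {
    param([string]$ComputerName, [string]$Name)

    # CIM session so Get-SmbShare/Get-SmbShareAccess run against the remote host
    $cim = New-CimSession -ComputerName $ComputerName
    try {
        $share = Get-SmbShare -Name $Name -CimSession $cim

        # Share tab entries (what Get-Acl does not show)
        $smb = Get-SmbShareAccess -Name $Name -CimSession $cim |
            ForEach-Object {
                [pscustomobject]@{ Layer = 'Share'; Path = $share.Path
                                   Identity = $_.AccountName
                                   Type = $_.AccessControlType; Rights = $_.AccessRight }
            }

        # NTFS DACL of the same folder, read through the share itself
        $ntfs = (Get-Acl -Path "\\$ComputerName\$Name").Access |
            ForEach-Object {
                [pscustomobject]@{ Layer = 'NTFS'; Path = $share.Path
                                   Identity = $_.IdentityReference.Value
                                   Type = $_.AccessControlType; Rights = $_.FileSystemRights }
            }

        $smb + $ntfs
    } finally {
        Remove-CimSession -CimSession $cim
    }
}

Get-SharePermissionReport -ComputerName $server -Name $shareName |
    Sort-Object Layer, Identity | Format-Table -AutoSize
```

For a compliance check, a broad share-level entry such as Everyone with Full control is worth flagging on its own even when the NTFS DACL is tight, because the NTFS layer is then the only thing standing between the share and the data.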