VMware Cloud Community
js40687
Contributor

Compliance check of NTFS permission on the vCenter server

I am being asked to write a compliance script, part of which is a check against the NTFS permissions for the folder that holds the vCenter certificates, to ensure correct access.

Has anyone done this? Any ideas how best to tackle this?

Any help appreciated

Thanks

LucD
Leadership

The NTFS permissions on the SSL folder (C:\ProgramData\VMware\VMware VirtualCenter\SSL) are normally inherited from the parent folder.

There could be other permissions that come from other components. For example, some backup tools run under a service account that also needs some access.

What do you want to check, in fact?

Is there a file that contains the permissions that should be there?

Wouldn't it be easier to activate auditing on that folder (success and failure)?

In that case you detect any changes from the security event log?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

js40687
Contributor

Thanks for the quick reply as always, Luc.

Our Security dept, as Security depts do... have asked that I produce a single script that checks many things.

I guess they want to ensure that no-one has access to the certs that shouldn't.

Whilst enabling auditing would seem the most appropriate, I just wanted to see how difficult it would be to do a scripted check.

It would be the permissions on the cert file itself they are interested in, not so much the folder. I could specify the perms that should be there to check against.

Cheers

Jim

LucD
Leadership

The following gives you the NTFS permissions on the files in the SSL folder.

It assumes that the administrative share C$ is there, and that the account under which you execute the script has access to that share.

An alternative would be to use the Invoke-VMScript cmdlet, provided the vCenter is a VM.

Another alternative is to use PowerShell remoting, but that requires WinRM to be configured.

# Name of the currently connected vCenter; the SSL folder is reached over the C$ admin share.
$vCenter = $global:DefaultVIServer.Name
$acl = Get-ChildItem "\\$($vCenter)\c$\ProgramData\VMware\VMware VirtualCenter\SSL" -Recurse | Get-Acl

# One row per access control entry; Path is the part after the "FileSystem::" provider prefix.
foreach ($file in $acl) {
    $file.Access |
        Select-Object @{N = "File";  E = { $file.PSChildName }},
                      @{N = "Path";  E = { $file.Path.Split(':')[2] }},
                      @{N = "Owner"; E = { $file.Owner }},
                      @{N = "Name";  E = { $_.IdentityReference }},
                      @{N = "Type";  E = { $_.AccessControlType }},
                      @{N = "Rights"; E = { $_.FileSystemRights }}
}


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
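Jim mentioned he could specify the permissions that should be present and check against them. The following is an added example (not LucD's code and not part of the original thread) that takes LucD's listing one step further: it compares each certificate file's Allow entries against an expected baseline and reports only the deviations. The $baseline identities and rights are illustrative placeholders, to be replaced with the organisation's approved list; $vCenter and the SSL path are taken from the snippet above.

```powershell
# Added example: NTFS ACL compliance check for the vCenter SSL folder.
# Assumes the C$ admin share is reachable, as in LucD's snippet.
$vCenter = $global:DefaultVIServer.Name
$sslPath = "\\$($vCenter)\c$\ProgramData\VMware\VMware VirtualCenter\SSL"

# Baseline: identity -> the only FileSystemRights that identity may hold.
# Placeholder values for illustration, not a VMware-documented baseline.
$baseline = @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
}

function Test-CertAclCompliance {
    param([string]$Path, [hashtable]$Baseline)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName

        # Inherited ACEs are checked too: an inherited grant still gives access.
        foreach ($ace in $acl.Access) {
            # Deny ACEs never widen access, so only Allow entries are compared.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $id     = $ace.IdentityReference.Value
            $rights = $ace.FileSystemRights.ToString()

            if (-not $Baseline.ContainsKey($id)) {
                $status = 'UnexpectedIdentity'   # someone outside the approved list
            } elseif ($rights -ne $Baseline[$id]) {
                $status = 'UnexpectedRights'     # approved identity, wrong rights
            } else {
                $status = 'OK'
            }

            [pscustomobject]@{
                File      = $file.Name
                Identity  = $id
                Rights    = $rights
                Inherited = $ace.IsInherited
                Status    = $status
            }
        }
    }
}

# Report deviations only; an empty result means the folder matches the baseline.
Test-CertAclCompliance -Path $sslPath -Baseline $baseline |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Because the report includes the Inherited column, a deviation that comes from the parent folder (the normal case LucD describes) is distinguishable from an explicit grant on the certificate file itself.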

vin01
Expert

Hi LucD,

Sorry to pull you onto this old thread. I am just trying something similar to what is mentioned in the thread.

I am trying to get the list of users shown in the Share tab of the folder's advanced security settings, but I am unable to find the exact cmdlet (see the snippet below). I am looking for the information highlighted in yellow.

Get-Acl -Path "\\share\folder1"


Regards, Vineeth.K
LucD
Leadership

Have a look at the Get-SmbShareAccess cmdlet.


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
