PowerShell v3 Adding SACL Auditing to a File

Security, in Windows, can be a pretty large, complex subject, particularly from a developers perspective. A few years ago I started exploring security, and, found some great resources. However, when I recently went to figure out how to add a SACL to a file for monitoring I came up short. So, the post below is an exploration of just what SACLs are and how to add them in Windows.

Security is controlled, in NTFS based file systems, on just a few key concepts. Two of the main concepts are: ACEs (access control entry) and ACLs (access control list). An ACE is a structure applied to an object indicated a specific right required by the object to be accessed. An ACL is a composite list of ACEs used to indicate the full permissions required/applied to an object. In short, an ACE belongs to an ACL; conversely, an ACL is composed of ACEs.

ACLs come in two flavors: 1) DACL (discretionary access control list) and SACL (system access control list). Keith Brown gives a great description of the two structures, in The .NET Developers Guide to Windows Security,

The discretionary access control list (DACL) contains a list of permissions granted or denied to various users and groups. The reason its called "discretionary" is that the owner of the object is always allowed to control its contents. Contrast this to the system access control list (SACL), over which the owner has no special control. In fact, the owner of an object isnt even allowed to read it. The SCAL is designed for use by security officers, and it specifies what actions will be audited by the system. I like to think of the SACL as the "Big Brother" bits.

In usage, SACLs are great for tracking who accesses a file. They provide a way to keep track of who works with a given object. One thing to note is that ACLs are not stored in the object, but, rather in the $MFT (master file table). For example, using Access Datas FTK Imager, you can see, below, two permission sets: 1) Take ownership and 2) Full permission.

Full permissions - explorer properties

Full permissions - FTK Imager ($MFT) view

Take ownership - explorer properties

Take ownership - FTK Imager ($MFT) view

When you start working with PowerShell, the Access Masks are displayed in terms of .NET enumerations. Below is a quick example to create a new file and return the SACL (Audit) permissions of the file listed above.

# Start afresh

Clear-Host

# Create new directory if it doesnt already exist

if(!(Test-Path ($path = C: est)))

{

      md $path

}

# Pipe dir contents to test.log

dir C: > ($file = "$path est.log")

# Get ACL information for new file

Get-Acl $file -Audit | select *

When I run this I get the following output in PowerShell:

PSPath                  : Microsoft.PowerShell.CoreFileSystem::C: est est.log

PSParentPath            : Microsoft.PowerShell.CoreFileSystem::C: est

PSChildName             : test.log

PSDrive                 : C

PSProvider              : Microsoft.PowerShell.CoreFileSystem

Audit                   : {}

AccessToString          : BUILTINAdministrators Allow  FullControl

                          NT AUTHORITYSYSTEM Allow  FullControl

                          BUILTINUsers Allow  ReadAndExecute, Synchronize

                          NT AUTHORITYAuthenticated Users Allow  Modify, Synchronize

AuditToString           :

Path                    : Microsoft.PowerShell.CoreFileSystem::C: est est.log

Owner                   : BUILTINAdministrators

Group                   : DOMAINDomain Users

Access                  : {System.Security.AccessControl.FileSystemAccessRule, System.Security.Ac                          cessControl.FileSystemAccessRule, System.Security.AccessControl.FileSys                          temAccessRule, System.Security.AccessControl.FileSystemAccessRule}

Sddl                    : O:BAG:DUD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)S:AI(AU;SA;WO;;;S-1-5-21-1234567890-1234567890 -1234567890 -1000)

AccessRightType         : System.Security.AccessControl.FileSystemRights

AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule

AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule

AreAccessRulesProtected : False

AreAuditRulesProtected  : False

AreAccessRulesCanonical : True

AreAuditRulesCanonical  : True

What is important to note here is the Sddl values. For more information on SDDL, check out this link:

Understanding SDDL Syntax

As I start playing around with Get-Acl and the various options I wanted to know what all was available to work with, so, I did a Get-Member:

Get-Acl C: est est.log |

Get-Member |

ft name,membertype -AutoSize

Name                                MemberType

----                                ----------

Access                            CodeProperty

Group                             CodeProperty

Owner                             CodeProperty

Path                              CodeProperty

Sddl                              CodeProperty

AccessRuleFactory                       Method

AddAccessRule                           Method

AddAuditRule                            Method

AuditRuleFactory                        Method

Equals                                  Method

GetAccessRules                          Method

GetAuditRules                           Method

GetGroup                                Method

GetHashCode                             Method

GetOwner                                Method

GetSecurityDescriptorBinaryForm         Method

GetSecurityDescriptorSddlForm           Method

GetType                                 Method

ModifyAccessRule                        Method

ModifyAuditRule                         Method

PurgeAccessRules                        Method

PurgeAuditRules                         Method

RemoveAccessRule                        Method

RemoveAccessRuleAll                     Method

RemoveAccessRuleSpecific                Method

RemoveAuditRule                         Method

RemoveAuditRuleAll                      Method

RemoveAuditRuleSpecific                 Method

ResetAccessRule                         Method

SetAccessRule                           Method

SetAccessRuleProtection                 Method

SetAuditRule                            Method

SetAuditRuleProtection                  Method

SetGroup                                Method

SetOwner                                Method

SetSecurityDescriptorBinaryForm         Method

SetSecurityDescriptorSddlForm           Method

ToString                                Method

PSChildName                       NoteProperty

PSDrive                           NoteProperty

PSParentPath                      NoteProperty

PSPath                            NoteProperty

PSProvider                        NoteProperty

AccessRightType                       Property

AccessRuleType                        Property

AreAccessRulesCanonical               Property

AreAccessRulesProtected               Property

AreAuditRulesCanonical                Property

AreAuditRulesProtected                Property

AuditRuleType                         Property

AccessToString                  ScriptProperty

AuditToString                   ScriptProperty

Theres quite a bit to work with, so, I decide to try and map out some options in order to figure out how to manually create a SACL. This link helps me get a few starting steps:

How to Handle NTFS Folder Permissions, Security Descriptors and ACLs in PowerShell 

To get a more explicit breakdown of what I am working with currently, I run this command:

get-acl