Security Explorer 4.8
This powerful tool allows you to view or modify permissions on any NTFS object in your network.
by Danielle Ruest and Nelson Ruest
Posted June 24, 2004
Controlling access rights is a full-time job for some administrators. There's always something to do: create a file share here, a new folder there, manage registry settings for one user, add a new user to a folder, rename user accounts, and so on. When you're working only with the default Windows tools, you have to use a series of Microsoft Management Consoles (MMCs) to get the job done right. Not so with ScriptLogic's Security Explorer 4.8. Explorer gives you a one-stop shop for all permissions management in organizations of any size. Whether you have one or 1,000 servers, Security Explorer will let you view and modify permissions on files, folders, registry settings, and file shares using a single, easy-access interface (see Figure 1).
This tool is especially useful when working with user home directories or redirected folders. One issue administrators face today is that with Windows NT or Windows 2000, you must modify the default permissions that are assigned to automatically created user folders—for example, when using the %username% variable for the generation of user home folders. To do this, you might use the cacls or the xcacls commands, running the following command at the root of the shared folder structure you design to store user shares, for example:
cacls *.* /t /e /c /g administrators:f
This command uses /t to modify all subdirectories, /e to edit and not replace permissions, /c to ignore all errors, and /g to grant the administrators group full permissions on all file objects. This way you can see and work with the contents of user shares without taking away their own rights. Of course, this command is no longer necessary in Windows Server 2003 because it automatically grants the administrators group these rights when it generates a private home folder for users. But if you're still working with NT or Windows 2000, you need this command. Not so if you use Security Explorer. Explorer includes a handy little capability to use the Backup Operators' right to back up files to let you manage these permissions without having to change their access rights.
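To see which home folders actually need the grant described above, the following read-only audit lists the folders where the administrators group lacks full control. It is an added example, not code from the article or from ScriptLogic, and the `$Root` path is a hypothetical placeholder for your own home-folder share.

```powershell
# Added example: read-only audit of home-folder ACLs; it changes nothing.
param(
    [string]$Root = 'D:\Users'   # assumption: root of the shared home-folder structure
)

# Resolve BUILTIN\Administrators by its well-known SID so the check
# also works on localized systems where the group name differs.
$adminSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-AdminFullControl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # An unreadable ACL is the locked-out case the article describes.
        return $null
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $appliesHere = ($rule.PropagationFlags -band $inheritOnly) -ne $inheritOnly
        if ($rule.IdentityReference.Value -eq $adminSid.Value -and
            $rule.AccessControlType -eq 'Allow' -and
            $appliesHere -and
            ($rule.FileSystemRights -band $fullControl) -eq $fullControl) {
            return $true
        }
    }
    return $false
}

# Report only the folders that still need attention.
Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    $result = Test-AdminFullControl -Path $_.FullName
    [pscustomobject]@{
        Folder           = $_.FullName
        AdminFullControl = if ($null -eq $result) { 'ACL unreadable' } else { $result }
    }
} | Where-Object { $_.AdminFullControl -ne $true } | Format-Table -AutoSize
```

Running it before and after the cacls command shows exactly which folders the grant changed, which is useful evidence for a permissions change record.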
In addition, each time you modify the access rights of a file or folder, the system will reset its archive bit by default. It makes sense; it assumes that since the permissions have changed, the file needs to be backed up. But if you reset the permissions on an entire folder structure, this might cause inordinately long backups when you only granted access rights for a single user or group—normally, though, you would apply access rights to groups as a best practice, not users. With Security Explorer, you can tell the system to ignore access rights modifications and not reset the archive bit, another handy feature.
Security Explorer also gives you full access to the registry (see Figure 2). This means that you can control and modify the access rights applied to each registry key or registry trees through a series of simple clicks. This is especially useful when you have to run legacy applications in a locked down environment such as Windows XP or Windows Server 2003. Both deny modification permissions in the HKEY_Local_Machine hive to all users, but most legacy applications require write access to some of these keys. With Security Explorer, a series of simple clicks will modify these permissions and allow the application to run without having to change permissions for the entire registry. The same goes for program files located under both the Program Files and the Windows folders. Users don't normally have write access to these, but legacy applications often require it. Security Explorer comes to the rescue by giving you granular control over the access to these files.
Explorer also lets you rename accounts, though this feature is obviously a legacy from NT because it is focused on the down-level account name and not all of the account properties you find in an Active Directory. To document the modifications you make, it lets you export all permission settings to either a database or an Excel file. Explorer comes with an Access 97 database, which is quite an outdated format today, but because it supports ODBC, you can replace it with any ODBC-compliant database. It also lets you back up permissions and restore them: You design a security structure on one system and restore it on multiple other systems. You can also target multiple drives or multiple servers through the use of Enterprise Scopes—listings of several servers or drives stored in a special format. It also clones security permissions to let you quickly apply similar permissions to multiple users or groups. And because it supports the command line through four different commands, Security Explorer will let you create batch files that will clone, back up and restore, export security settings, or simply grant access to new accounts.
Overall, Security Explorer is a powerful tool that will come in handy to administrators in charge of access rights and permissions in any organization. But beware: It gives powerful capabilities to any administrator, even one without access rights to the objects being managed. Make sure this tool does not fall into the wrong hands. As for operation, Security Explorer works well, installs as an MSI and therefore through the Windows Installer service, and is one of the fastest installations we've seen to date. The only drawback is the reference to Small Wonders Software. Because it has been several months since ScriptLogic purchased Small Wonders, we would expect that all references to Small Wonders would be excised.
Quick Facts
Security Explorer 4.8
ScriptLogic
Web: www.ScriptLogic.com/eng/products/securityexplorer/main.asp
Phone: 800-813-6415
Pricing: Starts at $699 per server, with volume discounts available. Includes one year of maintenance.
Quick Facts: Tool designed to centrally manage permissions for files, registry settings, and shared folders on enterprise servers. Provides complete information on all settings in organizations of any size.
Pros: Allows full control of permissions on all files, even files you don't normally have access rights to. Provides comprehensive set of tools to manage permissions at all levels of the enterprise.
Cons: Can create a security risk if placed in the wrong hands. Very powerful suite of tools for access-control management; must be supervised carefully. Installs into Small Wonders Software program group instead of ScriptLogic.
About the Author
Danielle Ruest and Nelson Ruest (MCSE, MCT) are multiple book authors focusing on systems design, administration, and management. They run a consulting company that concentrates on IT infrastructure architecture and change and configuration management. You can reach them at .