True, for computers having at least one such product installed. Use @wdormann's script to check your computer: https://gist.github.com/wdormann/eb714d1d935bf454eb419a34be266f6f …
Yeah @wdormann's script is very useful. I've used it a fair amount of times
Replying to @fritzboger @wdormann
Mitja Kolsek Retweeted Will Dormann
Paging @SwiftOnSecurity! Wouldn't it be educational if you ran this script on all your corporate computers, aggregated results and published a list of apps that were found to be putting the everyone-writable-PATH hole in the system? https://twitter.com/wdormann/status/1192180116417392642 …
Replying to @mkolsek @SwiftOnSecurity and
Use run scripts in ConfigMgr and it will collate the results in there
Replying to @dooley_do @mkolsek and
Unfortunately, this won't work since the script requires running without administrative privileges. Scripts always run as SYSTEM: https://docs.microsoft.com/en-us/configmgr/apps/deploy-use/create-deploy-scripts#target-machine-execution …
Replying to @NathanMcNulty @dooley_do and
Should be fairly easy to modify the script to check ACL for regular users instead of write access by the current user
Replying to @fritzboger @dooley_do and
Sure, fairly easy... Knock yourself out bud ;) Good luck evaluating for all of these conditions: https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.filesystemrights?view=netframework-4.8 … Don't forget, you can't key off just BUILTIN\Users, NT AUTHORITY\Authenticated Users, and EVERYONE. You need to check all AD and local security groups.
Replying to @NathanMcNulty @dooley_do and
Doesn't this depend on your goals? If you want to do a full assessment of your AD, then yes you need to check all groups. But if you just want a quick list of possible candidates AUTHORITY\Authenticated Users should do just fine.
Replying to @fritzboger @NathanMcNulty and
As for the FileSystemRights, one of the following combinations should be enough:
ChangePermissions
CreateFiles + WriteData
TakeOwnership
Write
Replying to @fritzboger @dooley_do and
Sorry man, honestly trying to show it's not that simple. Compiled permissions sometimes don't let you key off just the words. Our org has different permissions for staff than students, and I'd assume other environments are more complex. Here's an example of what I'm talking about pic.twitter.com/8Qrlr404w6
Yeah, I originally started to go down the ACL path (as you can see from the commented-out line in my gist). But I quickly realized that it was going to be overly complicated. Thus my compromise of just checking if the current user can create a file in the directories in question.
Replying to @wdormann @fritzboger and
And it's honestly the most elegant solution to the problem. Why chase a moving target of perms and security groups when you can just test creating a file and see if it lets you ;) I actually deployed it as a discovery script in a CI/Baseline in ConfigMgr. Runs on every logon as user!
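The file-creation test discussed in this thread, as an added PowerShell example (it is not the code from @wdormann's gist and not any participant's script). The function names and output fields are assumptions chosen here; it is meant to be run as a standard, non-elevated user and emits one record per writable machine PATH directory for collection.

```powershell
# Added example: audits machine PATH directories by attempting to create a file as the current user.
function Test-PathDirWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Random probe name so an existing file is never touched or overwritten.
    $probe = Join-Path $Directory ("pathprobe_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
    try {
        # CreateNew fails if the name exists; success means this user can place a file here.
        $fs = [System.IO.File]::Open($probe, [System.IO.FileMode]::CreateNew)
        $fs.Dispose()
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false   # access denied, read-only location, and so on
    }
}

function Get-WritableSystemPathDir {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($elevated) {
        # An elevated or SYSTEM context can write almost everywhere, so the test says nothing.
        Write-Warning 'Running elevated: results do not reflect a standard user.'
    }
    # Machine-level PATH only; the per-user PATH is writable by its owner by design.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $machinePath -split ';' |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
        Where-Object { $_ } |
        Sort-Object -Unique |
        ForEach-Object {
            $exists = Test-Path -LiteralPath $_ -PathType Container
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                User      = $id.Name
                Directory = $_
                Exists    = $exists
                Writable  = if ($exists) { Test-PathDirWritable $_ } else { $false }
            }
        }
}

# One JSON document per machine, listing only the directories the current user could write to.
Get-WritableSystemPathDir | Where-Object Writable | ConvertTo-Json
```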