Applying Folder Permissions for nested folders

My company uses a network share to place all the customers’ information regarding work we are doing for them in a centralized location.  Each job we do has its own folder and each folder has a standardized set of folders.  Some of the information in these folders is available to all users, while some (like financial data) we keep secured.

The structure of the folders looks something like this (image on the left):

[Image: Folders]

Note the job numbers are different but all the subsequent folders are the same.  The issue at hand, however, is that the folders need separate security on each of them (or at least different security on each depending on the content of the folders and what management has asked for different groups to have access to).  So for my example here, let’s say we have two groups, group A and group B.

Group A has full control over all the folders, and group B has access to all the folders except Drawings and Financials.  The challenge, then, is to apply the correct security permissions.  And while my drawing here shows just two folders, my real-life challenge consisted of hundreds of folders like this.

My original attempt was to create a template folder that had all of the correct permissions assigned to it.  I then created a batch file for the end users to run to create a new folder with the correct security permissions.  The batch file was just a simple running of Robocopy with the /sec switch implemented.

ROBOCOPY \\Sourceserver\Share\Template \\Sourceserver\Share\!New /E /SEC

That’s put in a batch file and then the end user, when they start a new job, is supposed to run the batch file and then rename the folder that is created, “!New”.

The problem is relying on the end users to actually follow procedure is kind of pointless.  They never do it as it is much easier to copy and paste the new folder than to double click a batch file.

So the issue that was presented to me was to apply the correct security consistently through hundreds of folders and multiple companies and various geographical sites and networks.

Ugh!

So my first thought was some sort of batch script, but that quickly became a nightmare due to the differences in file structure on the server.

I then turned to PowerShell.  While I had minimal experience with PowerShell, with most of it being in the Exchange version of PowerShell, I knew of the awesome power of it and figured if anything could apply these permissions correctly it would be PowerShell.

Off to Google I went.  I found many different solutions on how to assign permissions to a folder, but most of them were in reference to creating a folder and assigning permissions to the newly created folder.  More specifically, they were usually talking in reference to user folders in the home directory.  I wanted to change permissions on folders that were already existing.

So I broke the problem down into two parts.  The first part was to identify the folders to have their permissions changed and the second part was to actually change the permission.

I decided to create two variables.  The first was the sub-folders I wanted to find and the second was the variable containing the path of the folders including the sub-folders.  So in my example to the left, the first variable would be a static list of the sub-folders I want to change the permissions on (Drawings and Financials).  The second variable would be the entire path of the folder.  So, again from the example to the left, our path would end up being \\Root\Job1\Financials, \\Root\Job1\Drawings, \\Root\Job2\Financials and \\Root\Job2\Drawings.  I wanted to do it with two variables in case I need to change the name of the sub-folders later on.  And piping the first variable into the second made for a nice clean method of making changes relatively easily.

But I am getting a little ahead of myself.

I started by trying to find all the folders in the location that had the name “Financials” in them.

$Folders=Get-ChildItem -Filter "Financials" -Recurse -Path "\\Root\Job1\"

This would return hundreds of the following:

Directory: \\root\Job96868\Financials
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        10/18/2013   8:59 AM            Contract_PO

Not particularly useful, but I was on the right path in isolating the desired directories.

Looking into the Get-ChildItem a bit more I came up with changing the directory and running the following.

$Folders=Get-ChildItem -Recurse -Filter "Financials" | ?{ $_.PSIsContainer } | Select-Object FullName

Using the ?{ $_.PSIsContainer } allowed me to isolate just the folders with the name “Financials.”  At the first pass, I thought I had it, but unfortunately the “Select-Object FullName” also returned the header FullName@(\\Root\Job1\Financials) which I could not use to apply ACLs to.  Somehow I needed to return only the path name.

Finally I came up with the following:

$Folders=Get-ChildItem -Recurse -Filter "Financials" | ?{ $_.PSIsContainer } | Select -Expand FullName

This finally would fill the $Folders variable with just the full path of the Financials folder.  Now on to applying the permissions.  This was a matter of creating a loop for each item in the $Folders variable and applying the changes.  In the end, here is what the PowerShell script looked like:

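cd \\Root
# Sub-folder names that need the restricted permissions
$Subfolders = @("Financials","Drawings")
# Full paths of every matching directory below the current location
$Folders = Get-ChildItem -Recurse -Include $Subfolders | ?{ $_.PSIsContainer } | Select -Expand FullName
# Group that the Deny rule is written for
$sid = "Group B"
foreach ($i in $Folders) {
    $acl = Get-Acl $i
    # $False = the ACL is not protected, so permissions inherited from the parent stay in place
    $acl.SetAccessRuleProtection($False, $True)
    # Deny FullControl on the folder, its sub-folders and its files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @($sid,"FullControl","ObjectInherit, ContainerInherit","None","Deny")
    $acl.AddAccessRule($rule)
    Set-Acl $i $acl
}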

So to explain what is happening here:

  1. Change the directory to the correct share
  2. Create a Variable to include the subfolders that you want to apply the ACL to.
  3. Create the $Folders Variable and populate the variable with the correct file Paths.  Note that it is including only the folders defined by the $Subfolders variable.
  4. Create a variable for the groups which you want to Apply the permissions for.
  5. Create a loop that applies the ACLs to each “line” in the $Folders variable.
  6. Read the current ACL values into the $Acl variable.
  7. Keep the current ACL values and their inheritance (passing $False leaves the ACL unprotected, so inherited permissions stay in place).
  8. Create a $Rule variable to include the permission you want to include for the folder in question
  9. Apply the Permissions/ACL

I then created a ps1 file for this and used task manager to have it run the PowerShell script every hour so any new folders created will have the correct permissions applied.
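An added example (not part of the original script): an idempotent variant of the loop above for the hourly run, which writes an ACL only when the explicit Deny rule is missing and reports what it did per folder. The temp folder tree, the function names Test-DenyRule and Set-DenyRule, and the built-in Guests group standing in for Group B are assumptions made for the demonstration.

```powershell
# Added example. Requires Windows PowerShell 3.0 or later (-Directory, -in, -LiteralPath on Get-Acl).
$SidType = [System.Security.Principal.SecurityIdentifier]
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$Both    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

function Test-DenyRule {
    # True when $Path already has an explicit, inheritable Deny FullControl rule for $Identity
    param([string]$Path, [string]$Identity)
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate($SidType).Value
    $explicit = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, $SidType)
    foreach ($r in $explicit) {
        if ($r.IdentityReference.Value -eq $sid -and
            $r.AccessControlType -eq 'Deny' -and
            ($r.FileSystemRights -band $Full) -eq $Full -and
            ($r.InheritanceFlags -band $Both) -eq $Both) { return $true }
    }
    return $false
}

function Set-DenyRule {
    # Adds the rule only when it is missing, so compliant folders are not rewritten every hour
    param([string]$Path, [string]$Identity)
    if (Test-DenyRule $Path $Identity) { return 'Unchanged' }
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Full, $Both, 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return 'Updated'
}

# Constructed demo: a throwaway tree in the temp directory; Guests (S-1-5-32-546) stands in for "Group B"
$group = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-546')).Translate([System.Security.Principal.NTAccount]).Value
$root  = Join-Path ([IO.Path]::GetTempPath()) ('acl-demo-' + [guid]::NewGuid())
foreach ($job in 'Job1','Job2') {
    foreach ($sub in 'Financials','Drawings','Photos') {
        New-Item -ItemType Directory -Path (Join-Path $root "$job\$sub") -Force | Out-Null
    }
}
$targets = Get-ChildItem -LiteralPath $root -Recurse -Directory |
    Where-Object { $_.Name -in 'Financials','Drawings' }
foreach ($pass in 1, 2) {
    # Two passes: the second one exercises the already-compliant path
    $targets | ForEach-Object {
        [pscustomobject]@{ Pass = $pass; Result = Set-DenyRule $_.FullName $group; Path = $_.FullName }
    }
}
Remove-Item -LiteralPath $root -Recurse -Force
```

Because an explicit Deny takes precedence over Allow entries, an account that is a member of both group A and group B loses access to the Financials and Drawings folders.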

Hope this helps!

Ed

Comcast Business loves to host spammers!!!

Yes folks, that’s right…go right on over to Comcast Business with all your spamming needs!  You got spam you want to shovel out?  Well Comcast Business network is the place for you!  Not only will they provide multiple venues for you to shovel your crap out, they will help you change your domain and IP address when people start to block your IP address / domain.

Here’s an example:  after Ed successfully blocked a bunch of IP addresses that Comcast was allowing spammers to use, they allowed the spammer to change the domain and IP address they were using to shovel out the same old crap!  Now they are using the 50.195.29.0/24 subnet.

Look, I know spam filtering is like playing whack-a-mole, but I expect better from a “good corporate netizen” like Comcast.  Especially one so concerned with waste of bandwidth that they throttle their own customers.

Spammers, Spammers and more Spammers

One thing that will just make me lose my ever-loving mind quicker than anything is spammers.  They just drive me nuts.  This obsession I have with blocking spam sometimes takes on an almost unhealthy level.

I am currently having one of these episodes, and the most infuriating thing about this one is that major ISPs are not only allowing this to occur, they are profiting from it.

The spammer in question is sending emails with the subject lines like:

  • Gartner’s Predictions on VoIP and the Cloud
  • ERP Expert’s Guide to Implementation Success
  • Facebook’s Impact on BI/ERP
  • MS Excel as an ERP/BI Tool – Tricks and Tips
  • 2012 VoIP Systems Buyer’s Guide

Often as not, the familiar name on these is Business Software Evaluations, and the email address is info@techevals.com.

But the absolute worst part is that they all seem to be coming from IP addresses that resolve to servers that host business solutions for Comcast and Verizon.  Specifically comcastbusiness.net and bos.east.verizon.net.  So these two communication giants are not only allowing this (a Google search indicated that both have been made aware of these shenanigans multiple times and have willingly chosen to do nothing about it except collect a check) but are helping them by allowing them to change static IPs every so often and use throwaway domain names.

Grrrr…..

So I am left with no choice but to widen the net which I use to block these spammers.  I was blocking by individual static IP address, but if Comcast and Verizon are going to continue to allow them to change static IP addresses to spew out this crap, I’m just going to increase my range.  I’ve got more blocks than they have IP addresses.  🙂

So now I am blocking the following IP addresses:

  • 71.243.115.0/255.255.255.0
  • 71.243.122.0/255.255.255.0
  • 50.79.175.0/255.255.255.0
  • 50.79.185.0/255.255.255.0

I’ve also made some conditional filters based on header info, sender domain, and subject lines that hopefully will block these jerks once and for all.

Hopefully this will help someone else and if anyone knows additional IP address ranges they use, please let me know and I will add them to my filters and to this list.

Cheers!

Hello, I’m representing HP…. and I’m really a hacker.

As a network administrator, one of my ongoing annoyances is the people calling with “surveys.”  In the past I have either just told them I wasn’t interested or just hung up on them without any comment at all.  The calls usually start with “Hi, this is Judy.  I’m representing HP and I was calling today with a short survey…blah blah blah.”

I usually don’t listen past that point and end up terminating the call.

In the past I considered these calls a waste of my time in an already overtaxed schedule.  Additionally it seemed like a “theft” of the time the company has paid for, for something that does not directly benefit the company.

Recently however I decided to go through one of the “surveys” and see what they asked.  Being security minded (and slightly paranoid) throughout the survey I provided only false information.  At the conclusion of the “survey” I was very glad I did.

Some of the things they asked were:

  • How many users did we have?
  • How many printers?
  • What was our main operating system?
  • What version of the O/S?
  • What brand of Antivirus did we use?
  • What kind of routers? Switches?
  • Who was our firewall vendor?

…and then, with that last question, it dawned on me…this call was a social engineering call!  They were hackers!  I had no evidence that they were with (in this case) HP.  Only their word.  This call was really to footprint my network!

To be fair, it could have been legitimate.  But handing out that kind of information without being certain of who I was talking to could have been very dangerous to the security of my network.

So beware of the random call from someone saying they are representing Microsoft or HP or Dell or any other company wanting to do a “survey” about your network.  It might just be a hacker footprinting your network.