#Requires -Version 3.0
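Function Set-SecureFilePermission {
<#
.SYNOPSIS
This cmdlet was created to set restrictive permissions on scripts that were created to run as tasks on servers.
.DESCRIPTION
Running this command against a file or directory replaces its DACL: inheritance is disabled, every existing access rule (inherited and explicit) is removed, each account in -Username is granted FullControl, and the owner is set to -Owner. The cmdlet honours -WhatIf and -Confirm; nothing is written when -WhatIf is given.
.PARAMETER Username
Defines the users that should be given Full Control over a file
.PARAMETER Owner
Defines the user who should be the owner of an NTFS file. The default value is 'BUILTIN\Administrators'
.PARAMETER Path
Define the local path to one or more items you want the permissions changed on. Modifying permissions on a remote machine will require the path to that file as if you were on that machine. The access rules are added without inheritance flags, so on a directory they apply to the directory object itself and not to the items inside it.
.PARAMETER ComputerName
This parameter defines remote devices that have a file on them you want the permissions changed on. Separate multiple values with a comma. The WinRM port is left to Invoke-Command, which uses 5985 for HTTP and 5986 when -UseSSL is set.
.PARAMETER UseSSL
When connecting to remote device use an SSL encrypted connection
.PARAMETER SkipCACheck
When connecting to remote device skip certificate Root CA verification. This disables part of the HTTPS server authentication, so the session can no longer distinguish the intended server from an impostor presenting its own certificate.
.PARAMETER SkipCNCheck
When connecting to remote device skip certificate canonical name (CN) comparison check. Same caveat as -SkipCACheck.
.PARAMETER SkipRevocationCheck
When connecting to remote device skip certificate revocation check. A revoked server certificate is then accepted.
.EXAMPLE
Set-SecureFilePermission -Username 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Network Configuration Operators', 'NT SERVICE\MpsSvc' -Path C:\Temp\secretfile.txt
# This example gives SYSTEM, Administrators, Network Configuration Operators, MpsSvc exclusive access to secretfile.txt and sets the Administrators group as the owner
.EXAMPLE
Set-SecureFilePermission -Username 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators' -Path "C:\Temp\derp.log" -Owner 'NT AUTHORITY\SYSTEM' -ComputerName 10.0.0.1
# This example gives administrators and system permissions to the derp.log file and makes SYSTEM the owner on the remote device 10.0.0.1
.EXAMPLE
$Files = Get-ChildItem -Path $env:USERPROFILE\Documents\Scripts -Recurse -Filter *.ps1
$Files | ForEach-Object { Set-SecureFilePermission -Username 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\Mike' -Path $_.FullName -Owner 'CONTOSO\Mike' -Verbose }
# This example sets SYSTEM, Administrators, and Mike to have permissions to any ps1 files in the directory defined and sets Mike as the owner.
.EXAMPLE
Set-SecureFilePermission -Username 'BUILTIN\Administrators' -Path C:\Temp\secretfile.txt -WhatIf
# This example only reports what would be changed; the ACL is not modified.
.NOTES
Author: Robert H. Osborne
Alias: tobor
Contact: [email protected]
.INPUTS
System.String[]
.OUTPUTS
None
.LINK
https://osbornepro.com
https://writeups.osbornepro.com
https://github.com/tobor88
https://github.com/OsbornePro
https://gitlab.com/tobor88
https://www.powershellgallery.com/profiles/tobor
https://www.linkedin.com/in/roberthosborne/
https://www.credly.com/users/roberthosborne/badges
https://www.hackthebox.eu/profile/52286
#>
    [CmdletBinding(
        DefaultParameterSetName="Local",
        SupportsShouldProcess,
        ConfirmImpact='Medium'
    )]  # End CmdletBinding
    param(
        [Parameter(
            Mandatory=$True,
            ValueFromPipeline=$False,
            ValueFromPipelineByPropertyName=$False,
            HelpMessage="`n[H] Add a user or list of users who should have permissions to an NTFS file`n[E] EXAMPLE: 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'"
        )]  # End Parameter
        [Alias('User')]
        [String[]]$Username,

        [Parameter(
            Mandatory=$True,
            ValueFromPipeline=$True,
            ValueFromPipelineByPropertyName=$False,
            HelpMessage="`n[H] Define the path to the NTFS item you want to modify the entire permissions on `n[E] EXAMPLE: C:\Temp\file.txt"
        )]  # End Parameter
        [String[]]$Path,

        [Parameter(
            Mandatory=$False,
            ValueFromPipeline=$False,
            ValueFromPipelineByPropertyName=$False
        )]  # End Parameter
        [String]$Owner = 'BUILTIN\Administrators',

        [Parameter(
            ParameterSetName="Remote",
            Mandatory=$False,
            ValueFromPipeline=$True,
            ValueFromPipelineByPropertyName=$False
        )]  # End Parameter
        [Alias('cn','Computer','c','IPAddress')]
        [String[]]$ComputerName,

        [Parameter(
            ParameterSetName="Remote",
            Mandatory=$False
        )]  # End Parameter
        [Switch]$UseSSL,

        [Parameter(
            ParameterSetName="Remote",
            Mandatory=$False
        )]  # End Parameter
        [Switch]$SkipCACheck,

        [Parameter(
            ParameterSetName="Remote",
            Mandatory=$False
        )]  # End Parameter
        [Switch]$SkipCNCheck,

        [Parameter(
            ParameterSetName="Remote",
            Mandatory=$False
        )]  # End Parameter
        [Switch]$SkipRevocationCheck
    )  # End param

    BEGIN {
        Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Set-SecureFilePermission cmdlet executed"

        # One script block does the ACL rewrite for both the local and the remote branch,
        # so the two code paths cannot drift apart. It is self-contained (no closure over
        # function variables) because it is shipped to the remote session as-is.
        # Arguments: user list, item path list, owner, and the caller's $VerbosePreference
        # (passed explicitly so remote Write-Verbose output follows the caller's -Verbose).
        $ApplyAcl = {
            param(
                [String[]]$Username,
                [String[]]$Path,
                [String]$Owner,
                [String]$VerbosePref = 'SilentlyContinue'
            )
            $VerbosePreference = $VerbosePref

            # $Path is an array; each item gets its own Get-Acl/Set-Acl round trip
            # (stringifying the array would join the paths into one bogus path).
            ForEach ($Item in $Path) {
                Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Modifying access rule protection on $Item"
                $Acl = Get-Acl -Path $Item -Verbose:$False

                # Stop inheriting from the parent and discard the inherited ACEs ...
                $Acl.SetAccessRuleProtection($True, $False)

                # ... and also discard the explicit (non-inherited) ACEs, which
                # SetAccessRuleProtection leaves untouched. Without this step an
                # earlier explicit grant would survive the "secure" rewrite.
                # @() materialises the list before the DACL is mutated.
                ForEach ($Existing in @($Acl.Access | Where-Object -FilterScript { -not $_.IsInherited })) {
                    Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Removing existing rule for $($Existing.IdentityReference) from $Item"
                    $null = $Acl.RemoveAccessRule($Existing)
                }  # End ForEach

                # Three-argument FileSystemAccessRule: no inheritance/propagation flags,
                # so on a directory the rule applies to the directory object only.
                ForEach ($U in $Username) {
                    Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Adding $U permissions to $Item"
                    $Permission = $U, 'FullControl', 'Allow'
                    $AccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Permission
                    $Acl.AddAccessRule($AccessRule)
                }  # End ForEach

                Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Setting the owner of $Item to $Owner"
                $Acl.SetOwner((New-Object -TypeName System.Security.Principal.NTAccount("$Owner")))
                $Acl | Set-Acl -Path $Item -Verbose:$False
            }  # End ForEach
        }  # End ScriptBlock
    } PROCESS {
        # Single description reused by ShouldProcess for -WhatIf / -Confirm output
        $Action = "Replace ACL: grant FullControl to $($Username -join ', ') and set owner to $Owner"
        $Targets = $Path -join ', '

        If ($PSBoundParameters.ContainsKey('ComputerName')) {
            $Computers = $ComputerName -join ', '
            If ($PSCmdlet.ShouldProcess("$Targets on $Computers", $Action)) {
                $SessionOption = New-PSSessionOption -SkipCACheck:$SkipCACheck.IsPresent -SkipCNCheck:$SkipCNCheck.IsPresent -SkipRevocationCheck:$SkipRevocationCheck.IsPresent -Verbose:$False
                # -Port is intentionally not set: Invoke-Command selects 5985 or 5986 to
                # match -UseSSL, whereas a fixed 5986 breaks the non-SSL case.
                Invoke-Command -ComputerName $ComputerName -HideComputerName -UseSSL:$UseSSL.IsPresent -SessionOption $SessionOption -ScriptBlock $ApplyAcl -ArgumentList $Username, $Path, $Owner, "$VerbosePreference"
            }  # End If
        } Else {
            If ($PSCmdlet.ShouldProcess($Targets, $Action)) {
                & $ApplyAcl $Username $Path $Owner "$VerbosePreference"
            }  # End If
        }  # End If Else
    } END {
        Write-Verbose -Message "[v] $(Get-Date -Format 'MM-dd-yyyy hh:mm:ss') Set-SecureFilePermission cmdlet completed execution"
    }  # End B P E
}  # End Function Set-SecureFilePermission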