  • 1.  Compliance check of NTFS permission on the vCenter server

    Posted Apr 21, 2013 10:12 AM

    I am being asked to write a compliance script, part of it being a check against the NTFS permissions for the folder that holds the vCenter certificates to ensure correct access

    Has anyone done this? Any ideas how best to tackle this?

    Any help appreciated

    Thanks



  • 2.  RE: Compliance check of NTFS permission on the vCenter server

    Posted Apr 21, 2013 11:18 AM

    The NTFS permissions on the SSL folder (C:\ProgramData\VMware\VMware VirtualCenter\SSL) are normally inherited from the parent folder.

    There could be other permissions that come from other components. For example, some backup tools run under a service account that also needs some access.

    What do you want to check in fact?

    Is there a file that contains the permissions that should be there?

    Wouldn't it be easier to activate auditing on that folder (success and failure)?

    In that case you detect any changes from the security eventlog?



  • 3.  RE: Compliance check of NTFS permission on the vCenter server

    Posted Apr 22, 2013 08:39 AM

    Thanks for the quick reply as always Luc

    Our Security dept, as Security depts do......have asked I produce a single script that checks many things

    I guess they want to ensure that no-one has access to the certs that shouldn’t

    Whilst enabling Auditing would seem the most appropriate I just wanted to see how difficult it would be to do a scripted check

    It would be the permissions on the cert file itself they are interested in, not so much the folder, I could specify the perms that should be there to check against

    Cheers

    Jim



  • 4.  RE: Compliance check of NTFS permission on the vCenter server

    Posted Apr 22, 2013 09:29 AM

    The following gives you the NTFS permissions on the files in the SSL folder.

    It assumes that the administrative share C$ is there, and that the account under which you execute the script has access to that share.

    An alternative would be to use the Invoke-VMScript cmdlet, provided the vCenter is a VM.

    Another alternative is to use PowerShell remoting, but that requires WinRM to be configured.

    # Name of the vCenter server of the current PowerCLI connection
    $vCenter = $global:DefaultVIServer.Name

    # ACLs of everything under the SSL folder, read over the administrative share
    $acl = Get-ChildItem "\\$($vCenter)\c$\ProgramData\VMware\VMware VirtualCenter\SSL" -Recurse | Get-Acl

    # One output row per access rule (ACE) on each file
    foreach($file in $acl){
        $file.Access |
        Select-Object @{N="File";E={$file.PSChildName}},
            @{N="Path";E={$file.Path.Split(':')[2]}},
            @{N="Owner";E={$file.Owner}},
            @{N="Name";E={$_.IdentityReference}},
            @{N="Type";E={$_.AccessControlType}},
            @{N="Rights";E={$_.FileSystemRights}}
    }
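
To turn the listing in the post above into the pass/fail check asked for earlier in the thread, the ACL of each file can be compared with a list of permissions that should be there. This is an added example, not part of the original post; the function name `Test-FileAclCompliance` and the baseline identities are assumptions made for illustration, and it relies on the same C$ access and connected vCenter session as the post.

```powershell
# Constructed baseline (an assumption, not from the thread):
# identity -> maximum rights that identity may hold on the certificate files.
$expected = @{
    'NT AUTHORITY\SYSTEM'    = [System.Security.AccessControl.FileSystemRights]::FullControl
    'BUILTIN\Administrators' = [System.Security.AccessControl.FileSystemRights]::FullControl
}

# Hypothetical helper: emits one object per deviation; no output means compliant.
function Test-FileAclCompliance {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        $acl  = Get-Acl -LiteralPath $item.FullName
        $seen = @{}
        foreach ($rule in $acl.Access) {
            # Deny entries only restrict access, so only Allow entries are checked.
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $id = $rule.IdentityReference.Value
            $seen[$id] = $true
            $finding = $null
            if (-not $Baseline.ContainsKey($id)) {
                $finding = 'UnexpectedIdentity'
            }
            elseif ([int]$rule.FileSystemRights -band (-bnot [int]$Baseline[$id])) {
                # Rights bits granted beyond what the baseline allows
                $finding = 'ExcessRights'
            }
            if ($finding) {
                [pscustomobject]@{ File = $item.FullName; Identity = $id
                    Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
                    Finding = $finding }
            }
        }
        # Baseline identities that have no Allow entry on this file
        foreach ($id in $Baseline.Keys) {
            if (-not $seen.ContainsKey($id)) {
                [pscustomobject]@{ File = $item.FullName; Identity = $id
                    Rights = $null; Inherited = $null; Finding = 'MissingIdentity' }
            }
        }
    }
}

# Same UNC path as in the post above.
$vCenter = $global:DefaultVIServer.Name
Test-FileAclCompliance -Path "\\$vCenter\c$\ProgramData\VMware\VMware VirtualCenter\SSL" -Baseline $expected
```

The `Inherited` column shows whether a deviation was set on the file itself or comes from the parent folder, which matters here because the SSL folder normally inherits its permissions.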


  • 5.  RE: Compliance check of NTFS permission on the vCenter server

    Posted Jun 20, 2022 04:24 PM

    Hi LucD,

    Sorry to pull you on the old thread. I am just trying something similar which is mentioned in the thread.

    I am trying to get a list of users mentioned in the share tab of the folder security advanced settings but am unable to get the exact cmdlet (see below snippet). Looking for the information which is highlighted in yellow.

    Get-Acl -Path "\\share\folder1"

    vin01_0-1655742134066.png

     



  • 6.  RE: Compliance check of NTFS permission on the vCenter server

    Posted Jun 20, 2022 04:46 PM

    Have a look at the Get-SmbShareAccess cmdlet.