As cyber attacks increase in both frequency and severity, they have taken center stage in the world of cybersecurity. While keeping threat actors out of your environment is absolutely critical, I believe that keeping coworkers out of your embarrassingly large private stash of pirated Golden Girls episodes is at least mildly important.
Thankfully, keeping your private stash and company secrets safe is pretty straightforward with file and folder permissions. Here’s how you can go about securing your most important assets:
Managing permissions through Windows Explorer is pretty easy. Simply right-click on any file or folder and click Properties, then click on the Security tab.
While this is relatively simple to do, you’ll start to run into issues when you have massive amounts of permissions to set. Thankfully, with the ICALS utility, we're able to script out larger permissions jobs.
Icacls is a command-line utility that allows admins to view and modify file and folder permissions. CACLS stands for Control Access Control List. There is some debate on whether the "I" stands for Integrity or Inherited, but hopefully it doesn't stand for “irreplaceable” because today we're discussing the PowerShell equivalent of icacls.
The PowerShell Equivalent of ICACLS Is Get-Acl and Set-Acl
As you can see, Microsoft has chosen to stick with their non-creative but very descriptive naming schemes with these cmdlets. One look and you can pretty easily guess what each one does. As their names imply, Get-Acl will retrieve the access-control list of a given file or folder. Set-Acl, on the other hand, will set or modify the permissions of files and folders.
Okay, time for some examples.
We're starting off pretty simple, but there's still some cool stuff going on here. We've used the DIR command and specified the path 'C:\VIP Only\' with the filter a*. The only folder inside the "VIP Only" folder that matched the filter was a folder named "Area 51 Fashion Advice". We've used the -Recurse parameter to return all subdirectories and files. Be careful using this parameter on a folder that has large amounts of subdirectories and files, though.
Next, we piped that command to the Get-Acl command, returning the permissions for all the files and folders found in the specified directory. Lastly, we piped everything to the Format-List command to make the returned information a bit easier to read.
We are using both Get-Acl and Set-Acl to copy the permissions from one file to another in this example.
I have a file called “Top Secret Mashed Potatoes Recipe.txt” and a "Back to the Future 4 Script.txt" file in the same "VIP Only" directory. As you can see, the user Jack Black currently has permissions on one file but not the other.
However, once I run the above script, PowerShell will copy the permissions from "Top Secret Mashed Potatoes Recipe.txt" to "Back to the Future 4 Script.txt."
The first two examples were pretty simple. However, setting permissions is a bit trickier than just getting or copying permissions.
In this example, the first thing we do is retrieve the ACL of the object we want to modify and assign it to the variable $acl. Next, we create a new file system access rule and assign it to the $AccessRule variable. This rule contains the "username", the "permission", and the "allow or deny" settings. Then, we set the access rule we created to the $acl variable. Lastly, we use the Set-Acl cmdlet to set the new permissions contained in the access rule.
As you can see in this image, the file "C:\VIP Only\NSA Secrets\Chocolate is Healthy.txt" doesn't have permissions for the user Jack Black.
However, once I run the following script, the user's permissions will be added to the file and granted full control.
Magic!... I mean, PowerShell!
PowerShell vs ICALS: Which Should You Be Using?
I'll be honest. I find it easier to set permissions with icacls versus Set-Acl. However, there are limitations with icacls, whereas the possibilities are almost infinite with PowerShell. If you have some simple permissions to set, I would use either Windows Explorer or icacls. If, on the other hand, you have an enormous amount of permissions to set and you need to automate a workflow, PowerShell should be your go-to.