ACL
Just ran an MBSA scan on a Windows 2003 server. Relatively new to ACL permissions. MBSA shows me share ACL permissions and directory ACL permissions. So I assume a user would need firstly the share ACL to be able to view the list of available shares, then
the directory ACL to view the specific data in a given share?
Also, it only gives the directory ACL, but what if there are numerous directories in that share? How does it know the directory ACL will be the same for all shares? I.e. share\rootdirectory might not have the same ACL as share\rootdirectory\privatedata? Or am I missing
something, i.e. if you've been granted the directory ACL you can access any data in any subdirectory?
July 20th, 2010 11:15am
Share and NTFS security work combined, the more restrictive being in effect.
Say you have c:\share which is shared; user A has Read permission on the share and Change permission on NTFS. As the share permission is more restrictive, despite having Change permission when working locally due to NTFS, when accessing the share user A can
only read. Now say there's a subfolder c:\share\folder, in which user A has no NTFS security to even read. Despite having Read permission on the share, the user won't be able to access this subfolder.
July 20th, 2010 11:45am
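The "more restrictive wins" rule above, as an added PowerShell example that is not part of the thread: the share DACL is read through WMI (Win32_LogicalShareSecuritySetting, which exists on Windows Server 2003), the NTFS DACL of the share's root folder through Get-Acl, and for every identity that has an Allow entry on both sides the effective network access is the bitwise AND of the two access masks (share Read, Change and Full Control use the same bit patterns as NTFS ReadAndExecute, Modify and FullControl). Assumptions: the share is called DATA as in the thread, the caller is an administrator so the folder can be reached via the administrative drive share (G:\Shared\Data becomes \\server\G$\Shared\Data), and identities are matched by name only; Deny entries and group nesting are listed but not resolved per user.

```powershell
# Added example, not from the thread. Combines the share ACL with the NTFS ACL
# of the share's root folder for one share on one host.
param(
    [string]$ComputerName = 'localhost',   # assumption: target host
    [string]$ShareName    = 'DATA'         # assumption: share name from the thread
)

# Share DACL via WMI; Trustee.Domain is empty for well-known names such as Everyone.
function Get-ShareAce {
    param([string]$Computer, [string]$Share)
    $setting = Get-WmiObject -ComputerName $Computer -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'"
    if (-not $setting) { throw "Share '$Share' not found on $Computer" }
    $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        $domain   = $ace.Trustee.Domain
        $identity = if ($domain) { "$domain\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        New-Object PSObject -Property @{
            Identity = $identity
            Type     = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }   # 0 = ACCESS_ALLOWED_ACE
            Mask     = [int]$ace.AccessMask
        }
    }
}

# NTFS DACL of a folder (local or UNC path). Inherited generic rights can show as
# raw numbers instead of names; the AND below still works on the standard bits.
function Get-NtfsAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        New-Object PSObject -Property @{
            Identity = $rule.IdentityReference.Value
            Type     = $rule.AccessControlType.ToString()
            Mask     = [int]$rule.FileSystemRights
        }
    }
}

function Get-EffectiveShareRights {
    param([string]$Computer, [string]$Share)
    $shareInfo = Get-WmiObject -ComputerName $Computer -Class Win32_Share -Filter "Name='$Share'"
    if (-not $shareInfo) { throw "Share '$Share' not found on $Computer" }
    # G:\Shared\Data  ->  \\<computer>\G$\Shared\Data (administrative share)
    $drive     = $shareInfo.Path.Substring(0, 1)
    $rest      = $shareInfo.Path.Substring(2)
    $adminPath = '\\' + $Computer + '\' + $drive + '$' + $rest

    $shareAces = @(Get-ShareAce -Computer $Computer -Share $Share)
    $ntfsAces  = @(Get-NtfsAce -Path $adminPath)

    foreach ($s in ($shareAces | Where-Object { $_.Type -eq 'Allow' })) {
        foreach ($n in ($ntfsAces | Where-Object { $_.Type -eq 'Allow' -and $_.Identity -eq $s.Identity })) {
            # Over the network only rights granted by BOTH lists survive.
            $effective = $s.Mask -band $n.Mask
            New-Object PSObject -Property @{
                Identity    = $s.Identity
                ShareRights = [System.Security.AccessControl.FileSystemRights]$s.Mask
                NtfsRights  = [System.Security.AccessControl.FileSystemRights]$n.Mask
                Effective   = [System.Security.AccessControl.FileSystemRights]$effective
            }
        }
    }
    # Deny entries on either side are reported separately because they override Allow.
    $shareAces + $ntfsAces | Where-Object { $_.Type -eq 'Deny' } |
        ForEach-Object { Write-Warning ("Deny entry for " + $_.Identity + " (mask " + $_.Mask + ")") }
}

Get-EffectiveShareRights -Computer $ComputerName -Share $ShareName |
    Format-Table Identity, ShareRights, NtfsRights, Effective -AutoSize
```

The result is only for the share's root folder: user A from the post above would show Share=ReadAndExecute, NTFS=Modify, Effective=ReadAndExecute, and a subfolder with its own NTFS entries has to be evaluated against its own ACL.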
Thanks FZB....
However, why then does MBSA only report the share's root folder ACL?
for example I have a share called DATA resident on G:\Shared\Data
it lists all groups with the directory ACL who can access G:\Shared\Data
But my question is what about sub directories of G:\Shared\Data i.e. G:\Shared\Data\SubFolder...
Do the subdirectories inherit the same permissions as set on G:\Shared\Data, thus the reason why MBSA only needs to report on the root directory of the share?
July 20th, 2010 1:21pm
If you right-click your folder, go to the Security tab and select Advanced, you see a list of your entries and a field for inheritance (I'm at a German Windows at the moment, so I don't know what term is used); you can also define whether you want to propagate your settings to the child
nodes.
Will try to check later what MBSA is checking.
July 20th, 2010 3:03pm
Hi ia4560,
By default, the sub folders will inherit the permissions from the parent folder. When you right click the sub folder and select
Security tab and then click on Advanced button, you will see the check box selected as “Allow inheritable permissions from the parent to propagate to this object and all child objects.
Include these with entries explicitly defined here”. If this option is selected, the sub folder will contain the same permission entries as the parent folder. So you don’t have to worry about the permission issue in sub folders, unless
someone manually unchecks this checkbox and modifies the ACL.
Regards,
Karen Ji
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. This posting is provided
"AS IS" with no warranties, and confers no rights.
July 21st, 2010 9:15am
I am still a bit unsure what MBSA (Microsoft Baseline Security Analyzer) actually reports in its Share - Directory ACL column then?
For example I have a share called data. If I run a command such as dir \\localhost\data /s
I get a directory listing for the data share. At the top level I see the following directories:
<DIR> Database
<DIR> Backup
<DIR> Reports
<DIR> Documentation
So which directory is MBSA reporting "Directory ACL" listings on, as there are several parent folders in the share? Is MBSA saying the ACL is the same for all of these parent directories? Or is the share itself classed as the parent directory, and MBSA is
reporting on that, and thus Database, Backup, Reports, Documentation etc. are classed as child folders? If so, MBSA isn't very helpful in determining which users can access files in the directories Database, Backup, Reports, Documentation etc.? Is that correct?
July 21st, 2010 11:36am
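An added PowerShell check, not from the thread, for the inheritance answer above and for this question about Database, Backup, Reports and Documentation: the root of a share is only a valid summary of its subfolders while every subfolder still inherits from it, so the script walks the tree and reports each folder where inheritance has been switched off (the "Allow inheritable permissions from the parent to propagate" box unchecked) or where explicit, non-inherited entries were added. Assumptions: the root is G:\Shared\Data as in the thread; a UNC path such as \\server\DATA works as well, since Get-Acl accepts UNC paths, so no drive mapping is required.

```powershell
# Added example, not from the thread. Lists subfolders whose ACL no longer just
# mirrors the share root. An empty result means every subfolder carries only
# entries inherited from above.
param([string]$Root = 'G:\Shared\Data')   # assumption: share root from the thread

function Get-DivergentSubfolders {
    param([string]$Path)
    # PSIsContainer rather than -Directory so this also runs on PowerShell 2.0.
    $subfolders = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer }
    foreach ($folder in $subfolders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName
        } catch {
            # A folder you cannot read the ACL of is itself worth knowing about.
            Write-Warning ("Cannot read ACL on " + $folder.FullName + ": " + $_.Exception.Message)
            continue
        }
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # AreAccessRulesProtected is true when inheritance from the parent is disabled.
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            New-Object PSObject -Property @{
                Folder              = $folder.FullName
                InheritanceDisabled = $acl.AreAccessRulesProtected
                ExplicitEntries     = ($explicit | ForEach-Object {
                    '{0} {1}: {2}' -f $_.AccessControlType, $_.IdentityReference, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

Get-DivergentSubfolders -Path $Root |
    Format-Table Folder, InheritanceDisabled, ExplicitEntries -AutoSize -Wrap
```

Any folder in the output has to be reviewed on its own; a Deny entry added explicitly on, say, Backup overrides whatever the root or the share grants.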
Hi ia45460,
What are you using MBSA for? Do you want to see which users have access to which directory on the shared folders?
MBSA can scan for security vulnerabilities on computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. MBSA scans for common security misconfigurations in Windows, Internet Information Services (IIS), SQL Server, Internet Explorer,
and Microsoft Office.
MBSA is not used to determine which users have what access in the directory.
You can use AccessEnum from Sysinternals to do so. You can download it from the link below.
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
Regards,
Karen Ji
July 22nd, 2010 10:40am
Hi Karen,
I am trying AccessEnum as we speak. I cannot see how to enter a remote host in the directory, i.e.
\\localhost\share; it only allows for local or currently mapped drives? Do you have to map the drives first?
July 22nd, 2010 1:31pm
Hi Ia4560,
Yes, if you want to scan a remote computer, you'll have to map a drive first using AccessEnum.
Regards,
Karen Ji
July 23rd, 2010 4:51am