XCACLS and Other Permissions Security Recovery Tools
by Darren Miller
Published on this site: March 4th, 2006

You Have 50GB of Data to Move Along With Permissions Security
This article is about several tools that can save a Windows
administrator's you-know-what in the event of a large-scale
permissions security problem.
Here is a fictional scenario we can use to illustrate the
use of the XCACLS tool. We need to move or copy 50GB worth
of data that is comprised of several thousand directories
containing hundreds of thousands of small files from one
storage system to another. These systems happen to be part of
a Windows 2000 Domain and permissions are quite granular in
definition. We start the replication of that data using a
favorite replication or synchronization tool and walk away
for the evening. When we return the next day, everything has
copied and all looks well. That is, until you try to access
the data.
The Data is Copied, But I Cannot Access it: Permissions Security Problem
What you did not know, until just now, is that the root directory
of the drive that you copied the data to had the wrong permissions
assigned to it. In addition, inheritance was configured such
that any data that is placed on the drive is overwritten
with the permissions of the root directory. In this case,
those permissions belonged to an old account that no longer
existed. Believe it or
not, that can happen, and system administrators will know
what I am talking about. Now you are left with trying to figure
out what to do. Do I format the new drive, change the permissions
and inheritance on the root directory so they are correct
and start all over again? Do I make the changes on the root
drive so they have the correct permissions and wait hours
upon hours for the permissions to propagate? No, there is
another, very fast way of resolving this issue with XCACLS
or another tool called SUBINACL.
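A check for the failure described above, as an added PowerShell example for a current Windows system (not part of the original article): it lists access entries whose account no longer resolves and shows whether each one is stamped onto new children. The function name `Find-OrphanedAce`, the scratch folder and the SID are constructed for illustration.

```powershell
# Added example: flag ACEs that reference accounts that no longer resolve.
# Get-Acl shows such an entry with its raw SID (S-1-5-21-...) instead of a name.
function Find-OrphanedAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse            # also scan everything below $Path
    )
    $none  = [System.Security.AccessControl.InheritanceFlags]::None
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) { $items += Get-ChildItem -LiteralPath $Path -Recurse -Force }
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.IdentityReference.Value -notmatch '^S-1-5-21-') { continue }
            [pscustomobject]@{
                Path       = $item.FullName
                Sid        = $ace.IdentityReference.Value
                Rights     = $ace.FileSystemRights
                Inherited  = $ace.IsInherited
                # True when the ACE is copied onto new children of this folder
                Propagates = $ace.InheritanceFlags -ne $none
            }
        }
    }
}

# Constructed demo: a scratch folder stands in for the new drive's root and gets
# an inheritable Full Control ACE for a made-up SID (a "deleted" account).
$root = Join-Path $env:TEMP 'acl-preflight-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1001'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $root
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $root -AclObject $acl

# A folder created afterwards inherits the orphaned entry, as in the scenario.
New-Item -ItemType Directory -Path (Join-Path $root 'home') -Force | Out-Null

Find-OrphanedAce -Path $root -Recurse | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Run the function against the destination root before starting a large copy, and with `-Recurse` after a repair to confirm no such entries remain.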
XCACLS Quickly Resets Permissions on Directories and Files
Because I have limited space in this article, I am going to
use XCACLS as the tool to correct this problem. However, in
complex permissions structures, you will most likely want
to use SUBINACL to fix the issue. I will talk about SUBINACL
briefly at the end of the article.
XCACLS is a very fast tool that can set, remove, add, and
change permissions on files and directories. For instance,
the following command replaces all existing access rights
and accounts with that of "dmiller" on the file
"file.txt" with read-only access:

    xcacls file.txt /Y /T /G domain\dmiller:r

Although that is pretty easy and helpful, what about changing
all my directories and files, which I have thousands of, to
allow the domain\dmiller account to have full access? To do
this in a very fast fashion you could execute the following
from the root directory of the drive:

    for /d %g IN (*.*) DO xcacls "%g" /Y /T /G domain\dmiller:f

This will go through every directory, subdirectory, and file
and replace the current permissions with dmiller having full
access to the object. You'll notice I put quotation marks
around the %g in the example. This is not required, but if
you have directories that have names with spaces in them you
will need to have the quotation marks. (Inside a batch file,
write %%g instead of %g.)
What Other Ways Can I Use XCACLS to Change Security Permissions?
To give you a few additional handy examples of how you can
use this tool, take a look at the following command prompt methods
for replacing, updating and removing accounts and permissions
from large numbers of directories and files.
The following command replaces all existing access rights
and accounts with that of dmiller with read-only access rights:

    for /d %g IN (*.*) DO xcacls "%g" /Y /T /G domain\dmiller:r

The following command does not replace existing account permissions;
instead, it adds the account, in this example the local admin
account, with read-only permissions:

    for /d %g IN (*.*) DO xcacls "%g" /Y /E /T /G administrator:r

The following command removes the account "administrator"
permissions from all directories, files, and subdirectories:

    for /d %g IN (*.*) DO xcacls "%g" /Y /E /T /R administrator

This command should update all the directories and their
contents to allow Domain Admins full access:

    for /d %g IN (*.*) DO xcacls "%g" /Y /T /G "Domain Admins:f"

I did a test on my XP Pro workstation and was able to change
the permissions on approximately 10000 directories and files
in less than 1 minute. On one of my servers I was able to achieve
a 500% increase in speed. It is blazingly fast.
SUBINACL is More Complex But Man Can it Really Save the Day
I cannot go into specifics about this tool in this article
but I will tell you what it can do. And again, it does it
very very fast. Using the same scenario as above, let's say
that you had to fix the permissions on thousands of home directories.
With SUBINACL, you can actually go to the original directories
and files, use the tool to create what is called a "play
file", a text file that contains the right account and
permissions from the source files, then use that same file
to tell SUBINACL to fix the permissions on the target storage
system, the one with the screwed up permissions. It's quite
the life saver if you ever find yourself in this type of predicament.
Also check out "CACLS". This command is built into
Windows XP Professional.
Conclusion
These tools are contained in the Windows 2000 and 2003 server
resource tool kit; however, several of them also exist natively
in the Windows XP environment. Check them out if you don't
already know about them. Even if you have no use for them
right now, they may save you hours of hard work and stress in
the event of a future permissions problem.

Darren Miller is an Information Security Consultant
with over seventeen years' experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals.
If you would like to contact Darren you can e-mail him at
[email protected].
If you would like to know more about computer security please
visit us at http://www.defendingthenet.com.
