Case Study: Network auditing on a shoestring
Using Perl to document shares and file access.
By Paul Venezia, InfoWorld | InfoWorld | Published: 00:00, 19 June 2006
What do you do when the auditors are breathing down your neck, wanting to see an exhaustive report on the Windows network security of a 2000-user network across eight sites? That's easy. Break out a text editor and start writing some Perl.
That's what my colleague Matt Prigge and I did when we were tasked with locating every share available on a network and documenting who had access to their files. At first blush, it was a Herculean effort. When we started coding and the pieces began to fall into place, however, it became much simpler.
The first order of business was determining how the data would be stored. We opted to place everything in a MySQL database running on a Linux server, with all back-end code running on a Windows 2003 Server with ActivePerl - because the polling processes required the Win32 Perl APIs. The reporting and searching front end would be written in PHP (PHP: Hypertext Preprocessor) and run on another Linux server. Because the common ground was MySQL, this presented the easiest path.
The polling process first searched Active Directory for the list of Computer records. When these had been found, it used a Domain Admin account to inspect the relevant registry keys on every computer in the domain and search for open file shares. If any shares were found, the poller would walk the file share with Administrator privileges to determine the size of the share and catalogue the permissions on every folder to a depth of six directory levels.
The scripts would then insert all the data found for each share into the MySQL database, keyed on the machine name. Very quickly, the database grew very large, as it was inspecting not only known server shares but even shares on workstations that IT may not ever have known existed.
The polling process took several hours to complete every time it ran, so this process became a daily event, starting at 9am, when most workstations in the network were powered on and available via the network. The process located hundreds of shares and logged thousands of folders, files, and user access rights into the database.
To present this information in a relatively simple way, we wrote a PHP-based Web front end that allowed an administrator to search the database with a domain username, a computer name, a share name, or a folder name. Searching the database with a username or a Windows security group name would list every share that the user or group had access to, sorted by computer name. Additionally, the admin could drill down six levels deep in every share to find individual user permissions on specific folders in each share. The database was updated daily, so the information was always current, although time constraints eliminated the possibility of capturing historical data for later perusal.
To top it all off, the same PHP front end made possible a full dump of all share data, using CSS to present the entire database in a printable format. When the auditors came calling, we were able to present them with a stack of paper 3 inches thick, containing information about every share available on every computer in the network, cross-referenced with a list of every security group and every user in the organisation. If they needed to spot-check the data, the Web front end was ready and waiting. Needless to say, although we were fairly sure they didn't actually grasp what they were seeing, the auditor's report gave top marks to the IT department, and the IT director bought three rounds that night.