|
piszczynski>Aleks |
|
| |
|
| == File Permissions iCACLS Copy Export Modify == | | == Addresses and Policies == |
| | Make sure when adding any policy or address it is also added to the policy or address that you are trying to affect. |
|
| |
|
| File permissions can be managed in CMD with the iCACLS tool.
| | == CLI Commands == |
| | Ping - can also be used as nslookup |
| | *exec ping <ip address or FQDN> |
|
| |
|
| Get file/folder permissions:
| | == FQDN addresses == |
| *icacls <path>
| |
| Grant Modify Permission:
| |
| *icacls <path> /grant <user>:M
| |
|
| |
|
| Details of permissions:
| | Check for resolved IP addresses for all FQDN addresses in CLI: |
| <pre>
| | *diagnose firewall fqdn list |
| iCACLS inheritance settings:
| |
|
| |
|
| (OI) — object inherit;
| | ==Add Bulk IPs to fortigate via CLI== |
| (CI) — container inherit;
| | Check this guide: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Creation-and-addition-of-bulk-IP-address-objects/ta-p/241823 |
| (IO) — inherit only;
| |
| (NP) — don’t propagate inherit;
| |
| (I) — permission inherited from the parent container.
| |
| | |
| List of basic access permissions:
| |
| | |
| D — delete access;
| |
| F — full access;
| |
| N — no access;
| |
| M — modify access;
| |
| RX — read and execute access;
| |
| R — read-only access;
| |
| W — write-only access.
| |
| </pre>
| |
| Save and copy permissions to file to apply to other files:
| |
| *icacls <path> /save <pathtosavepermissions> /t
| |
| | |
| Restore or copy saved permissions from file:
| |
| *icacls <path> /restore <pathtosavedpermissions>
| |
| | |
| | |
| == File Permissions Powershell Get-Acl Set-Acl == | |
| | |
| Permissions can be managed with the PowerShell Get-Acl and Set-Acl cmdlets:
| |
| *Get-Acl <path>
| |
| | |
| Copy permissions from one file to another:
| |
| *$acl = Get-Acl -Path <pathtocopypermissionsfrom>
| |
| **$acl | Set-Acl -path <pathtocopypermissionsto>
| |
| | |
| If you need to add permissions but don't have an existing ACL to copy them from, you can create an object containing the permissions:
| |
| *New-Object Security.AccessControl.FileSystemAccessRule('IdentityReference\String','FileSystemRights','InheritanceFlags','PropagationFlags','AccessControlType')
| |
| | |
| Details on the options:
| |
| *IdentityReference\String — user or group name (use the following principal format: domain\user)
| |
| *FileSystemRights — permission (for example, Read, Write, etc.)
| |
| *InheritanceFlags and PropagationFlags – these flags determine permission inheritance settings from the parent folder (more details about ACL propagation are described in the Microsoft documentation https://docs.microsoft.com/en-us/previous-versions/ms229747(v=vs.110)?redirectedfrom=MSDN)
| |
| *AccessControlType — allow or deny access to an object (Allow/Deny)
| |
| | |
| Example:
| |
| <pre>
| |
| # get current NTFS permissions
| |
| | |
| $current_acl = Get-ACL -Path "C:\Docs"
| |
| | |
| # create an object with new NTFS permissions
| |
| | |
| $new_acl = New-Object System.Security.AccessControl.FileSystemAccessRule('domain\user', 'Read', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
| |
| | |
| # add new permissions to the current ACL
| |
| | |
| $current_acl.AddAccessRule($new_acl)
| |
| | |
| # Apply an ACL to a folder
| |
| | |
| Set-ACL -Path "C:\Docs" -ACLObject $current_acl
| |
| </pre>
| |
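An added example (not part of the original page): a hypothetical helper, Add-NtfsAccessRule, that wraps the Get-Acl / AddAccessRule / Set-Acl sequence above so it skips a grant that already exists, leaves out inheritance flags on files, and records the previous SDDL before changing anything. The function name, its parameters and the backup file location are assumptions.

```powershell
# Added example: hypothetical helper, not from the original page.
function Add-NtfsAccessRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,    # domain\user or domain\group
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read',
        [string]$BackupFile = (Join-Path $env:TEMP 'acl-backup.tsv')  # assumed location
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $acl  = Get-Acl  -LiteralPath $Path -ErrorAction Stop

    # Resolve the account to a SID first, so a mistyped name fails here
    # and not after the ACL object has been modified.
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Inheritance flags are only valid on folders; AddAccessRule rejects them on a file.
    $flags = if ($item.PSIsContainer) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $inherit = [System.Security.AccessControl.InheritanceFlags]$flags

    # Explicit (non-inherited) rules only, with identities returned as SIDs.
    # This check compares rights only; it does not compare inheritance flags.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $covered = $explicit | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $sid.Value -and
        ([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights
    }
    if ($covered) {
        Write-Verbose "Rights already granted explicitly on $Path; nothing to do."
        return
    }

    $sddlBefore = $acl.Sddl    # captured before the rule is added
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Identity")) {
        # Keep the previous security descriptor so the change can be reviewed later.
        Add-Content -LiteralPath $BackupFile -Value "$Path`t$sddlBefore"
        Set-Acl -LiteralPath $Path -AclObject $acl
        # Read the ACL back and return the account's explicit rules as confirmation.
        (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value }
    }
}
# Dry run against the folder used in the example above:
# Add-NtfsAccessRule -Path 'C:\Docs' -Identity 'domain\user' -Rights Read -WhatIf
```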