PowerShell: Building an Enterprise File Sharing Environment: ACLs, Group-Based Management, Access Auditing and Data Leak Prevention
When you build a file server in an enterprise, the core technical pieces are the share configuration (SMB Share), the NTFS permissions (ACL), group-based management, and access auditing (Audit). Automating these steps with PowerShell not only removes manual configuration mistakes, it also keeps deployments consistent across many servers.
This post walks through the complete build process for a Windows file server, covering:
- Installing the File Server role
- Creating the folder structure: department / project / public
- Creating SMB shares with PowerShell
- A group-centric NTFS ACL permission model
- Enabling auditing and analysing the logs
- Settings that prevent data leakage (Access-Based Enumeration, blocking dangerous file types)
Part 1: Installing the File Server role
On Windows Server the File Server role can be installed through the GUI or with PowerShell. For scripted automation use:
# Install the File Server role
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools
Confirm the role is installed (InstallState should read Installed):
Get-WindowsFeature FS-FileServer
Part 2: Suggested enterprise folder structure
D:\FileShares\
├── Public\
├── HR\
├── Finance\
├── IT\
└── Project\
    ├── P001\
    ├── P002\
    └── P003\
Create the folders (repeat for IT and the Project subfolders):
New-Item -Path "D:\FileShares\Public" -ItemType Directory
New-Item -Path "D:\FileShares\HR" -ItemType Directory
New-Item -Path "D:\FileShares\Finance" -ItemType Directory
Part 3: Enterprise AD group permission model
Large enterprises use the "AGDLP model":
- Accounts (users)
- Global Groups (department groups)
- Domain Local Groups (permission groups)
- Permissions (ACLs applied to the domain local groups)
Users go into the global group for their department, that global group is nested in a domain local group that stands for one permission level on one resource (for example Modify on the HR share), and only the domain local group ever appears in an ACL. Moving a person between departments then touches group membership only, never the file system.
Create the groups (example):
# Create department groups
New-ADGroup -Name "GG-HR" -GroupScope Global -Path "OU=Groups,DC=corp,DC=local"
New-ADGroup -Name "GG-Finance" -GroupScope Global -Path "OU=Groups,DC=corp,DC=local"
# Create permission groups (one per resource and access level)
New-ADGroup -Name "DL-HR-Modify" -GroupScope DomainLocal -Path "OU=Groups,DC=corp,DC=local"
New-ADGroup -Name "DL-HR-Read" -GroupScope DomainLocal -Path "OU=Groups,DC=corp,DC=local"
New-ADGroup -Name "DL-FIN-Read" -GroupScope DomainLocal -Path "OU=Groups,DC=corp,DC=local"
# Nest the GG groups into the DL groups
Add-ADGroupMember -Identity "DL-HR-Modify" -Members "GG-HR"
Add-ADGroupMember -Identity "DL-FIN-Read" -Members "GG-Finance"
Part 4: Creating the SMB share (with Access-Based Enumeration)
Create the share for the HR folder. The share-level permissions reference the domain local groups from Part 3 (both DL-HR-Modify and DL-HR-Read must exist). If you leave out every -*Access parameter, New-SmbShare falls back to Everyone / Read at the share level, so always name the principals explicitly:
New-SmbShare -Name "HR" -Path "D:\FileShares\HR" -FullAccess "DL-HR-Modify" -ReadAccess "DL-HR-Read" -EncryptData $true
Enable Access-Based Enumeration (users without permission do not even see the folder names). Set-SmbShare asks for confirmation by default, so -Force is needed in a script:
Set-SmbShare -Name "HR" -FolderEnumerationMode AccessBased -Force
Confirm the settings took effect (check FolderEnumerationMode and EncryptData in the output):
Get-SmbShare -Name "HR" | fl *
Part 5: Setting NTFS permissions (ACL)
Grant the rights to the DL groups. Note that the ACEs below are added on top of whatever the folder inherits from D:\; on a default volume that includes BUILTIN\Users with read and create rights, so for a department share you should also disable inheritance on the folder (SetAccessRuleProtection on the ACL object) and keep only SYSTEM, Administrators and the DL groups. If a group name cannot be resolved, Set-Acl fails with IdentityNotMappedException; the domain-qualified form (CORP\DL-HR-Modify) avoids most of those cases.
# Get the current ACL
$acl = Get-Acl "D:\FileShares\HR"
# Build the access rule (Modify, inherited by subfolders and files)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DL-HR-Modify","Modify","ContainerInherit,ObjectInherit","None","Allow")
# Apply it
$acl.AddAccessRule($rule)
Set-Acl -Path "D:\FileShares\HR" -AclObject $acl
Grant Read rights:
$acl = Get-Acl "D:\FileShares\Finance"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("DL-FIN-Read","ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.AddAccessRule($rule)
Set-Acl "D:\FileShares\Finance" $acl
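The steps of Parts 2 to 5 combined into one re-runnable provisioning function, as an added example that is not part of the original post. It assumes the CORP domain, the OU=Groups container and the D:\FileShares root used in the text, and it adds one thing the step-by-step commands above leave out: inheritance from D:\ is broken before the DL groups are granted, so the volume's default BUILTIN\Users entry does not survive on the share.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example, not from the original post. Assumed values: domain NetBIOS name CORP,
# groups under OU=Groups,DC=corp,DC=local, shares under D:\FileShares.
$Domain  = 'CORP'
$GroupOU = 'OU=Groups,DC=corp,DC=local'
$Root    = 'D:\FileShares'

function New-DeptShare {
    param([Parameter(Mandatory)][string]$Dept)   # e.g. HR, Finance

    $gg     = "GG-$Dept"
    $dlMod  = "DL-$Dept-Modify"
    $dlRead = "DL-$Dept-Read"
    $path   = Join-Path $Root $Dept

    # 1. AGDLP groups: create only what is missing so the function can be re-run
    foreach ($g in @(@{ Name = $gg;     Scope = 'Global' },
                     @{ Name = $dlMod;  Scope = 'DomainLocal' },
                     @{ Name = $dlRead; Scope = 'DomainLocal' })) {
        if (-not (Get-ADGroup -Filter "Name -eq '$($g.Name)'")) {
            New-ADGroup -Name $g.Name -GroupScope $g.Scope -GroupCategory Security -Path $GroupOU
        }
    }
    # Department staff get Modify. DL-*-Read stays empty until another department needs it.
    if (-not (Get-ADGroupMember -Identity $dlMod | Where-Object SamAccountName -eq $gg)) {
        Add-ADGroupMember -Identity $dlMod -Members $gg
    }

    # 2. Folder
    $null = New-Item -Path $path -ItemType Directory -Force

    # 3. NTFS: stop inheriting from D:\ (which carries BUILTIN\Users read/create by
    #    default) and grant an explicit, minimal set of ACEs.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)      # protect; do not copy inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $aces = @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = "$Domain\$dlMod";         Rights = 'Modify' },
        @{ Id = "$Domain\$dlRead";        Rights = 'ReadAndExecute' }
    )
    foreach ($a in $aces) {
        # Throws IdentityNotMappedException if the DC the file server talks to has not
        # yet replicated a freshly created group; re-run once replication has caught up.
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $a.Id, $a.Rights, $inherit, 'None', 'Allow'))
    }
    Set-Acl -Path $path -AclObject $acl

    # 4. Share: the same DL groups at the share level, ABE on, encryption on, no Everyone
    if (Get-SmbShare -Name $Dept -ErrorAction SilentlyContinue) {
        Set-SmbShare -Name $Dept -FolderEnumerationMode AccessBased -EncryptData $true -Force
    } else {
        $null = New-SmbShare -Name $Dept -Path $path `
            -FullAccess "$Domain\$dlMod" -ReadAccess "$Domain\$dlRead" `
            -FolderEnumerationMode AccessBased -EncryptData $true
    }

    # 5. Verification summary: the facts an auditor will ask for
    $share = Get-SmbShare -Name $Dept
    [pscustomobject]@{
        Share    = $share.Name
        Path     = $path
        NtfsAces = (Get-Acl -Path $path).Access |
                   ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        ShareAcl = Get-SmbShareAccess -Name $Dept |
                   ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }
        ABE      = $share.FolderEnumerationMode
        Encrypt  = $share.EncryptData
    }
}

New-DeptShare -Dept HR
New-DeptShare -Dept Finance
```

Run it on the file server as a domain account that can create groups in the OU and is a local administrator on the server. The returned object is worth keeping as a deployment record: NtfsAces should list exactly SYSTEM, Administrators and the two DL groups, and ShareAcl must not contain Everyone.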
Part 6: Enabling auditing to track who reads and writes data
Step 1: enable the local audit policy for the File System subcategory:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
In a domain, advanced audit policy delivered by GPO overrides this local setting, so put the same setting ("Audit File System" under Object Access) into the file server's GPO or it will be reverted at the next policy refresh.
Step 2: add an audit rule (a SACL entry) to the HR folder. Get-Acl must be called with -Audit so that the SACL is part of what you read and write back; the default call only handles the DACL. The rule below records both successful and failed writes, matching the policy from step 1:
$acl = Get-Acl "D:\FileShares\HR" -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("GG-HR","Write","ContainerInherit,ObjectInherit","None","Success,Failure")
$acl.AddAuditRule($auditRule)
Set-Acl "D:\FileShares\HR" $acl
A rule scoped to GG-HR only records members of that group; to catch every principal, including admins and service accounts, audit Everyone instead. The Security log then shows who created, modified or deleted files: event 4663 (an attempt was made to access an object, carrying the account, the ObjectName and the access mask) and event 4660 (object deleted). 4663 is written per handle operation, so a single save in an application can produce several events.
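Reading those events back is the part most write-ups skip. The following is an added example, not code from the original post: it pulls 4663 events for the HR share out of the Security log, decodes the access mask bits that matter for change tracking, and summarises writes and deletes per user. It assumes the auditing from Part 6 is in place and the share path D:\FileShares\HR; the mask-to-name table covers the standard NTFS access bits (FILE_READ_DATA 0x1, FILE_WRITE_DATA 0x2, FILE_APPEND_DATA 0x4, DELETE 0x10000, WRITE_DAC 0x40000, WRITE_OWNER 0x80000).

```powershell
# Added example, not from the original post. Assumes Part 6 auditing is enabled and
# that the HR share lives at D:\FileShares\HR.
$AuditPath = 'D:\FileShares\HR'

# Access-mask bits that matter for "who changed what"
$MaskNames = [ordered]@{
    0x1     = 'ReadData'
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
    0x40000 = 'WriteDac'      # ACL change
    0x80000 = 'WriteOwner'
}

function ConvertTo-AccessNames([int]$Mask) {
    ($MaskNames.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $MaskNames[$_] }) -join ','
}

function Get-ShareAccessEvents {
    param(
        [string]$Path = $AuditPath,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; flatten it into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # ObjectName is the local NTFS path even when the access came in over SMB
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = ConvertTo-AccessNames ([int]$d.AccessMask)   # AccessMask arrives as "0x2"
                Process = $d.ProcessName
            }
        }
    }
}

# Usage: every write or delete under the HR share in the last day, grouped per user
Get-ShareAccessEvents |
    Where-Object Access -match 'Write|Append|Delete' |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Objects'; e = { ($_.Group.Object | Select-Object -Unique) -join '; ' } }
```

Run it elevated (reading the Security log needs local administrator or the Event Log Readers group). A 4660 deletion event carries only a HandleId, so for "who deleted file X" look for the 4663 event with Delete in its access list instead; the HandleId links the two if you need the exact moment of removal.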
Part 7: Preventing data leakage (DLP basics)
- Access-Based Enumeration: folders the user has no permission to are hidden outright.
- Block uploads of dangerous executable types (exe, bat, ps1)
- Enforce SMB encryption (prevents sniffing of share traffic on the wire)
- Use File Screening (FSRM) to block specific file types
Enable SMB encryption server-wide:
Set-SmbServerConfiguration -EncryptData $true -Force
With server-wide encryption, clients that cannot do SMB 3 encryption are refused (RejectUnencryptedAccess defaults to $true), so test legacy clients, printers and scanners before turning it on. Per-share encryption (-EncryptData on the share, as in Part 4) is the softer option.
Block executables (FSRM). The cmdlets need the File Server Resource Manager feature installed first, and the file group is attached to the screen with -IncludeGroup:
# Prerequisite: the FSRM feature
Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager
New-FsrmFileGroup -Name "BlockExe" -IncludePattern @("*.exe","*.bat","*.ps1")
New-FsrmFileScreen -Path "D:\FileShares\Public" -IncludeGroup "BlockExe" -Active:$true
-Active:$true makes the screen block the write (active screening) rather than only log it. Keep in mind that FSRM matches on file name only; renaming payload.exe to payload.txt bypasses it, so treat file screening as hygiene, not as a control against a determined user.
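Settings like these drift: a share gets recreated by hand, SMB1 is re-enabled for an old scanner, a screen is removed during troubleshooting. The function below is an added example, not code from the original post, that checks a server against the Part 4 and Part 7 settings and returns one finding per gap. It is read-only; remediation is left to the cmdlets already shown above. The checks assume the user-facing shares are the non-special ones (the $-suffixed admin and IPC shares are skipped).

```powershell
# Added example, not from the original post. Read-only check of the settings this post
# configures; run on the file server itself.
function Test-FileServerHardening {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Server-wide SMB settings
    $srv = Get-SmbServerConfiguration
    if (-not $srv.EncryptData)             { $findings.Add('Server: EncryptData is off') }
    if (-not $srv.RejectUnencryptedAccess) { $findings.Add('Server: unencrypted clients are still accepted') }
    if ($srv.EnableSMB1Protocol)           { $findings.Add('Server: SMB1 is enabled') }

    # Per-share settings, skipping hidden admin/IPC shares
    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    foreach ($s in $shares) {
        if ($s.FolderEnumerationMode -ne 'AccessBased') {
            $findings.Add("Share $($s.Name): Access-Based Enumeration is off")
        }
        $everyone = Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
        if ($everyone) {
            $findings.Add("Share $($s.Name): 'Everyone' has $($everyone.AccessRight -join ',') at the share level")
        }
        # An NTFS ACE for BUILTIN\Users means the volume-root defaults were inherited
        $users = (Get-Acl -Path $s.Path).Access |
            Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' }
        if ($users) {
            $findings.Add("Share $($s.Name): BUILTIN\Users still has NTFS rights on $($s.Path)")
        }
    }

    # File screening, only if FSRM is installed
    if (Get-Command Get-FsrmFileScreen -ErrorAction SilentlyContinue) {
        foreach ($s in $shares) {
            if (-not (Get-FsrmFileScreen -Path $s.Path -ErrorAction SilentlyContinue)) {
                $findings.Add("Share $($s.Name): no FSRM file screen on $($s.Path)")
            }
        }
    } else {
        $findings.Add('FSRM cmdlets not available (Install-WindowsFeature FS-Resource-Manager)')
    }

    $findings   # empty list means every check passed
}

Test-FileServerHardening
```

For the server-level findings the fix is Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -EnableSMB1Protocol $false -Force; the share-level ones are fixed with Set-SmbShare / Revoke-SmbShareAccess and the NTFS step from Part 5. Scheduling this as a task that writes its output to a log gives you a drift alarm for free.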
Closing remarks
PowerShell can automate the entire build of an enterprise file server, removing manual configuration mistakes and making permission management more consistent and more secure. This post covered the configuration most enterprises actually use: SMB shares, NTFS ACLs, group-based management, auditing and leak prevention. It can serve as a standard blueprint for enterprise IT, MIS and system administrators deploying a Windows File Server.