NTFS

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

When dealing with Windows NTFS file system permissions, one quickly encounters the SYNCHRONIZE access right, the purpose of which may not be obvious. SYNCHRONIZE belongs to the standard access rights, just like DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER.

This is an attempt at demystification. In the Windows world, links in the file system are often regarded as obscure, except for the infamous .LNK files, of course. But file system links are neither freaky UNIX/Linux command line stuff, nor are they new: Microsoft’s OS offers two types of links since Windows 2000 and a third type since Vista/Server 2008. And boy, can they come in handy!

It is a common practice amongst administrators to disable the creation of short filenames on NTFS. I freely admit to have recommended this in the past. Was I wrong? Background