PowerShell and Admin Automation › Reporting and Audits · Intermediate · 1-2 hours · Lab build

Build a Safe File Server Permission Audit with PowerShell

Build a read-only PowerShell permission audit for Windows file shares, export remediation candidates, and preserve evidence for an access review without changing ACLs.

Last reviewed: 4/30/2026
Topic: file share permission audits
Tags: PowerShell, Windows Server, CSV Handling

Expected Outcome

You will produce a CSV inventory of the permission entries on every disk share, a second CSV of remediation candidates (entries granting access to identities that are not on your authorized list, with columns for the data owner to record approved exceptions and a ticket reference), and a ZIP evidence package for the access review. No ACL is changed at any point; remediation is planned from the exports and carried out separately.

Assumptions

  • Windows Server with Windows PowerShell 5.1 or PowerShell 7
  • Administrative access to the file server (reading an ACL only needs READ_CONTROL on the folder, so a dedicated audit account with read access to every share root is sufficient and preferable to running as a full administrator)
  • Basic knowledge of PowerShell scripting

Bill of Materials

  • PowerShell ISE or Visual Studio Code with the PowerShell extension
  • Access to the file server
  • A local export folder for the CSV and ZIP output (not one of the shares being audited)

Build Steps

  1. Gather File Share Permissions

    Retrieve the NTFS permission entries on the root folder of every disk share on the server. This reads the NTFS ACL, not the share-level (SMB) permissions; effective access over the network is the more restrictive of the two layers, so a wide NTFS ACL may still be limited by a narrow share ACL, and a wide share ACL does not by itself grant what NTFS denies.

    Safe to run: read-only

    # Type 0 is a disk share; administrative shares such as C$ and ADMIN$ carry a different Type value and are skipped.
    # Get-CimInstance replaces Get-WmiObject, which is deprecated and absent from PowerShell 7.
    $shares = Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Type -eq 0 }
    $permissions = foreach ($share in $shares) {
        # Get-Acl only reads the security descriptor; nothing in this block writes to an ACL.
        foreach ($entry in (Get-Acl -LiteralPath $share.Path).Access) {
            [pscustomobject]@{
                ShareName  = $share.Name
                Path       = $share.Path
                Identity   = [string]$entry.IdentityReference
                Rights     = [string]$entry.FileSystemRights
                AccessType = [string]$entry.AccessControlType
                Inherited  = $entry.IsInherited
            }
        }
    }
  2. Identify Unauthorized Access

    Filter the permission entries to those granting access to identities that your organization's policy does not expect on these shares. The ACL will also contain groups and built-in principals (for example BUILTIN\Administrators, NT AUTHORITY\SYSTEM and CREATOR OWNER); list every principal policy allows, or they will all be flagged. Only Allow entries are candidates: a Deny entry for an unexpected identity reduces access rather than granting it.

    Example pattern only. Adjust for your environment before running.

    # Include groups and built-in principals that policy permits, not just named users.
    # -notin compares case-insensitively, so 'domain\user' and 'DOMAIN\User' match.
    $authorizedUsers = @('Domain\AuthorizedUser1', 'Domain\AuthorizedUser2')
    $unauthorizedUsers = $permissions | Where-Object { $_.AccessType -eq 'Allow' -and $_.Identity -notin $authorizedUsers }
  3. Export Remediation Candidates

    Export the list of unauthorized users to a CSV file for review and remediation planning.

    Example pattern only. Adjust for your environment before running.

    $unauthorizedUsers | Export-Csv -Path 'C:\path\to\export\remediation_candidates.csv' -NoTypeInformation
  4. Review and Remediate Permissions

    Open the exported CSV file, review the unauthorized access candidates, and prepare a remediation plan to adjust permissions accordingly. Start-Process opens the file in whatever application is associated with .csv (typically Excel); treat the raw export as evidence and do not save edits back to it. Record owner decisions in the working copy created in the next step.

    Changes system state: review before running

    Start-Process 'C:\path\to\export\remediation_candidates.csv'
  5. Add owner and exception columns

    Create a working copy that lets the file owner mark approved exceptions before any ACL remediation is planned.

    Example pattern only. Adjust for your environment before running.

    $review = Import-Csv 'C:\path\to\export\remediation_candidates.csv'
    $review |
        ForEach-Object {
            # Empty columns for the data owner to fill in during the review; the raw export is left untouched.
            $_ |
                Add-Member -NotePropertyName DataOwner         -NotePropertyValue '' -PassThru |
                Add-Member -NotePropertyName ApprovedException -NotePropertyValue '' -PassThru |
                Add-Member -NotePropertyName RemediationTicket -NotePropertyValue '' -PassThru
        } |
        Export-Csv 'C:\path\to\export\permission_review_working.csv' -NoTypeInformation
  6. Archive audit evidence

    Save the raw export and working copy together so later remediation can be traced back to the original evidence.

    Example pattern only. Adjust for your environment before running.

    Compress-Archive -Path 'C:\path\to\export\*.csv' -DestinationPath 'C:\path\to\export\file-share-permission-audit.zip' -Force
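The six steps above can be run as one script. The following is an added example written for this lab, not code from the original page: it collects both permission layers for every disk share (share-level ACL via Get-SmbShareAccess and NTFS ACL via Get-Acl), flags Allow entries whose identity is not on an allow-list, exports the full inventory and the candidates with the review columns already added, records a SHA-256 hash of each export before archiving so the evidence can later be shown to be unaltered, and never calls anything that writes an ACL. It assumes the SmbShare module is present (Windows Server 2012 or later), that the export root and the CONTOSO\FileShare-Admins group in the allow-list are placeholders to replace with your own, and that the account running it can read every share root.

```powershell
#Requires -Version 5.1
# Added example for this lab (not from the original page): read-only audit of share-level and
# NTFS permissions on every disk share, with evidence hashing. Assumptions (replace for your
# environment): the SmbShare module is available, C:\Audit\FileShares is writable, and the
# allow-list below reflects your policy. 'CONTOSO\FileShare-Admins' is a placeholder group.
[CmdletBinding()]
param(
    [string]$ExportRoot = 'C:\Audit\FileShares',
    [string[]]$AuthorizedIdentities = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'CREATOR OWNER',
        'CONTOSO\FileShare-Admins'   # placeholder: the group policy expects on these shares
    )
)

$ErrorActionPreference = 'Stop'
$outDir = Join-Path $ExportRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Type 0 = disk share. Administrative shares (C$, ADMIN$, IPC$) have other Type values and are skipped.
$shares = @(Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Type -eq 0 })

$rows = foreach ($share in $shares) {
    # Layer 1: share-level (SMB) permissions, evaluated before NTFS for network access.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            ShareName = $share.Name;  Path = $share.Path;  Layer = 'Share'
            Identity  = $ace.AccountName
            Rights    = [string]$ace.AccessRight
            AccessType = [string]$ace.AccessControlType
            Inherited = $false
        }
    }
    # Layer 2: NTFS ACL on the share root. Get-Acl only reads the security descriptor.
    try {
        $acl = Get-Acl -LiteralPath $share.Path
    } catch {
        Write-Warning "Cannot read NTFS ACL for $($share.Name) ($($share.Path)): $_"
        continue
    }
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            ShareName = $share.Name;  Path = $share.Path;  Layer = 'NTFS'
            Identity  = [string]$ace.IdentityReference
            Rights    = [string]$ace.FileSystemRights
            AccessType = [string]$ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# Only Allow entries for identities outside the allow-list are remediation candidates;
# Deny entries restrict access and stay in the full inventory only.
$candidates = @($rows | Where-Object { $_.AccessType -eq 'Allow' -and $_.Identity -notin $AuthorizedIdentities })

$rows | Export-Csv -LiteralPath (Join-Path $outDir 'share_permissions_full.csv') -NoTypeInformation -Encoding UTF8
$candidates |
    Select-Object *, @{n = 'DataOwner'; e = { '' } }, @{n = 'ApprovedException'; e = { '' } }, @{n = 'RemediationTicket'; e = { '' } } |
    Export-Csv -LiteralPath (Join-Path $outDir 'remediation_candidates.csv') -NoTypeInformation -Encoding UTF8

# Evidence integrity: hash every export first, then write the hash list, then archive everything.
$hashes = Get-ChildItem -LiteralPath $outDir -Filter *.csv |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf } }, Algorithm, Hash
$hashes | Export-Csv -LiteralPath (Join-Path $outDir 'evidence_hashes.csv') -NoTypeInformation -Encoding UTF8
Compress-Archive -Path (Join-Path $outDir '*.csv') -DestinationPath (Join-Path $outDir 'file-share-permission-audit.zip')

Write-Output ("Shares audited: {0}; permission rows: {1}; remediation candidates: {2}; output: {3}" -f `
    $shares.Count, @($rows).Count, $candidates.Count, $outDir)
```

Run it from an elevated or audit-account session on the file server; each run lands in its own timestamped folder so successive audits can be compared. If no candidate is found, Export-Csv receives no objects and remediation_candidates.csv is not created, which is the expected result rather than an error. Keeping Deny entries out of the candidate list matters: flagging them would push reviewers toward removing entries that currently reduce access.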

Validation

  • Verify the exported CSV contains the expected rows: one line per flagged Allow entry, with ShareName, Path, Identity, Rights, AccessType and Inherited populated, and no built-in or policy-approved principal listed as a candidate.
  • Cross-check the full permission export against your organization's access policy, share by share, to confirm every remaining Allow entry is expected.
  • Confirm nothing was changed: the steps call only Get-CimInstance, Get-Acl, Export-Csv, Import-Csv, Add-Member and Compress-Archive, none of which writes a security descriptor; re-running step 1 should return the same entries as the first export.

Troubleshooting

  • If Get-Acl fails for a share path, confirm the share still has a local path and that the audit account can read permissions on it (READ_CONTROL on the share root).
  • If group names are unclear, expand nested groups in a separate report before recommending ACL changes; a single group entry can hide a large indirect membership.
  • If the candidate export is empty, check that the authorized list is not so broad that it whitelists everything; if nearly every entry is flagged, the list is probably missing the built-in principals and groups policy permits.
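For the nested-group case, the following is an added example (not part of the original lab) that flattens each Active Directory group found in the candidate list into its direct and indirect user members, so a reviewer can see who actually gains access through a group entry. It assumes the ActiveDirectory RSAT module is installed on the audit machine, that the machine is domain-joined and the account can read group membership, and that the candidate file is at the placeholder path the lab uses. Built-in and local principals (BUILTIN\..., NT AUTHORITY\..., CREATOR OWNER, local machine accounts) have no domain object and are skipped deliberately: resolving 'Administrators' against the domain would return the domain built-in group, which is not the same principal as BUILTIN\Administrators on a member server.

```powershell
# Added example (not from the original page): flatten nested AD groups referenced in the
# candidate export. Assumes the ActiveDirectory module (RSAT) is available and the export
# path below is the lab's placeholder path.
Import-Module ActiveDirectory

function Expand-GroupIdentity {
    param([Parameter(Mandatory)][string]$Identity)

    # Identities are 'DOMAIN\Name'. Anything without a domain part, or from the local machine
    # or a well-known authority, has no AD object and must not be resolved against the domain.
    $domain, $name = $Identity -split '\\', 2
    if (-not $name) { return }
    if ($domain -in @('BUILTIN', 'NT AUTHORITY', 'NT SERVICE', $env:COMPUTERNAME)) { return }

    # -Identity accepts a SamAccountName and throws when the object is not a group (or not found);
    # users and unknown SIDs in the candidate list are therefore skipped rather than expanded.
    try { $group = Get-ADGroup -Identity $name -ErrorAction Stop } catch { return }

    # -Recursive walks nested groups and returns the leaf principals; only user objects are kept.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                Group             = $Identity
                Member            = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$candidates = Import-Csv 'C:\path\to\export\remediation_candidates.csv'
$candidates.Identity |
    Sort-Object -Unique |
    ForEach-Object { Expand-GroupIdentity -Identity $_ } |
    Export-Csv 'C:\path\to\export\group_membership_expanded.csv' -NoTypeInformation
```

Groups from a trusted foreign domain appear in the candidate list under that domain's NetBIOS name and will not resolve through the local domain controller; run the expansion against that domain with -Server, or report them as unresolved. Get-ADGroupMember -Recursive also stops with an error on very large groups (the Active Directory Web Services default limit is 5000 members), in which case the membership has to be enumerated through the member attribute instead.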

Cleanup or Rollback

  • This lab is intended to be read-only. Do not modify ACLs from the audit script.
  • Remove temporary CSV files from shared locations after the review package is archived.
  • Store the ZIP evidence in the ticket or access-review repository according to retention policy.

Next Improvements

  • Schedule the audit as a recurring task under a dedicated read-only account and diff each export against the previous one, so permission drift between reviews is visible rather than rediscovered from scratch.
  • Enable object-access auditing on the share roots so that permission changes (event ID 4670, "Permissions on an object were changed") are logged between audits and can be correlated with change tickets.
  • Extend the inventory to share-level (SMB) permissions alongside the NTFS ACLs, since effective access depends on both layers.