
Microsoft Resource Kits - IIS 6.0 Resource Kit

Permissions Verifier - IIS 6.0 Resource Kit Utility on Windows-Management.com


The IIS 6.0 Resource Kit Tools help you administer, secure, and manage IIS (Internet Information Server). Use the resource kit to query log files, deploy SSL certificates, employ custom site authentication, verify permissions, troubleshoot problems, migrate your server, run stress tests, and more.


Permissions Verifier - Define a group of tasks that check permissions and privileges.


Permissions Verifier version 1.0 allows you to define a group of tasks that check permissions and privileges, and to select which tasks will execute at run time. Permissions Verifier provides sample XML configuration files that you can use to verify permissions on a server running Internet Information Services (IIS). You can expand on these sample files to enable the tool to check Access Control Lists (ACLs) and permissions for users and groups. This allows you to verify that permissions issues are not causing Web server problems. You can further customize the sample XML configuration files to add tasks and to change the tasks that are performed. In addition, you can create new XML configuration files and define new tasks and XML tags.

Permissions Verifier can perform five predefined tasks, which are specified in the sample XML configuration files installed with the tool:
  • Check file system ACLs with FileSystem.xml
  • Check registry key ACLs with Registry.xml
  • Check metabase ACLs with Metabase.xml
  • Check user privileges with RightsPolicies.xml
  • Check IIS minimum permissions with IIS6MinPermsVerif.xml

The Permissions Verifier files are saved in the LocalDrive:\Program Files\IIS Resources\Permissions Verifier directory. By default, this directory has an ACL set that restricts access to members of the Administrators group. This ACL is set as a security measure to prevent individuals who are not members of the Administrators group from gaining access to restricted information that was obtained from previous executions of Permissions Verifier by an administrator.

The following XML sample configuration files, which perform checks on permissions and privileges, are installed with Permissions Verifier and are saved in the LocalDrive:\Program Files\IIS Resources\Permissions Verifier\Samples directory:
  • FileSystem.xml, which performs file system permissions checks - The FileSystem.xml file contains a sample filesystem check type (which examines file system permissions). This sample configuration file provides the syntax to check that the Administrator group has Full Control, the System group has Full Control, and the Users group has Read Access. You can extend this XML file to check for the permissions of other users, including custom users, and groups.
  • Registry.xml, which checks the permissions stored in the registry - The Registry.xml file contains a sample registry check type (which checks permissions stored in the registry). This sample file checks that the following ACLs are set for the registry path HKLM\System\CurrentControlSet\Services\IISAdmin:
    - Administrators: Full Control
    - System: Full Control
    You can extend the file to check for the ACLs on other registry paths.
  • Metabase.xml, which checks the permissions stored in the metabase - The Metabase.xml file contains a sample metabase check type (which checks permissions stored in the metabase). This sample file checks that the /w3svc/AllowKeepAlive setting is set to True. You can expand the file to check for other metabase settings.
  • RightsPolicies.xml, which performs policy checks - The RightsPolicies.xml file contains a sample policy check type (which checks a privilege expressed as a policy). This sample file checks only that the SeInteractiveLogonRight privilege (log on locally) is assigned to the Administrators group, the ASPNet account, and the IUSR_ComputerName account. You can expand the file to check the rights and policies for other groups and accounts.
  • IIS6MinPermsVerif.xml, which performs server permission checks



Syntax


Permissions Verifier uses the following syntax:
Permissions Verifier.js [-Tag:Value] [-Log:Value] [-Verbose:Value] [-Config:Value] [-Logdir:Value]

Parameters
-Tag:IIS | comma-delimited list
Specifies the name or names of tags used to group tasks. IIS is the default value. You can include multiple tag names in a comma-delimited list. For complete lists of attribute values that can be assigned as tag names, see Examples. If you list multiple tag names, a logical AND condition is implied. For example:
Tag:IIS runs any group of tasks that explicitly has the following characteristics:
 
-OR- 
 without 

Tag:IIS,ASP.NET runs any group of tasks that explicitly has the following characteristics:
 AND  
-OR-
 without  OR  

-Log:text | no
Specifies whether Permissions Verifier logs all output to a log file, and, if so, the format of the log file. The default is text, which directs Permissions Verifier to report the data returned by the check along with a date stamp and save it as a Unicode-encoded text file.

-Verbose:no | yes
Specifies that Permissions Verifier should report additional information that can be used for debugging during execution. Permissions Verifier does not provide guidance for interpreting the additional information.

-Config:Default.xml | filename
Specifies the custom XML configuration file that Permissions Verifier should use. Use this parameter to specify only custom XML files that contain different checks than those provided by Permissions Verifier. The XML configuration file that you specify must be in either the same directory as Permissions Verifier.js or in a subdirectory of the directory that contains Permissions Verifier.js.

-LogDir:current directory | any directory
Specifies where the Permissions Verifier log that is produced when the tool is run should be saved.



System Requirements

Permissions Verifier runs on the Microsoft® Windows NT® 4.0 with Service Pack 6 or later operating systems, and on the Windows® 2000, Windows XP Professional, and Windows Server 2003 operating systems.


Sample

Permissions Verifier relies on an XML configuration file to specify the tasks it should perform and the includes/excludes tag names that provide logical groupings for the tasks. Permissions Verifier uses the tags in the -Tag: command to match and select the logical group of tasks to be executed. The selected tasks are processed and executed by custom-defined functions. The following example of an XML configuration file conducts checks, then conducts additional, conditional checks based on the results of the first checks:
<iischecker>
  <checks>
    <tags>
      <include value="IIS" />
      <include value="W2K" />
    </tags>
    <check type="filesystem">
      <path name="%WINDIR%\System32\inetsrv\a*.dll" />
      <token type="user/group" name="administrator" permission="Read,ReadAndExecute,Write,Modify,Full" />
      <token type="user/group" name="System" permission="Full" />
      <token type="user/group" name="Users" permission="Read,ReadAndExecute" />
    </check>
    <check type="metabase">
      <path name="/W3SVC" />
      <token type="user/group" name="Everyone" permission="Read" />
    </check>
    <check type="registry">
      <path name="HKLM\System\CurrentControlSet\Services\IISAdmin" />
      <token type="user/group" name="Administrators" permission="FullControl" />
      <token type="user/group" name="System" permission="Read,FullControl" />
    </check>
    <check type="policy">
      <privilege name="SeBatchLogonRight" />
      <token type="user/group" name="IUSR_MACHINENAME" />
      <token type="user/group" name="IWAM_MACHINENAME" />
    </check>
  </checks>
  <checks>
    <tags>
      <include value="W2K" />
      <exclude value="IIS" />
    </tags>
    <check type="analysis">
      <analysis>
        <predicates>
          <predicate name="/KeyType" value="IIsWebVirtualDir" />
          <predicate name="/AuthAnonymous" value="true" />
        </predicates>
        <check type="filesystem">
          <path name="/Path" />
          <token name="/AnonymousUserName" permission="Read" />
        </check>
      </analysis>
    </check>
  </checks>
</iischecker>
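
A configuration file is itself the baseline of expected permissions, so it is worth reviewing before it is used to judge a server. The following is an added example, not part of the resource kit or the original page: it parses a constructed configuration in the format shown above, flattens every check (including one nested in an analysis block), and flags entries where the baseline expects a broad principal to hold write-class permissions. The function names and the set of principals treated as broad are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed input in the page's format: trimmed from the sample, plus one
# deliberately loose entry (Users with Modify) so the review has a finding.
CONFIG = r"""<iischecker>
  <checks>
    <tags><include value="IIS" /><include value="W2K" /></tags>
    <check type="filesystem">
      <path name="%WINDIR%\System32\inetsrv\a*.dll" />
      <token type="user/group" name="System" permission="Full" />
      <token type="user/group" name="Users" permission="Read,Modify" />
    </check>
    <check type="policy">
      <privilege name="SeBatchLogonRight" />
      <token type="user/group" name="IUSR_MACHINENAME" />
    </check>
  </checks>
  <checks>
    <tags><include value="W2K" /><exclude value="IIS" /></tags>
    <check type="analysis"><analysis>
      <predicates><predicate name="/AuthAnonymous" value="true" /></predicates>
      <check type="filesystem">
        <path name="/Path" />
        <token name="/AnonymousUserName" permission="Read" />
      </check>
    </analysis></check>
  </checks>
</iischecker>"""

BROAD = {"everyone", "users"}                       # assumption: principals treated as broad
WRITE = {"write", "modify", "full", "fullcontrol"}  # write-class names seen in the sample

def expectations(xml_text):
    """Flatten checks into (include_tags, check_type, target, principal, permissions)."""
    rows = []
    for group in ET.fromstring(xml_text).findall("checks"):
        inc = tuple(t.get("value") for t in group.findall("tags/include"))
        for check in group.iter("check"):           # iter() also reaches nested checks
            target = next((e for e in check if e.tag in ("path", "privilege")), None)
            if target is None:                      # wrapper such as type="analysis"
                continue
            for tok in check.findall("token"):
                perms = [p for p in (tok.get("permission") or "").split(",") if p]
                rows.append((inc, check.get("type"), target.get("name"), tok.get("name"), perms))
    return rows

def loose_entries(rows):
    """Rows where the baseline expects a broad principal to hold write-class rights."""
    return [r for r in rows if (r[3] or "").lower() in BROAD and WRITE & {p.lower() for p in r[4]}]
```

The flattened rows drop the predicates, so a nested check is listed even though the tool would run it only conditionally.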