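'========================================================================================================
'========================================================================================================
' ### Script: acl_content.vbs
' ### ScriptVersion: 1
' ### Created: 04/16/04
' ### Group: AHS
' ### Contact: tim at blackpondfarm.com
' ### Description: recurses through all directories and subdirectories in a path and applies deny acls
' ### Description: unless a directory is in an exempt path.
'
' Usage: cscript acl_content.vbs <server> <target>
'   server  NetBIOS name of the host whose <drive>$\webcontent\ and <drive>$\staging\ shares are walked
'           ("localhost" is replaced by %COMPUTERNAME%)
'   target  CompanyA, life or CompanyB (matched case-insensitively). Selects <target>_paths.txt as
'           the exception list and the per-directory policy applied in SecureObject.
'
' All ACL changes are made by shelling out to xcacls. Because the script runs under
' "On Error Resume Next", every modifying xcacls call has its exit code checked and logged, so a
' directory or file that did NOT receive its ACE shows up in the log instead of being skipped silently.
' The log file <server>-<target>.log is truncated once per run and receives both passes.
'========================================================================================================
'========================================================================================================
Option Explicit
On Error Resume Next

Dim wshShell, wshFile
Dim strServer
Dim objArgs
Dim strInputFile, strOutputFile
Dim objDictionary
Dim strPath
Dim Drive, Target

Set objDictionary = CreateObject("Scripting.Dictionary")
Set wshShell = WScript.CreateObject("WScript.Shell")
Set wshFile = WScript.CreateObject("Scripting.FileSystemObject")

' Make sure the host is cscript; if not, switch the default host and stop (see VerifyCscript)
If InStr(1, WScript.FullName, "cscript.exe", 1) = 0 Then VerifyCscript()

Set objArgs = WScript.Arguments
If objArgs.Count <> 2 Then
    ShowUsage
    WScript.Quit
End If

strServer = objArgs(0)
' Target is lowercased once here; every comparison below lowercases its literal as well, so that
' "CompanyA", "companya" and "COMPANYA" on the command line all select the same policy.
Target = LCase(objArgs(1))
' NTFS file names are case-insensitive, so "companya_paths.txt" opens CompanyA_paths.txt
strInputFile = Target & "_paths.txt"

If LCase(strServer) = "localhost" Then strServer = wshShell.ExpandEnvironmentStrings("%computername%")

Get_Disks
' Get_Disks has no error handler: if its WMI query fails the procedure is abandoned and Drive is
' left empty, so anything other than "C$\" is normalised to the E$ share here.
If Drive <> "C$\" Then Drive = "E$\"

strOutputFile = strServer & "-" & Target & ".log"
' Start every run with a fresh log; DoNext appends, so the webcontent and staging passes both survive
If wshFile.FileExists(strOutputFile) Then wshFile.DeleteFile strOutputFile

strPath = LCase("\\" & strServer & "\" & Drive & "webcontent\")
DoNext
strPath = LCase("\\" & strServer & "\" & Drive & "staging\")
DoNext

Screenout "Completed at " & Time & " " & Date
WScript.Quit

'========================================================================================================
' ShowUsage: prints the command-line help to the console.
'========================================================================================================
Sub ShowUsage
    WScript.Echo "Usage: acl_content.vbs <server> <target>"
    WScript.Echo ""
    WScript.Echo "Recurses through all directories and subdirectories in a path and applies deny ACLs"
    WScript.Echo "unless a directory is in an exempt path."
    WScript.Echo ""
    WScript.Echo "Uses exception file of CompanyA_paths.txt for CompanyA content, life_paths.txt for Life content,"
    WScript.Echo "or CompanyB_paths.txt for content to be secured from CompanyB."
End Sub

'========================================================================================================
' DoNext: applies the Target policy to the share named by the global strPath.
' Loads the exception list from strInputFile into objDictionary; for the CompanyA target the Life
' exception list is loaded as well so Life content is never ACL'd. Log lines go to strOutputFile.
'========================================================================================================
Sub DoNext
    Screenout "Applying " & Target & " ACL's to " & strPath
    Screenout "Starting " & Time & " " & Date & " on server " & strServer
    Screenout "Logging to " & strOutputFile

    Screenout "Reading list of directories from " & strInputFile
    BuildFilter()

    ' If we're securing CompanyA content, then also add Life content
    ' to our exception list so we don't apply ACL's
    If Target = LCase("CompanyA") Then
        strInputFile = "life_paths.txt"
        BuildFilter()
    End If

    Screenout "Preparing to ACL directories..."
    WScript.Sleep 2000
    Screenout ""
    Recursedir strPath
End Sub

'========================================================================================================
' BuildFilter: reads strInputFile (one URL or path per line) and adds each share-relative directory
' key to objDictionary. Duplicate keys are logged as "Discarding"; blank lines are ignored.
' An unreadable exception file is logged and leaves the dictionary unchanged.
'========================================================================================================
Function BuildFilter()
    On Error Resume Next
    Dim wshTempFile, key

    ' Build a list of directories to skip
    ' Open filter file
    Set wshTempFile = wshFile.OpenTextFile(strInputFile, 1)
    If Err.Number <> 0 Then
        Screenout "Cannot open " & strInputFile & ": " & Err.Description
        Err.Clear
        Exit Function
    End If

    Do While Not wshTempFile.AtEndOfStream
        key = UrlToSharePath(wshTempFile.ReadLine)
        If Len(key) = 0 Then
            ' Blank line or a bare "http://host/" names no directory - nothing to exempt
        ElseIf objDictionary.Exists(key) Then
            Screenout "Discarding " & key
        Else
            objDictionary.Add key, 1
            Screenout key
        End If
    Loop

    wshTempFile.Close
    WScript.DisconnectObject wshTempFile
    Set wshTempFile = Nothing
End Function

'========================================================================================================
' UrlToSharePath: converts one exception-file line to the dictionary key format.
' "http://host/CompanyA/docs/" becomes "companya\docs": scheme and host are dropped when "://" is
' present (a line without it is used as-is), "/" becomes "\", and trailing separators are removed
' one character at a time so "companya\" keys as "companya". Returns "" for blank input.
'========================================================================================================
Function UrlToSharePath(rawLine)
    Dim s, pos
    s = LCase(Trim(rawLine))

    pos = InStr(s, "://")
    If pos > 0 Then
        s = Mid(s, pos + 3)
        pos = InStr(s, "/")
        If pos > 0 Then
            s = Mid(s, pos + 1)
        Else
            s = ""
        End If
    End If

    ' Convert / to \ in paths (every occurrence, not just the first two)
    s = Trim(Replace(s, "/", "\"))

    ' Strip trailing "\"
    Do While Len(s) > 0 And Right(s, 1) = "\"
        s = Left(s, Len(s) - 1)
    Loop

    UrlToSharePath = s
End Function

'========================================================================================================
' Recursedir: walks the subfolders of strPath, applying the Target policy to each one.
' The exception list is keyed on the FIRST path component below the share (e.g. "companya" for
' \\server\e$\webcontent\companya\docs). Directories whose name starts with "_" (FrontPage
' directories) are neither ACL'd nor entered.
'   CompanyA : listed directories are exempt; everything else gets the deny ACE and is recursed
'   life / CompanyB : only listed directories are secured and recursed; everything else is skipped
'========================================================================================================
Function Recursedir(strPath)
    On Error Resume Next
    Dim folder, child, childPath, relPath, BaseDir, Position, descend, isFrontPage

    ' Get our root folder; a share we cannot open is logged rather than silently producing no work
    Set folder = wshFile.GetFolder(strPath)
    If Err.Number <> 0 Then
        Screenout "Cannot open " & strPath & ": " & Err.Description
        Err.Clear
        Exit Function
    End If

    ' Get subdirectories, and recurse
    For Each child In folder.SubFolders
        childPath = LCase(child.Path)

        ' Reduce "\\server\e$\webcontent\dir\sub" to "dir\sub" to match the dictionary format;
        ' a path without "$\" is used whole
        relPath = childPath
        Position = InStr(childPath, "$\")
        If Position > 0 Then
            relPath = Mid(childPath, Position + 2)
            Position = InStr(relPath, "\")
            If Position > 0 Then relPath = Mid(relPath, Position + 1)
        End If
        relPath = Trim(relPath)

        ' Grab our base directory - the exempt list holds first path components only
        Position = InStr(relPath, "\")
        If Position > 0 Then
            BaseDir = Left(relPath, Position - 1)
        Else
            BaseDir = relPath
        End If

        isFrontPage = (InStr(childPath, "\_") > 0)

        If objDictionary.Exists(BaseDir) Then
            ' The directory IS in our list
            Select Case Target
                Case LCase("life"), LCase("CompanyB")
                    ' Secure the directory, skip FrontPage directories
                    If isFrontPage Then
                        WScript.Echo "Skipping FrontPage dir " & relPath
                    Else
                        FixACL childPath
                        FixFiles childPath
                    End If
                    descend = True
                Case LCase("CompanyA")
                    ' Target is CompanyA, so we DONT touch this directory or subdirectories
                    Screenout "Exempt directory, skipping \" & relPath & "\"
                    descend = False
                Case Else
                    Screenout "Unknown target " & Target & ", skipping \" & relPath & "\"
                    descend = False
            End Select
        Else
            ' The directory is NOT in our list
            If Target = LCase("CompanyA") Then
                ' Secure the directory for CompanyA, apply ACLs, recurse
                If isFrontPage Then
                    WScript.Echo "Skipping FrontPage dir \" & relPath
                Else
                    FixACL childPath
                    FixFiles childPath
                End If
                descend = True
            Else
                ' Target is Life or CompanyB, so we DONT touch this directory or subdirectories
                Screenout "Not a CompanyB directory, skipping \" & relPath & "\"
                descend = False
            End If
        End If

        ' Never descend into FrontPage directories
        If descend And Not isFrontPage Then Recursedir childPath
    Next
End Function

'========================================================================================================
' DenyGroup: returns the account that receives the deny/read ACEs. Servers whose name starts with
' "l" are treated as lab machines and use the LAB_MASTER group instead.
'========================================================================================================
Function DenyGroup()
    DenyGroup = "CompanyA_MASTER\IISLCODENY"
    If LCase(Left(strServer, 1)) = "l" Then DenyGroup = "LAB_MASTER\IISLCODENY"
End Function

'========================================================================================================
' AceExists: True when the xcacls listing for path contains pattern (findstr exit code 0).
' Any other exit code - pattern absent, or xcacls/findstr failing - is reported as False.
'========================================================================================================
Function AceExists(path, pattern)
    On Error Resume Next
    Dim rc
    rc = wshShell.Run("cmd /c ""xcacls """ & path & """ |findstr /c:""" & pattern & """", 0, True)
    If Err.Number <> 0 Then
        Screenout "WARNING: could not list ACLs on " & path & ": " & Err.Description
        Err.Clear
        rc = 1
    End If
    AceExists = (rc = 0)
End Function

'========================================================================================================
' ApplyAcl: runs "xcacls <path> /E <args>" hidden and synchronously and returns its exit code.
' A non-zero exit code, or a failure to launch cmd.exe at all, is logged together with the path so
' that an object which did not get the requested ACE is visible in the log file.
' NOTE(review): path is interpolated into a cmd.exe command line. The quotes cover spaces, but cmd
' still expands %VAR% sequences, which NTFS names may contain - run only against trusted content trees.
'========================================================================================================
Function ApplyAcl(path, args)
    On Error Resume Next
    Dim rc
    rc = wshShell.Run("cmd /c xcacls """ & path & """ /E " & args, 0, True)
    If Err.Number <> 0 Then
        Screenout "WARNING: could not run xcacls on " & path & ": " & Err.Description
        Err.Clear
        rc = -1
    ElseIf rc <> 0 Then
        Screenout "WARNING: xcacls exit code " & rc & " applying " & args & " on " & path
    End If
    ApplyAcl = rc
End Function

'========================================================================================================
' SecureObject: applies the Target policy to one directory or file.
'   CompanyA / CompanyB : add a DENY ACE for DenyGroup()
'   life                : where "NT AUTHORITY\Authenticated Users" or "Everyone" appears in the ACL,
'                         remove that entry and grant DenyGroup() read access instead
'   anything else       : logged, no change made
'========================================================================================================
Sub SecureObject(path)
    On Error Resume Next
    Dim group
    group = DenyGroup()

    Select Case Target
        Case LCase("CompanyA"), LCase("CompanyB")
            Screenout "Adding DENY ACL to " & path
            ApplyAcl path, "/D " & group
        Case LCase("life")
            WScript.Echo "Checking " & path
            ' IF Authenticated Users exists, replace with IISLCODENY
            If AceExists(path, "NT AUTHORITY\Authenticated Users") Then
                Screenout "Replacing Authenticated Users with " & group & " on " & path
                ApplyAcl path, "/R ""NT AUTHORITY\Authenticated Users"""
                ApplyAcl path, "/G " & group & ":R"
            End If
            ' IF Everyone exists, replace with IISLCODENY
            If AceExists(path, "Everyone") Then
                Screenout "Found Everyone on " & path
                ApplyAcl path, "/R ""Everyone"""
                ApplyAcl path, "/G " & group & ":R"
            End If
        Case Else
            Screenout "Unknown target " & Target & ", no ACL applied to " & path
    End Select
End Sub

'========================================================================================================
' FixACL: applies the Target policy to the directory subdir itself.
'========================================================================================================
Function FixACL(subdir)
    On Error Resume Next
    SecureObject subdir
End Function

'========================================================================================================
' FixFiles: applies the Target policy to every file directly inside subdir (not to subdirectories;
' Recursedir handles those). A directory that cannot be opened is logged and skipped.
'========================================================================================================
Function FixFiles(subdir)
    On Error Resume Next
    Dim subFolder, strFile

    Set subFolder = wshFile.GetFolder(subdir)
    If Err.Number <> 0 Then
        Screenout "Cannot open " & subdir & ": " & Err.Description
        Err.Clear
        Exit Function
    End If

    For Each strFile In subFolder.Files
        SecureObject strFile.Path
    Next
End Function

'========================================================================================================
' Screenout: echoes text to the console and appends it to strOutputFile, creating the file on first
' use. Logging is best-effort: a failure to write the log is swallowed so the ACL run continues.
'========================================================================================================
Function Screenout(text)
    On Error Resume Next
    Dim logFile

    WScript.Echo text

    If wshFile.FileExists(strOutputFile) Then
        Set logFile = wshFile.OpenTextFile(strOutputFile, 8)   ' 8 = ForAppending
    Else
        Set logFile = wshFile.CreateTextFile(strOutputFile, True)
    End If
    logFile.WriteLine text
    logFile.Close
    WScript.DisconnectObject logFile
    Set logFile = Nothing

    If Err.Number <> 0 Then Err.Clear
End Function

'========================================================================================================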
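'========================================================================================================
' Get_Disks: chooses the administrative share to walk on strServer and stores it in the global Drive.
' Queries Win32_LogicalDisk over WMI for local fixed disks; if any drive letter contains "E"
' Drive becomes "E$\", otherwise "C$\". There is no local error handler, so a failed WMI call
' abandons the procedure and leaves Drive unset for the caller to default.
' NOTE(review): the WMI connection runs as the invoking user with impersonation; presumably it needs
' administrative rights on strServer - confirm before running against remote hosts.
'========================================================================================================
Function Get_Disks
    Dim wmi, objDisk, inst, letters

    letters = ""
    Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer)
    Set objDisk = wmi.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE Description = 'Local Fixed Disk'")
    For Each inst In objDisk
        letters = inst.DeviceID & letters
    Next

    If InStr(1, letters, "E", vbTextCompare) Then
        Drive = "E$\"
    Else
        Drive = "C$\"
    End If
End Function

'========================================================================================================
' VerifyCscript: called when the script was launched by wscript.exe instead of cscript.exe.
' Warns the user with a message box, sets cscript as the default WSH host ("wscript //h:cscript //s")
' and quits; the user must re-run the script. This changes the default host for every .vbs launched
' afterwards, not just this script - confirm the scope (user vs machine) is acceptable before deploying.
'========================================================================================================
Function VerifyCscript()
    Dim rc
    rc = MsgBox("The script is changing your default output of Windows Scripting Host to the command prompt." & _
        vbCrLf & "This is pop up is normal, just re-run the script after the third pop-up.", 0, "WSH default changed to cscript.")
    rc = wshShell.Run("cmd /c ""wscript //h:cscript //nologo //s 1>nul 2>nul""", 0, True)
    WScript.Quit
End Function

'========================================================================================================
'========================================================================================================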