Check Access to Databases, Sensitive Documents

April is Records and Information Management Month, and we at JTM Technology use this time to remind our clients to be proactive with their information security. In other words, we are making sure our clients' security belt and suspenders are still fitting tightly. In this article, we'll look at a few tools you can use to check user and group access to databases and documents sensitive to your business.


by Jeff McHugh

Use PowerShell to Get Your Answers

You can piece together a couple of PowerShell cmdlets to get important security information. We'll look specifically at two right now.

Get-ADComputer and Get-ADUser cmdlets

For users' status:

Get-ADUser -Filter * | Select Name, Enabled

For computers' status:

Get-ADComputer -Filter * | Select Name, Enabled

These commands list the name and enabled status of every user and computer account in the domain.

The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. Here are some examples:

Example 1: Get all of the users in a container

PS C:\> Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"

This command gets all users in the container OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM.

Example 2: Get a filtered list of users

PS C:\> Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A

Name             SamAccountName
----             --------------
SQL01 SvcAccount SQL01
SQL02 SvcAccount SQL02
IIS01 SvcAccount IIS01

This command gets all users that have a name that ends with SvcAccount.

Example 3: Get all of the properties for a specified user

PS C:\> Get-ADUser -Identity ChewDavid -Properties *

Surname           : David
Name              : Chew David
UserPrincipalName :
GivenName         : David
Enabled           : False
SamAccountName    : ChewDavid
ObjectClass       : user
SID               : S-1-5-21-2889043008-4136710315-2444824263-3544
ObjectGUID        : e1418d64-096c-4cb0-b903-ebb66562d99d
DistinguishedName : CN=Chew David,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

This command gets all of the properties of the user with the SAM account name ChewDavid.

For more information on this, please visit:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser?view=windowsserver2019-ps

The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

The Identity parameter specifies the Active Directory computer to retrieve. You can identify a computer by its distinguished name, GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a computer object variable, such as $ or pass a computer object through the pipeline to the Identity parameter.

A very useful way to use this cmdlet is the following:

Get-ADComputer -Filter {(Enabled -eq $False)} -ResultPageSize 1000 -ResultSetSize $null -Properties Name, OperatingSystem

The important part here is -Filter {(Enabled -eq $False)}, which selects only the accounts whose Enabled property is set to false, in other words the disabled accounts. Run this and confirm that every account that SHOULD BE disabled actually appears in the list.

More information on this very powerful cmdlet can be found here: https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adcomputer?view=windowsserver2019-ps
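The commands above answer "which accounts are disabled?"; the complementary question for an access review is "which accounts are still enabled but no longer used?" The following script is an added example, not code from the article or from Microsoft, that builds on the same Get-ADUser and Get-ADComputer cmdlets to list enabled user and computer accounts that have not authenticated within a threshold. It assumes the RSAT ActiveDirectory module is installed; the 90-day threshold and the function name Get-StaleEnabledAccount are this example's own choices.

```powershell
# Added example (not from the article): enabled accounts that have gone
# quiet, as review candidates for disabling. Assumes the RSAT ActiveDirectory
# module; the 90-day default is an assumption, set it to your own policy.
Import-Module ActiveDirectory

function Get-StaleEnabledAccount {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = $null   # e.g. "OU=UserAccounts,DC=FABRIKAM,DC=COM"
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Same parameters for both cmdlets; only enabled accounts are of interest.
    # Note: LastLogonDate comes from the replicated lastLogonTimestamp attribute
    # and may lag the real last logon by up to about two weeks, so treat the
    # result as a review list, not as proof an account is unused.
    $common = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'LastLogonDate', 'WhenCreated'
    }
    if ($SearchBase) { $common['SearchBase'] = $SearchBase }

    $users     = Get-ADUser @common |
        Add-Member -NotePropertyName Kind -NotePropertyValue 'User' -PassThru
    $computers = Get-ADComputer @common |
        Add-Member -NotePropertyName Kind -NotePropertyValue 'Computer' -PassThru

    foreach ($acct in @($users) + @($computers)) {
        $last = $acct.LastLogonDate
        # An account that has never logged on is stale once it is older than the cutoff
        $stale = if ($null -eq $last) { $acct.WhenCreated -lt $cutoff } else { $last -lt $cutoff }
        if ($stale) {
            [pscustomobject]@{
                Kind              = $acct.Kind
                Name              = $acct.Name
                SamAccountName    = $acct.SamAccountName
                LastLogonDate     = $last
                WhenCreated       = $acct.WhenCreated
                DistinguishedName = $acct.DistinguishedName
            }
        }
    }
}

# Review the list first; disable (Disable-ADAccount) only what should no longer have access.
Get-StaleEnabledAccount -InactiveDays 90 | Sort-Object LastLogonDate | Format-Table -AutoSize
```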

SQL Server Stored Procedure

sp_revokelogin

This stored procedure removes the login entries from SQL Server for a Windows user or group created by using CREATE LOGIN, sp_grantlogin, or sp_denylogin. If, during your audit, you cannot confirm that a login still needs access, or you consider the login a security risk, run this stored procedure to remove it.

Here's an example of its use:

EXEC sp_revokelogin 'Corporate\MollyA';

Stay tuned for more tips on keeping your information secure. Call JTM Technology at 855-JTM-TECH for more information.