Welcome to ISAserver.org
User Access Check tool - 30.Apr.2008 11:48:55 AM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
Here is a tool to help determine what access specific users have over the ISA proxy. http://sync-io.net/ISAAccessChk.aspx Comments are welcome.

RE: User Access Check tool - 30.Apr.2008 12:37:39 PM
elmajdal
Posts: 4793
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Looks pretty cool! I ran it on the local host machine and it ran perfectly. But I tried to run it from a member machine (not the local host) and I got this error #: 80040154

Also as a feature request:
- How about if we can export the results to Excel or any other format?
- Be able to run the query for groups and not only users.
< Message edited by elmajdal -- 30.Apr.2008 1:33:35 PM >
_____________________________
Tarek Majdalani MVP -- ISA Firewalls Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: User Access Check tool - 30.Apr.2008 3:12:19 PM
elmajdal
Posts: 4793
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Hi fixitchris,

quote:
You need to install the ISA Server Manager on each PC running Access Check utility.

Mmmm, I got it, thanks.

quote:
1. I am planning to export to Excel or CSV. First, I want to determine whether I should show any other info.

Can you separate the policies with the ALL Users condition from the authenticated policies? For example, I have a rule for my DC: allow > Protocols > from DC Computer Set > to External > ALL Users. This rule is for NTP, and it is not actually for the user I ran the query for. But it is shown in the report because of the condition ALL Users. So, for the report to be more readable, separate the authenticated and the anonymous access rules. Another example: I have a rule for my WSUS server. Allow > protocols > From WSUS Server > To Windows Update Servers > ALL Users. Again the rule is shown for the user. I hope I made my point clear.
_____________________________
Tarek Majdalani MVP -- ISA Firewalls Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: User Access Check tool - 30.Apr.2008 3:23:41 PM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
Update:
1. Windows Group Filter added (does not match on groups within groups).
2. Optional 'Include All Users Userset' condition.
3. Automatic domain name retrieval via WMI (initial startup might be 2 seconds slower).
4. Fixes to matching users to appropriate policies.

http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip

Separating the All Users condition is a good idea. I will treat it as anonymous access since if JoeSmith logged on to your DC, he would have elevated access for the NTP protocol. Am I correct in assuming that?

Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report? http://msdn.microsoft.com/en-us/library/ms812840.aspx
< Message edited by fixitchris -- 30.Apr.2008 4:17:02 PM >
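
The separation discussed in the posts above (rules that match a user or group versus rules that only carry the All Users condition), as an added example that is not part of the thread or the tool's code. The rule model, group names and sample policy are constructed, and nested groups are expanded here, which the posted update says the tool does not do.

```python
# Added illustration: the rule model, group data and names below are constructed,
# not read from ISA Server and not taken from the tool discussed in the thread.
from collections import namedtuple

Rule = namedtuple("Rule", "name action enabled source user_sets")

ALL_USERS = "All Users"  # rules with this user set apply without authentication

# Constructed sample directory: group -> direct members (users or other groups).
GROUPS = {
    "Internet Users": {"Sales", "bob"},
    "Sales": {"joesmith"},
    "Admins": {"alice"},
}

# Constructed sample policy, modelled on the rules described in the thread.
RULES = [
    Rule("NTP from DC", "allow", True, "DC Computer Set", {ALL_USERS}),
    Rule("WSUS updates", "allow", True, "WSUS Server", {ALL_USERS}),
    Rule("Web access", "allow", True, "Internal", {"Internet Users"}),
    Rule("Block webmail", "deny", True, "Internal", {"Sales"}),
    Rule("Old FTP rule", "allow", False, "Internal", {"joesmith"}),
    Rule("Admin RDP", "allow", True, "Internal", {"Admins"}),
]

def principals_for(user, groups):
    """Return the user plus every group reached directly or through nesting."""
    found, changed = {user}, True
    while changed:  # fixed-point loop, so cyclic nesting cannot recurse forever
        changed = False
        for group, members in groups.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def access_report(user, rules, groups):
    """Bucket rule names the way the thread proposes: All Users rules kept apart."""
    who = principals_for(user, groups)
    report = {"authenticated": [], "all_users": [], "denied": [], "disabled": []}
    for rule in rules:
        by_identity = bool(rule.user_sets & who)
        if not by_identity and ALL_USERS not in rule.user_sets:
            continue  # rule does not apply to this user at all
        if not rule.enabled:
            report["disabled"].append(rule.name)
        elif rule.action == "deny":
            report["denied"].append(rule.name)
        elif by_identity:
            report["authenticated"].append(rule.name)
        else:  # reachable by anyone at the rule's source, so report the source too
            report["all_users"].append((rule.name, rule.source))
    return report
```

Keeping the source alongside each All Users rule shows that such a rule is scoped by where the traffic comes from rather than by who is logged on.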

RE: User Access Check tool - 30.Apr.2008 4:26:04 PM
elmajdal
Posts: 4793
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Thanks for the updates. By the way, why are you not reporting Deny rules?

quote:
Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report? http://msdn.microsoft.com/en-us/library/ms812840.aspx

Would this require more time to collect? Would it affect ISA Server performance, services? Maybe if you want to implement it, have this option in a checkbox, as you have done with ALL Users, or maybe have a separate tab for it.
_____________________________
Tarek Majdalani MVP -- ISA Firewalls Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: User Access Check tool - 30.Apr.2008 5:25:56 PM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
I am excluding DENY rules because I have a domain set with over 40000 domain names that I am denying. I will include an option to also show deny rules. I will slowly implement reporting of Protocols and Content Types.

RE: User Access Check tool - 1.May2008 4:43:51 AM
ITEngineer
Posts: 253
Joined: 3.Feb.2006
Status: offline
Hello. I have more than 3000 users in AD, how about if you put on the left side the OUs inside AD, which we can expand and select the user or group inside that OU.

RE: User Access Check tool - 1.May2008 9:26:40 AM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
I will change over the AD object list to a treeview format like in ADUC mmc.

RE: User Access Check tool - 1.May2008 12:15:49 PM
ITEngineer
Posts: 253
Joined: 3.Feb.2006
Status: offline
Hi, a print button would also be a nice feature to add.

RE: User Access Check tool - 1.May2008 12:28:39 PM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
Print or export will be coming. I'm still figuring out what output to collect. ITENG: double click an OU to reveal users and groups.
< Message edited by fixitchris -- 1.May2008 12:32:30 PM >

RE: User Access Check tool - 2.May2008 4:25:49 AM
ITEngineer
Posts: 253
Joined: 3.Feb.2006
Status: offline
Hello again, are you willing to develop other free add-ons for ISA Server? Do you already have other ideas?

RE: User Access Check tool - 2.May2008 8:31:23 AM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
Of course I can develop more software. Did you check out my MalwareDomains.com Import Tool? http://sync-io.net/MD2ISA.aspx Actually I was thinking of writing an IDS plug-in to ISA, but Snort3.0 is coming out at the end of the year and it would be pointless for me to compete with that. Also an asp.net web page based on the Access Check Tool would be nice so that each domain user can check their own Internet access without having to ask the admin for a list of allowed domains.

RE: User Access Check tool - 2.May2008 5:23:51 PM
elmajdal
Posts: 4793
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
Hi, but what if we don't want to have an output file with every query? I just want to run a query and go on. Let there be a button for exporting the results. If I want the results to be written to a file, I would click the export or generate report button.
_____________________________
Tarek Majdalani MVP -- ISA Firewalls Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8

RE: User Access Check tool - 2.May2008 10:51:34 PM
fixitchris
Posts: 93
Joined: 23.May2007
Status: offline
The export does not take up any more time, it is interwoven with displaying the results. Why do you not want the CSV to be exported? How about a checkbox that you can check off for export before you run the query? I think that should be sufficient, otherwise I would have to create a separate thread for Allowed, Denied, and Disabled tabs so that the process of displaying thousands of records on the screen would be transparent to the user.

chris