User Access Check tool (Full Version)



fixitchris -> User Access Check tool (30.Apr.2008 11:48:55 AM)

Here is a tool to help determine what access specific users have over the ISA proxy.

http://sync-io.net/ISAAccessChk.aspx


Comments are welcome.




elmajdal -> RE: User Access Check tool (30.Apr.2008 12:37:39 PM)

Looks pretty cool!

I ran it on the local host machine and it ran perfectly.

But I tried to run it from a member machine (not the local host) and I got this error #: 80040154

Also as a feature request:
  1. How about if we could export the results to Excel or any other format?
  2. Be able to run the query for groups and not only users.




tshinder -> RE: User Access Check tool (30.Apr.2008 1:35:06 PM)

Hi Tarek,

Thanks for the heads up!

Tom




fixitchris -> RE: User Access Check tool (30.Apr.2008 2:38:42 PM)

Tarek,

You need to install the ISA Server Manager on each PC running Access Check utility.
[image]http://sync-io.net/Images/ISA_UserAccessChk_comerr.JPG[/image]

1.   I am planning to export to Excel or CSV.  First, I want to determine whether I should show any other info.

2.   Querying on Windows security groups will be added shortly.

Thanks for the comments.




elmajdal -> RE: User Access Check tool (30.Apr.2008 3:12:19 PM)

Hi fixitchris,

quote:

  You need to install the ISA Server Manager on each PC running Access Check utility.


Mmmm, I got it, thanks.

quote:

1.   I am planning to export to Excel or CSV.  First, I want to determine whether I should show any other info. 


Can you separate the policies with the ALL Users condition from the authenticated policies?

For example, I have a rule for my DC: Allow > Protocols > From DC Computer Set > To External > ALL Users

This rule is for NTP, and it is not actually for the user I ran the query for. But it is shown in the report because of the condition ALL Users.

So, for the report to be more readable, separate the authenticated and the anonymous access rules.


Another example: I have a rule for my WSUS server.

Allow > Protocols > From WSUS Server > To Windows Update Servers > ALL Users.

Again, the rule is shown for the user.

I hope I made my point clear on this.




fixitchris -> RE: User Access Check tool (30.Apr.2008 3:23:41 PM)

Update:
1.  Windows Group Filter Added (does not match on groups within groups),
2.  Optional 'Include All Users Userset' condition,
3.  Automatic domain name retrieval via WMI (initial startup might be 2 seconds slower)
4.  Fixes to matching users to appropriate policies.

http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip


Separating the All Users condition is a good idea.  I will treat it as anonymous access since if JoeSmith logged on to your DC, he would have elevated access for the NTP protocol.  Am I correct in assuming that?

Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report?
http://msdn.microsoft.com/en-us/library/ms812840.aspx




elmajdal -> RE: User Access Check tool (30.Apr.2008 4:26:04 PM)

Thanks for the updates.

By the way, why are you not reporting Deny rules?

quote:

Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report?
http://msdn.microsoft.com/en-us/library/ms812840.aspx


Would this require more time to collect? Would it affect ISA Server performance or services?

Maybe, if you want to implement it, have this option as a checkbox, as you have done with ALL Users, or maybe have a separate tab for it.




fixitchris -> RE: User Access Check tool (30.Apr.2008 5:25:56 PM)

I am excluding DENY rules because I have a domain set with over 40000 domain names that I am denying.  I will include an option to also show deny rules.

I will slowly implement reporting of Protocols and Content Types.




ITEngineer -> RE: User Access Check tool (1.May2008 4:43:51 AM)

Hello.

I have more than 3000 users in AD, how about if you put on the left side the OUs inside AD, which we can expand and select the user or group inside that OU.




fixitchris -> RE: User Access Check tool (1.May2008 9:26:40 AM)

I will change over the AD object list to a treeview format like in ADUC mmc.




fixitchris -> RE: User Access Check tool (1.May2008 12:14:55 PM)

Update:
http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip

Added OU navigation and separated Users and Groups.




ITEngineer -> RE: User Access Check tool (1.May2008 12:15:49 PM)

Hi,

A print button would also be a nice feature to add.




ITEngineer -> RE: User Access Check tool (1.May2008 12:19:38 PM)

quote:

ORIGINAL: fixitchris

Update:
http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip

Added OU navigation and separated Users and Groups.


Thank you for your quick updates [:)]




fixitchris -> RE: User Access Check tool (1.May2008 12:28:39 PM)

Print or export will be coming.  I'm still figuring out what output to collect.

ITENG: double click an OU to reveal users and groups.




fixitchris -> RE: User Access Check tool (1.May2008 4:32:37 PM)

UPDATE: http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip
 
Added Automatic reporting.

[image]http://sync-io.net/Images/ISAAccessChk1.jpg[/image]

Improvements to GUI and user/group NT Account & SID filtering.
[image]http://sync-io.net/Images/ISAAccessChk2.jpg[/image]




ITEngineer -> RE: User Access Check tool (2.May2008 4:25:49 AM)

Hello again, are you willing to develop other free add-ons for ISA Server?

Do you already have other ideas?




fixitchris -> RE: User Access Check tool (2.May2008 8:31:23 AM)

Of course I can develop more software. 
Did you check out my MalwareDomains.com Import Tool?
http://sync-io.net/MD2ISA.aspx

Actually I was thinking of writing an IDS plug-in for ISA, but Snort 3.0 is coming out at the end of the year and it would be pointless for me to compete with that.

Also, an ASP.NET web page based on the Access Check Tool would be nice so that each domain user can check their own Internet access without having to ask the admin for a list of allowed domains.






fixitchris -> RE: User Access Check tool (2.May2008 11:44:59 AM)

[:@] Looks like a storm knocked out my server.  File will be back later.
 
Updated: 

Includes separate tabs for Allowed, Denied, and Disabled rules.

I ran it with 42000 entries :
- querying data took 15-25 seconds,
- displaying data and writing a CSV file took 6 minutes,
- CSV file was 3.5MB.

When the # of entries reaches 5000, you will be asked whether or not you want to create the CSV and omit displaying the data.  Choose YES and the data will only be saved to the CSV. 




elmajdal -> RE: User Access Check tool (2.May2008 5:23:51 PM)

Hi,

But what if we don't want to have an output file with every query!!

I just want to run a query and go on. Let there be a button for exporting the results. If I want the results to be written to a file, I would click the export or generate report button.





fixitchris -> RE: User Access Check tool (2.May2008 10:51:34 PM)

The export does not take up any more time; it is interwoven with displaying the results.  Why do you not want the CSV to be exported?

How about a checkbox that you can check off for export before you run the query?

I think that should be sufficient, otherwise I would have to create a separate thread for Allowed, Denied, and Disabled tabs so that the process of displaying thousands of records on the screen would be transparent to the user.

chris



