User Access Check tool

User Access Check tool - 30.Apr.2008 11:48:55 AM   
fixitchris

 

Here is a tool to help determine what access specific users have over the ISA proxy.

http://sync-io.net/ISAAccessChk.aspx


Comments are welcome.
Post #: 1
RE: User Access Check tool - 30.Apr.2008 12:37:39 PM   
elmajdal

 

Looks pretty cool!

I ran it on the local host machine and it ran perfectly.

But I tried to run it from a member machine (not the local host) and I got this error #: 80040154

Also as a feature request:
  1. How about if we could export the results to Excel or any other format?
  2. Be able to run the query for groups and not only users.


< Message edited by elmajdal -- 30.Apr.2008 1:33:35 PM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to fixitchris)
Post #: 2
RE: User Access Check tool - 30.Apr.2008 1:35:06 PM   
tshinder

 

Hi Tarek,

Thanks for the heads up!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 3
RE: User Access Check tool - 30.Apr.2008 2:38:42 PM   
fixitchris

 

Tarek,

You need to install the ISA Server Manager on each PC running the Access Check utility.


1.   I am planning to export to Excel or CSV.  First, I want to determine whether I should show any other info.

2.   Querying on Windows security groups will be added shortly.

Thanks for the comments.

(in reply to elmajdal)
Post #: 4
RE: User Access Check tool - 30.Apr.2008 3:12:19 PM   
elmajdal

 

Hi fixitchris,

quote:

  You need to install the ISA Server Manager on each PC running the Access Check utility.


Mmmm, I got it, thanks.

quote:

1.   I am planning to export to Excel or CSV.  First, I want to determine whether I should show any other info. 


Can you separate the policies with the ALL Users condition from the authenticated policies?

For example, I have a rule for my DC: Allow > Protocols > From DC Computer Set > To External > ALL Users

This rule is for NTP, and it is not actually for the user I ran the query for. But it is shown in the report because of the condition ALL Users.

So, for the report to be more readable, separate the authenticated and the anonymous access rules.


Another example: I have a rule for my WSUS server.

Allow > Protocols > From WSUS Server > To Windows Update Servers > ALL Users.

Again, the rule is shown for the user.

I hope I made my point clear on this.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to fixitchris)
Post #: 5
RE: User Access Check tool - 30.Apr.2008 3:23:41 PM   
fixitchris

 

Update:
1.  Windows Group Filter Added (does not match on groups within groups),
2.  Optional 'Include All Users Userset' condition,
3.  Automatic domain name retrieval via WMI (initial startup might be 2 seconds slower)
4.  Fixes to matching users to appropriate policies.

http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip


Separating the All Users condition is a good idea.  I will treat it as anonymous access since if JoeSmith logged on to your DC, he would have elevated access for the NTP protocol.  Am I correct in assuming that?

Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report?
http://msdn.microsoft.com/en-us/library/ms812840.aspx

< Message edited by fixitchris -- 30.Apr.2008 4:17:02 PM >

(in reply to elmajdal)
Post #: 6
RE: User Access Check tool - 30.Apr.2008 4:26:04 PM   
elmajdal

 

Thanks for the updates.

By the way, why are you not reporting Deny rules?

quote:

Would it be overkill to include all properties of FPCAccessProperties such as protocols, content type in the report?
http://msdn.microsoft.com/en-us/library/ms812840.aspx


Would this require more time to collect? Would it affect ISA Server performance or services?

Maybe, if you want to implement it, have this option as a checkbox, as you have done with ALL Users, or maybe have a separate tab for it.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to fixitchris)
Post #: 7
RE: User Access Check tool - 30.Apr.2008 5:25:56 PM   
fixitchris

 

I am excluding DENY rules because I have a domain set with over 40000 domain names that I am denying.  I will include an option to also show deny rules.

I will slowly implement reporting of Protocols and Content Types.

(in reply to elmajdal)
Post #: 8
RE: User Access Check tool - 1.May2008 4:43:51 AM   
ITEngineer

 

Hello.

I have more than 3000 users in AD. How about putting the OUs inside AD on the left side, so that we can expand them and select the user or group inside that OU?

(in reply to fixitchris)
Post #: 9
RE: User Access Check tool - 1.May2008 9:26:40 AM   
fixitchris

 

I will change over the AD object list to a treeview format like in the ADUC MMC.

(in reply to ITEngineer)
Post #: 10
RE: User Access Check tool - 1.May2008 12:14:55 PM   
fixitchris

 

Update:
http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip

Added OU navigation and separated Users and Groups.

(in reply to ITEngineer)
Post #: 11
RE: User Access Check tool - 1.May2008 12:15:49 PM   
ITEngineer

 

Hi,

A print button would also be a nice feature to add.

(in reply to fixitchris)
Post #: 12
RE: User Access Check tool - 1.May2008 12:19:38 PM   
ITEngineer

 

quote:

ORIGINAL: fixitchris

Update:
http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip

Added OU navigation and separated Users and Groups.


Thank you for your quick updates.

(in reply to fixitchris)
Post #: 13
RE: User Access Check tool - 1.May2008 12:28:39 PM   
fixitchris

 

Print or export will be coming.  I'm still figuring out what output to collect.

ITENG: double click an OU to reveal users and groups.

< Message edited by fixitchris -- 1.May2008 12:32:30 PM >

(in reply to ITEngineer)
Post #: 14
RE: User Access Check tool - 1.May2008 4:32:37 PM   
fixitchris

 

UPDATE: http://www.sync-io.net/Files/ISA_UserAccessChk_Binary.zip
 
Added Automatic reporting.



Improvements to GUI and user/group NT Account & SID filtering.


(in reply to ITEngineer)
Post #: 15
RE: User Access Check tool - 2.May2008 4:25:49 AM   
ITEngineer

 

Hello again, are you willing to develop other free add-ons for ISA Server?

Do you already have other ideas?

(in reply to fixitchris)
Post #: 16
RE: User Access Check tool - 2.May2008 8:31:23 AM   
fixitchris

 

Of course I can develop more software. 
Did you check out my MalwareDomains.com Import Tool?
http://sync-io.net/MD2ISA.aspx

Actually, I was thinking of writing an IDS plug-in for ISA, but Snort 3.0 is coming out at the end of the year and it would be pointless for me to compete with that.

Also, an ASP.NET web page based on the Access Check Tool would be nice so that each domain user can check their own Internet access without having to ask the admin for a list of allowed domains.



(in reply to ITEngineer)
Post #: 17
RE: User Access Check tool - 2.May2008 11:44:59 AM   
fixitchris

 

 Looks like a storm knocked out my server.  File will be back later.
 
Updated: 

Includes separate tabs for Allowed, Denied, and Disabled rules.

I ran it with 42000 entries:
- querying data took 15-25 seconds,
- displaying data and writing a CSV file took 6 minutes,
- CSV file was 3.5MB.

When the # of entries reaches 5000, you will be asked whether or not you want to create the CSV and omit displaying the data.  Choose YES and the data will only be saved to the CSV. 

< Message edited by fixitchris -- 2.May2008 12:11:35 PM >

(in reply to fixitchris)
Post #: 18
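
The report split discussed in posts 5, 6 and 18 (rules matched only through ALL Users kept apart from rules that name the account or one of its groups, sorted into Allowed, Denied and Disabled), as an added Python example. It is not the tool's code and does not use the ISA COM API; the `Rule` fields, rule names and accounts are constructed, and rule ordering is not modelled.

```python
from dataclasses import dataclass

ALL_USERS = "All Users"  # built-in user set; matches any request, authenticated or not

@dataclass
class Rule:              # hypothetical shape, not an FPC object
    name: str
    action: str          # "Allow" or "Deny"
    enabled: bool
    source: str          # network object the rule applies from
    user_sets: dict      # user set name -> set of member accounts (users or groups)

def access_report(rules, user, direct_groups, include_all_users=True):
    """Bucket rules into Allowed/Denied/Disabled, keeping All Users (anonymous)
    matches apart from matches on the account or its direct groups."""
    principals = {user.lower()} | {g.lower() for g in direct_groups}  # no nested groups
    report = {tab: {"authenticated": [], "anonymous": []}
              for tab in ("Allowed", "Denied", "Disabled")}
    for rule in rules:
        named = any(principals & {m.lower() for m in members}
                    for name, members in rule.user_sets.items() if name != ALL_USERS)
        if named:
            kind = "authenticated"
        elif ALL_USERS in rule.user_sets and include_all_users:
            kind = "anonymous"   # applies to whoever sits at rule.source
        else:
            continue
        tab = "Disabled" if not rule.enabled else (
            "Allowed" if rule.action == "Allow" else "Denied")
        report[tab][kind].append(f"{rule.name} (from {rule.source})")
    return report

# Constructed sample policy; every name below is made up for the example.
RULES = [
    Rule("NTP from DC", "Allow", True, "DC Computer Set", {ALL_USERS: set()}),
    Rule("WSUS updates", "Allow", True, "WSUS Server", {ALL_USERS: set()}),
    Rule("Web access", "Allow", True, "Internal", {"Web Users": {r"CORP\Internet Users"}}),
    Rule("Block domains", "Deny", True, "Internal", {"Web Users": {r"CORP\JoeSmith"}}),
    Rule("Old FTP", "Allow", False, "Internal", {"FTP Users": {r"CORP\JoeSmith"}}),
    Rule("Admin RDP", "Allow", True, "Internal", {"Admins": {r"CORP\Domain Admins"}}),
]

if __name__ == "__main__":
    rep = access_report(RULES, r"CORP\JoeSmith", [r"CORP\Internet Users"])
    for tab, kinds in rep.items():
        print(tab, kinds)
```

Printing the source next to each anonymous match keeps it visible that the NTP and WSUS rules follow the machine, not the queried account.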
RE: User Access Check tool - 2.May2008 5:23:51 PM   
elmajdal

 

Hi,

But what if we don't want to have an output file with every query!!

I just want to run a query and go on. Let there be a button for exporting the results. If I want the results to be written to a file, I would click the export or generate report button.



_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to fixitchris)
Post #: 19
RE: User Access Check tool - 2.May2008 10:51:34 PM   
fixitchris

 

The export does not take up any more time; it is interwoven with displaying the results.  Why do you not want the CSV to be exported?

How about a checkbox that you can check off for export before you run the query?

I think that should be sufficient, otherwise I would have to create a separate thread for Allowed, Denied, and Disabled tabs so that the process of displaying thousands of records on the screen would be transparent to the user.

chris

(in reply to elmajdal)
Post #: 20
