Utility Spotlight: Secure Access, Secure Your Systems
The free AccessChk utility can you help ensure your desktop systems are as secure as possible by cross-referencing access rights.
Securing client desktop systems and servers is a priority in any organization. It can also be a complex task requiring multiple tools and tactics. You now have another arrow in your security quiver—a handy Microsoft utility called AccessChk, created by the renowned Windows Sysinternals developer Mark Russinovich.
AccessChk can tell you what permissions specific users and groups hold for different files, folders, Registry keys, Windows services and other objects. It’s a useful way to determine whether you need to tighten or restrict access to any of those items to ensure that a local desktop or server environment is as secure as possible.
Download AccessChk from its page at the Sysinternals site. You’ll also find a brief description and overview of the utility. Extract the downloaded accesschk.zip file to unload two files—accesschk.exe, the file you need to run the utility; and eula.txt, the license agreement.
Like all Sysinternals programs, you don’t need to install the program. AccessChk is a command-line utility, however, so you’ll need to open a command prompt to run the executable file. For ease of use, you’ll probably want to store the file in a folder that’s part of your path statement, such as Windows or Windows\System32.
Type accesschk at the command line by itself or with a /? option to display all the variables available to the tool. Here are some of the basic ways you can use the command:
- By folder: Type accesschk followed by a folder name to display the access privileges for all user groups for that specific folder and its subfolders. For example, accesschk c:\windows shows you the access for the Windows folder and all subfolders (see Figure 1).
- By Registry Key: Add the –k option followed by the name of a Registry key to display who has access to that particular key. For example, accesschk -k HKLM\software shows you all permissions for the Software key under HKEY_LOCAL_MACHINE.
- By Windows service: Add the –c option followed by the name of a Windows service to display the list of users with access to that service. For example, accesschk –cnetlogon shows the privileges for the Netlogon service.
- By user group: Type accesschk followed by a specific user group and the name of a folder to see the permission levels for that group for all objects in the specified folder. For example, accesschk users c:\windows shows you the access levels for all members of the “users” group for the Windows folder and its subfolders.
- By user: Type accesscheck followed by a specific username to display the permissions for that user. For example, accesschk administrator c:\windows shows the permissions for the administrator’s account for the Windows folder, while accesschk administrator -k HKLM\Software shows the access for the admin account to the software key under HKEY_LOCAL_MACHINE.
Figure 1 Accesschk can show you who has access to any particular file or folder.
You can also use the * symbol with some of these commands to display access for all items, instead of just specific ones. For example, accesschk * shows access for all objects in the current folder for all users, while accesschk –c * shows access for all Windows services.
You can also use the –s option to show recursive permissions for the specific folder and all subfolders and files, or the specific Registry key and all keys beneath it. For example,accesschk –s c:\ displays permissions for the entire C: drive, while accesschk –s –k HKLM displays the access for all keys under HKEY_LOCAL_MACHINE.
These variations are just some of the basics available in AccessChk. The tool is capable of displaying even more information. You can find a full list at the Sysinternals page or by typing accesschkat the command prompt and experimenting with different options. AccessChk will display the name of the item you specified and its permissions. There will be an R in front of the item if the account has read access, W if it has write access and nothing if has no permissions.
Ideally, you should run this tool on all your desktop systems. Instead of using the sneakernet approach, you can include the command and the necessary options in a login script or other automated process to run on each PC.
To record the access results for all your networked PCs in individual text files, simply pipe the output to a text file that contains the computer name. For example, accesschk c:\windows >\\winserver\files\%computername%.txt pipes the results for each individual PC to a text file with the name of the computer and stores that text file in a share called files on a server named winserver.
As a command-line utility, AccessChk can sometimes be tricky to run, especially if you need to combine or define permissions for specific objects or include several options all at once. Still, it’s a powerful tool capable of showing your access levels on a very granular level. This information is extremely helpful in setting the appropriate access levels and making sure your environment is as safe and secure as possible.
Lance Whitney is a writer, IT consultant and software trainer. He’s spent countless hours tweaking Windows workstations and servers. Originally a journalist, he took a blind leap into the IT world in the early ’90s.