SubInACL: Download and Deployment
Managing security is probably the number-one headache for Windows administrators. Between the file system, registry, and services, IT Pros have their hands full managing access control, especially if they want to script from the command line. There are certainly a number of command line tools to manage these different areas, but because I’m an old-school kind of guy, I tend to fall back to an old resource kit tool: SubInACL, or subinacl.exe, the veritable Swiss Army knife when it comes to managing permissions.
SubInACL: Download, Limitations, and Requirements
Because it’s not part of the operating system, you will first need to download the subinacl.exe tool. The download is an MSI file which installs by default to C:\Program Files (x86)\Windows Resource Kits\Tools\. The tool is a single file that you can move to C:\Windows\System32 so that you always have access to it.
C:\Program Files (x86)\Windows Resource Kits\Tools>move subinacl.exe c:\windows\system32
Note: I need to point out that, officially, subinacl.exe is not supported on anything later than Windows Server 2003. But in my experience, I’ve never had a problem running it on newer operating systems. Still, I strongly recommend testing in a non-production environment first, and you should understand that Microsoft may not be able to help you if you run into problems.
To use subinacl.exe, the assumption is that you have administrator credentials. If you are delegating administration using subinacl.exe, you will need to make sure the account has the following privileges:
- SeBackupPrivilege (Back Up Files and Directories)
- SeChangeNotifyPrivilege (Bypass Traverse Checking)
- SeRestorePrivilege (Restore Files and Directories)
- SeSecurityPrivilege (Manage Auditing and Security Log)
- SeTakeOwnershipPrivilege (Take Ownership of Files or Other Objects)
- SeTcbPrivilege (Act As Part of the Operating System)
Getting Help in SubInACL
I won’t sugar coat it: Subinacl.exe is a very complex tool. But fortunately the command help is thorough. One way to access the help is to open the subinacl.htm file (C:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.htm) that should also have been installed. I encourage you to take the time to read it.
From the command prompt you can get help directly from the tool.
C:\> subinacl /help
C:\>subinacl /help syntax
C:\>subinacl /help /testmode
C:\>subinacl /help /keyreg
C:\>subinacl /help /display
Or to see really complete help run this:
C:\>subinacl /help /full
To use SubInACL, there are three components to a command. I’ll go over each one.
SubInACL /Option <options> /object <object> /action
The default option is simply to display what the command terms “statistic” in verbose mode. The statistic is how long it took the command to run. After running a command you’ll see something like this:
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 0, Syntax errors 0
Last Done : \\serenity\work
If you don’t need this you can turn it off with /nostatistic. You may also want to turn off verbose mode (/noverbose) or direct output to a text file (/outputlog=mylog.txt).
Subinacl.exe can be used against a number of different object types such as files, shares, printers, registry items, and directories. Generally, you need to specify the type of object followed by a path to that object.
C:\>subinacl /noverbose /nostatistic /file c:\work
C:\>subinacl /share Work
Finally, as the name implies, the action is what you want to do with or to the object. The default action is to display the current permissions, which you can see in the screenshots above. But you might want to grant, modify, or remove permissions. SubInACL has its roots in the days when domain migrations presented challenges in transferring permissions. Perhaps you still run into that issue. If so, then subinacl.exe might be the right tool.
Let’s look at a sample usage. I have a share WORK where currently the Everyone group has READ access. I want to give the group CHANGE permission to the share. First, I can test my change.
C:\>subinacl /share Work /grant=Everyone=C /testmode
Work : delete Perm. ACE 0 \everyone
Work : new ace for \everyone
Work (TestMode) : 2 change(s)
Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : Work
This shows me that subinacl.exe wants to delete a permission and then apply a new one. The /testmode switch is like -WhatIf in PowerShell. Now to make the change for real, and I’ll have SubInACL ask me for confirmation.
C:\>subinacl /share Work /grant=Everyone=C /confirm
Work : delete Perm. ACE 0 \everyone
Work : new ace for \everyone
009044A8 : Continue (Yes,No) ?yes
Work : 2 change(s)
Elapsed Time: 00 00:00:13
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : Work
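For scripted changes, the same test-then-apply sequence can be enforced in PowerShell. This is an added example, not code from the original article: it runs the change with /testmode, parses the statistic line shown earlier, and applies the change only when the dry run reports no failures or syntax errors. The function names and the log file name are hypothetical, and the line breaks in the sample output are assumed.

```powershell
# Added example; function names and the log file name are hypothetical.
function Get-SubInAclSummary {
    param([string[]]$Output)
    # Strip NULs defensively in case the captured text arrived as UTF-16.
    $text = ($Output -join "`n") -replace "`0", ''
    $m = [regex]::Match($text,
        'Done:\s*(\d+),\s*Modified\s*(\d+),\s*Failed\s*(\d+),\s*Syntax errors\s*(\d+)')
    if (-not $m.Success) { throw 'No statistic line found (was /nostatistic set?)' }
    # Lines such as "Work (TestMode) : 2 change(s)" count the pending ACE edits.
    $changes = 0
    foreach ($c in [regex]::Matches($text, '(\d+) change\(s\)')) { $changes += [int]$c.Groups[1].Value }
    [pscustomobject]@{
        Done         = [int]$m.Groups[1].Value
        Modified     = [int]$m.Groups[2].Value
        Failed       = [int]$m.Groups[3].Value
        SyntaxErrors = [int]$m.Groups[4].Value
        Changes      = $changes
    }
}

function Invoke-SubInAclChange {
    param([Parameter(Mandatory)][string[]]$Change,   # e.g. '/share','Work','/grant=Everyone=C'
          [string]$Log = 'subinacl-change.log')
    # 1. Dry run: the same command with /testmode appended, as in the article.
    $dry = Get-SubInAclSummary (& subinacl.exe @Change /testmode)
    if ($dry.Failed -gt 0 -or $dry.SyntaxErrors -gt 0) {
        throw "Dry run reported problems, nothing applied: $dry"
    }
    if ($dry.Changes -eq 0) { return $dry }          # nothing would change
    # 2. Real run; keep the tool's output as a record of what was modified.
    $out = & subinacl.exe @Change
    $out | Add-Content -Path $Log
    $real = Get-SubInAclSummary $out
    if ($real.Failed -gt 0 -or $real.Modified -ne $dry.Modified) {
        Write-Warning "Applied result differs from the dry run; review $Log"
    }
    $real
}

# Dry-run output copied from the article (line breaks assumed); runs without subinacl.exe.
$sample = @(
    'Work : delete Perm. ACE 0 \everyone'
    'Work : new ace for \everyone'
    'Work (TestMode) : 2 change(s)'
    'Elapsed Time: 00 00:00:00'
    'Done: 1, Modified 1, Failed 0, Syntax errors 0'
    'Last Done : Work'
)
Get-SubInAclSummary $sample
```

To apply the article's change through the wrapper, call `Invoke-SubInAclChange -Change '/share','Work','/grant=Everyone=C'` from an elevated prompt.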
SubInACL can appear a bit daunting at first. But with a little patience and testing you can quickly get the hang of it. Fortunately, PowerShell in Windows 8 and Windows Server 2012 offers new tools to handle complex tasks where we might have used subinacl.exe in the past. But, if you run into a complicated permission issue, especially one you are trying to automate, subinacl.exe might be just what you need.