Auditing SMB Shares with PowerShell

Audit local SMB shares with PowerShell by checking both Share and NTFS permissions against a list of high-risk security principals. The script logs compliance results as structured events in the Windows Event Log, making it easy to integrate with monitoring and SIEM solutions.


Misconfigured SMB shares are a common security risk. This script audits all local file shares, checks both Share and NTFS permissions, compares them against a list of predefined high-risk principals (such as Everyone, Authenticated Users, and Domain Users), and writes the compliance result directly to the Windows Event Log.

Script

# Audit-SharesAndPermissions.ps1
# Collects the local file shares and their share-level permissions and writes
# one compliance event per share to the Application log.
# Needs Windows PowerShell 5.1: Write-EventLog and New-EventLog are not part of
# PowerShell 7. The first run must be elevated so the event source can be registered.

try {
    $LogName = 'Application'
    $Source  = 'Windows Share Auditing'

    $EventNonCompliant = @{
        EventId   = 42000
        EntryType = "Warning"
        LogName   = $LogName
        Source    = $Source
    }

    $EventCompliant = @{
        EventId   = 42001
        EntryType = "Information"
        LogName   = $LogName
        Source    = $Source
    }

    # High-risk principals. Well-known SIDs are compared first because they are
    # identical on every system regardless of display language; the English and
    # German names are only a fallback for entries that cannot be resolved to a SID.
    $badSids = @(
        "S-1-1-0",        # Everyone / Jeder
        "S-1-5-2",        # NT AUTHORITY\NETWORK
        "S-1-5-4",        # NT AUTHORITY\INTERACTIVE
        "S-1-5-7",        # ANONYMOUS LOGON / Anonymes Anmelden
        "S-1-5-11",       # Authenticated Users / Authentifizierte Benutzer
        "S-1-5-32-545",   # BUILTIN\Users / Benutzer
        "S-1-5-32-546",   # BUILTIN\Guests / Gäste
        "S-1-5-32-554"    # BUILTIN\Pre-Windows 2000 Compatible Access
    )
    # Domain-relative RIDs: the domain part of the SID differs per domain, so these
    # are regular expressions tested with -match, not literals tested with -contains.
    $badSidPatterns = @(
        "^S-1-5-21-\d+-\d+-\d+-513$",   # Domain Users / Domänen-Benutzer
        "^S-1-5-21-\d+-\d+-\d+-501$"    # Guest / Gast
    )
    $badNames = @(
        "Everyone","Jeder",
        "Authenticated Users","Authentifizierte Benutzer",
        "Domain Users","Domänen-Benutzer",
        "Users","Benutzer",
        "Guest","Gast",
        "Guests","Gäste",
        "Pre-Windows 2000 Compatible Access",
        "ANONYMOUS LOGON","Anonymes Anmelden",
        "INTERACTIVE","NETWORK"
    )

    function Test-BadPrincipal {
        param([string]$AccountName)
        # Get-SmbShareAccess returns names such as "NT AUTHORITY\Authenticated Users"
        # or "BUILTIN\Users" (localized on non-English systems), or a raw SID when
        # the account cannot be resolved. Normalize to a SID before comparing.
        if ($AccountName -match '^S-1-\d+(-\d+)+$') {
            $sid = $AccountName
        }
        else {
            try {
                $sid = ([System.Security.Principal.NTAccount]$AccountName).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            }
            catch {
                $sid = $null   # orphaned account or untrusted domain
            }
        }
        if ($sid) {
            if ($badSids -contains $sid) { return $true }
            foreach ($pattern in $badSidPatterns) {
                if ($sid -match $pattern) { return $true }
            }
        }
        # Fallback: compare the bare name without the domain or authority prefix.
        return [bool]($badNames -contains $AccountName.Split('\')[-1])
    }

    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }

    $computer = $env:COMPUTERNAME
    $domain = (Get-CimInstance Win32_ComputerSystem).Domain
    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    $shares = Get-SmbShare | Where-Object {
        $_.ShareType -eq 'FileSystem' -and $_.Path
    }

    foreach ($share in $shares) {

        $sharePerms = Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [PSCustomObject]@{
                AccountName = $_.AccountName
                AccessRight = $_.AccessRight
                # Only Allow entries grant access; a Deny for Everyone is not a finding.
                IsBad       = ($_.AccessControlType -eq 'Allow') -and
                              (Test-BadPrincipal $_.AccountName)
            }
        }

        $isInsecure = $sharePerms.IsBad -contains $true

        # $event is an automatic variable in PowerShell, so the record gets its own name.
        $record = [PSCustomObject]@{
            Computername = "$computer.$domain"
            Domain       = $domain
            OS           = $os
            ShareName    = "\\$computer\$($share.Name)"
            SharePath    = $share.Path
            State        = if ($isInsecure) {
                "Compliance verification failed"
            }
            else {
                "Compliance check passed"
            }
        }

        if ($isInsecure) {
            Write-EventLog @EventNonCompliant -Message ($record | ConvertTo-Json)
        }
        else {
            Write-EventLog @EventCompliant -Message ($record | ConvertTo-Json)
        }
    }
}
catch {
    Write-Error $_
}

Note: The listing above is a shortened version for readability. The complete script additionally audits NTFS permissions, includes more robust error handling, and contains a more comprehensive list of well-known SIDs and localized account names.
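The shortened listing stops at the share ACL. The block below is an added example of the NTFS half of the check, written for this page and not taken from the complete script: it reads each share's DACL with Get-Acl, resolves every Allow ACE to a SID so that localized names such as "Jeder" or "Benutzer" do not matter, flags the same class of high-risk principals, and records whether the ACE carries write rights. The function and variable names (Get-NtfsFinding, Get-PrincipalSid, Test-BadSid, $BadSids) are this example's own.

```powershell
# Added example (not part of the original script): NTFS layer of the share audit.

# Well-known SIDs that should not appear in Allow ACEs on a share root.
$BadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-7',       # ANONYMOUS LOGON
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-32-546',  # BUILTIN\Guests
    'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access
)
# Domain-relative RID; the domain prefix varies, so this is matched as a regex.
$BadSidPatterns = @('^S-1-5-21-\d+-\d+-\d+-513$')   # <domain>\Domain Users

# Rights that allow changing content: the explicit Write bits (also contained in
# Modify and FullControl) plus the generic GENERIC_WRITE / GENERIC_ALL bits that
# appear in inheritable-only ACEs such as CREATOR OWNER entries.
$WriteBits    = [int][System.Security.AccessControl.FileSystemRights]::Write
$GenericWrite = 0x40000000
$GenericAll   = 0x10000000

function Get-PrincipalSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Get-Acl normally returns resolved NTAccount names; translate them back to
    # SIDs so the comparison is independent of language and domain prefix.
    if ($Identity -is [System.Security.Principal.SecurityIdentifier]) { return $Identity.Value }
    try   { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # orphaned SID or untrusted domain
}

function Test-BadSid {
    param([string]$Sid)
    if (-not $Sid) { return $false }
    if ($BadSids -contains $Sid) { return $true }
    foreach ($pattern in $BadSidPatterns) { if ($Sid -match $pattern) { return $true } }
    return $false
}

function Get-NtfsFinding {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ShareName
    )
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # Reading the DACL can fail (access denied, offline volume). Report that
        # explicitly instead of silently treating the share as compliant.
        return [PSCustomObject]@{
            ShareName = $ShareName; Path = $Path; Identity = $null; Sid = $null
            Rights = $null; CanWrite = $null; IsInherited = $null
            Error = $_.Exception.Message
        }
    }

    foreach ($ace in $acl.Access) {
        # Deny entries restrict access; only Allow entries can expose the share.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = Get-PrincipalSid $ace.IdentityReference
        if (-not (Test-BadSid $sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        [PSCustomObject]@{
            ShareName   = $ShareName
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Sid         = $sid
            Rights      = $ace.FileSystemRights
            CanWrite    = (($rights -band $WriteBits) -ne 0) -or
                          (($rights -band $GenericWrite) -ne 0) -or
                          (($rights -band $GenericAll) -ne 0)
            IsInherited = $ace.IsInherited
            Error       = $null
        }
    }
}

# Run the NTFS check over every local file share, mirroring the share-level loop.
$ntfsFindings = Get-SmbShare |
    Where-Object { $_.ShareType -eq 'FileSystem' -and $_.Path } |
    ForEach-Object { Get-NtfsFinding -Path $_.Path -ShareName $_.Name }

$ntfsFindings | Format-Table ShareName, Identity, Rights, CanWrite, IsInherited, Error -AutoSize
```

Effective access over SMB is the intersection of the share ACL and the NTFS DACL, so a hit on only one layer is not necessarily exploitable; flagging either layer, as the post does, is the conservative reading and keeps the finding visible when the other layer is later loosened. The IsInherited column separates a misconfigured share root from an ACE inherited from the volume root, and CanWrite separates read exposure from the more serious ability to plant or modify files.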

What the script does

The script automatically:

  • Enumerates all local SMB file shares
  • Audits both Share and NTFS permissions
  • Detects insecure principals such as Everyone or Authenticated Users
  • Writes structured JSON events to the Windows Application Event Log
  • Creates the required event source automatically if necessary

Each audited share produces one of two events:

  • Event ID 42001 – Compliance check passed
  • Event ID 42000 – Compliance verification failed

Example Event

A non-compliant event, abbreviated (the payload written by the script also contains the Domain and OS fields; note that ConvertTo-Json escapes each backslash, so the UNC path appears with doubled separators):

{
  "Computername": "SERVER01.example.local",
  "ShareName": "\\\\SERVER01\\Public",
  "SharePath": "D:\\Shares\\Public",
  "State": "Compliance verification failed"
}

The JSON payload can be consumed by Microsoft Sentinel, Splunk, Elastic, or any SIEM that collects Windows Event Logs: filter on the source "Windows Share Auditing" and event IDs 42000/42001, then parse the message body as JSON. Because every run appends a fresh event per share, dashboards and alerts should key on the most recent event per share rather than counting events.
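Before wiring up a SIEM, it is worth reading the events back locally to confirm the payload parses. The following is an added example for this page, not code from the post: a hypothetical helper, Get-ShareAuditResult, that queries the Application log for the script's source and event IDs, turns the JSON message into objects, and optionally reduces the result to the latest event per share, which is the same reduction a dashboard query needs.

```powershell
# Added example (not part of the original script): read the audit events back as objects.
function Get-ShareAuditResult {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$EventId = @(42000, 42001),
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [switch]$Latest     # keep only the most recent event per share
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Windows Share Auditing'   # the Source the script registers
        Id           = $EventId
        StartTime    = $StartTime
    }

    # Get-WinEvent reports "no events found" as an error; treat it as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $results = foreach ($e in $events) {
        try { $payload = $e.Message | ConvertFrom-Json -ErrorAction Stop }
        catch { continue }   # skip anything under this source that is not our JSON
        [PSCustomObject]@{
            TimeCreated  = $e.TimeCreated
            EventId      = $e.Id
            Compliant    = ($e.Id -eq 42001)
            Computername = $payload.Computername
            ShareName    = $payload.ShareName
            SharePath    = $payload.SharePath
            State        = $payload.State
        }
    }

    if ($Latest) {
        # Each run appends a new event per share, so the current state is the newest one.
        $results | Group-Object Computername, ShareName | ForEach-Object {
            $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        }
    }
    else {
        $results
    }
}

# Shares whose most recent audit failed.
Get-ShareAuditResult -Latest | Where-Object { -not $_.Compliant } |
    Format-Table TimeCreated, ShareName, SharePath, State -AutoSize
```

The same filter (provider name plus the two event IDs) is what a forwarding or collection rule should use; everything else in the Application log can stay out of the pipeline.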

Conclusion

Instead of generating static reports, this approach publishes compliance information to the Windows Event Log each time it runs; scheduled as a task, it produces a continuous record. It integrates with existing monitoring solutions and provides a lightweight way to detect insecure SMB share permissions across your server infrastructure.