In this article, we'll provide an overview for Malformed Permission Analysis Rule.

 

Malformed Permission

Detects folders where NTFS permissions are not working correctly, due to ACL ordering issues or orphaned inheritance.

Malformed Permissions is only supported on the following content sources:

  • Windows File Servers (WFS)
  • Common Internet File Systems (CIFS)

 

Malformed Permission FAQ

1. Why is "permissions are corrupted" appearing in the issue detail section of a Malformed Permission anomaly detection?

Canonical order of ACEs background:

The rules for canonical ordering of ACEs (Access Control Entries) are as follows:

  1. Across all types of ACEs, deny takes precedence over allow ACEs
  2. Explicit ACEs take precedence over inherited ones
  3. Within inherited ACEs, the closer ACE takes precedence over the farther one i.e. ACE inherited from the parent is first, followed by the one from the grandparent and so on.

Malformed Permissions identifies ACEs that violate this ordering based on rules 1 and 2 above. Violating rules 1 or 2 above will trigger a Malformed Permission detection.

Malformed Permission can not detect a violation of rule 3

 

2. How do ACEs end up in non-canonical order?

When using the standard Windows GUI to modify, add, delete permissions non-canonical issue will never happen. However, there are older APIs that are still used by other tools that could write ACEs to disk which are in the incorrect order (icacls tool in older Windows Server versions can be used to create such ACEs)