Backing up security descriptors

TL;DR - I'd like to know if anyone has something like this already or knows of a commercial product that can backup and restore everything about all the files and folders on a volume quickly and consistently (including ACLs, Auditing, Attributes, Ownership, and Timestamps).

Before I reinvent the wheel, I'm wondering if anyone is aware of backup software (preferably enterprise-class) that can back up everything about a file, except the data itself. Currently, the only utility we've found to consistently do this, that includes the ownership and auditing information, is robocopy. Even some major products like SecurityExplorer, that have some very nice automation and centralization features, do not support auditing and ownership, and have expressed that they have no interest in adding this functionality.

The problem with using robocopy is that it only deals with file objects, so in order to create an ACL backup we have to have a filesystem carved out where it can create zero-byte files to match each source file, as a placeholder for all the information about the source file. This results in millions of zero-byte files, which actually use one NTFS cluster per file, so there can be a significant space requirement.

In the absence of a tool specifically built to do this, that has all the features we need, I've decided to first check here, then begin designing my own program to do it. Since I'm going to all this trouble, I figure I'll make it a little more robust than we need it so it can be used by just about anyone. I have a lot of it already built in snippets from other scripts I've written. The part that's hanging me up at the moment is the format of the security descriptors (SACL and DACL) and how to effectively store those in a database. I'm checking code on the forums from ptrex and others. I'm pretty sure my problem is I've convinced myself it's more complicated than it is.

Below are the requirements for what I have planned:

  • Scriptable as a standalone executable
  • Uses a user-configurable number of multiple processes for speed
  • Supports multiple types of databases (ODBC, MS-SQL, MySQL, SQLite, even CSVs maybe, etc.)
  • Can copy directly to matching, or zero-byte files like robocopy does (multiple processes would make it better than robocopy in this mode)
  • Records all the information about each file: security (ACLs & ACEs), Auditing, Attributes, Ownership, Timestamps
  • Able to restore these properties
  • Configurable notification via email, SMS, net send, etc.
  • A GUI for interactive use of the application on a single machine
  • Runs as a service (found arcker's Service UDF for this! ^_^ )
  • A central management console that would use the database, but could communicate to the service on a machine via TCP/IP to start a verification or check a set of files and folders in real-time (though this might be feasible simply by using the schedules in the database to schedule an immediate operation and keep the DB schedule polling interval low on the machine with the service)
  • Internal scheduler with the schedules specified in the database and/or local files

The core of this, that I'm working on now, would just be a single command-line executable like robocopy, that's not dependent on things outside of the core Windows XP/2003 or higher OS (even WMI if I can avoid it), operates efficiently (uses parallel processes, and is at least as fast as robocopy), supports databases for storage, and will perform backups and restores cleanly.

Edited by c0deWorm

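As an added illustration of the core requirement above (recording owner, DACL, SACL, attributes and timestamps for every object under a volume without copying any data, and restoring or verifying them later), here is a PowerShell sketch. It is not the poster's code, not part of any product named in the thread, and not an AutoIt implementation; it uses the CSV storage option from the requirements list. It assumes an elevated PowerShell 5.1+ session on Windows whose account holds SeSecurityPrivilege (needed to read and write SACLs) and SeRestorePrivilege (needed to set an owner other than the caller). The function names and the file paths are placeholders.

```powershell
# Added example, not from the original post. Snapshot NTFS security descriptors
# (owner/group/DACL/SACL as one SDDL string), attributes and timestamps to a CSV,
# restore them, and report drift. Assumes an elevated session with
# SeSecurityPrivilege and SeRestorePrivilege. All paths are placeholders.

function Backup-FileSecurity {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $OutCsv
    )
    # Include the root object itself, then everything beneath it (hidden/system too).
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    $items | ForEach-Object {
        $item = $_
        # -Audit pulls the SACL; without it the 'S:' section of the SDDL is missing.
        $acl = Get-Acl -LiteralPath $item.FullName -Audit
        [pscustomobject]@{
            Path          = $item.FullName
            IsContainer   = $item.PSIsContainer
            Owner         = $acl.Owner
            # 'All' = owner, group, DACL and SACL in one string (O:...G:...D:...S:...)
            Sddl          = $acl.GetSecurityDescriptorSddlForm('All')
            Attributes    = [int]$item.Attributes
            CreationUtc   = $item.CreationTimeUtc.ToString('o')
            LastWriteUtc  = $item.LastWriteTimeUtc.ToString('o')
            LastAccessUtc = $item.LastAccessTimeUtc.ToString('o')
        }
    } | Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8
}

function Restore-FileSecurity {
    param([Parameter(Mandatory)] [string] $InCsv)
    # Parents first: explicit ACEs on a folder must be in place before its
    # children are touched, because inherited ACEs are re-derived from the parent.
    $rows = Import-Csv -LiteralPath $InCsv | Sort-Object { $_.Path.Length }
    foreach ($row in $rows) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            Write-Warning "Missing object, skipped: $($row.Path)"
            continue
        }
        # 1. Security descriptor (owner, group, DACL, SACL) from the stored SDDL.
        $acl = Get-Acl -LiteralPath $row.Path -Audit
        $acl.SetSecurityDescriptorSddlForm($row.Sddl)
        Set-Acl -LiteralPath $row.Path -AclObject $acl
        # 2. Attributes (ReadOnly, Hidden, System, Archive, ...).
        $item = Get-Item -LiteralPath $row.Path -Force
        $item.Attributes = [IO.FileAttributes][int]$row.Attributes
        # 3. Timestamps last, so nothing above disturbs them. 'o' round-trips as UTC.
        $item.CreationTimeUtc   = [datetime]::Parse($row.CreationUtc,   $null, 'RoundtripKind')
        $item.LastWriteTimeUtc  = [datetime]::Parse($row.LastWriteUtc,  $null, 'RoundtripKind')
        $item.LastAccessTimeUtc = [datetime]::Parse($row.LastAccessUtc, $null, 'RoundtripKind')
    }
}

function Compare-FileSecurity {
    # Verification pass: returns one object per path whose current descriptor
    # no longer matches the snapshot (missing objects are reported too).
    param([Parameter(Mandatory)] [string] $InCsv)
    foreach ($row in Import-Csv -LiteralPath $InCsv) {
        if (-not (Test-Path -LiteralPath $row.Path)) {
            [pscustomobject]@{ Path = $row.Path; Status = 'Missing'; Expected = $row.Sddl; Actual = $null }
            continue
        }
        $now = (Get-Acl -LiteralPath $row.Path -Audit).GetSecurityDescriptorSddlForm('All')
        if ($now -ne $row.Sddl) {
            [pscustomobject]@{ Path = $row.Path; Status = 'Changed'; Expected = $row.Sddl; Actual = $now }
        }
    }
}

# Usage (placeholder paths):
#   Backup-FileSecurity  -Root 'D:\Share' -OutCsv 'C:\Backups\share-sd.csv'
#   Compare-FileSecurity -InCsv 'C:\Backups\share-sd.csv' | Format-Table -AutoSize
#   Restore-FileSecurity -InCsv 'C:\Backups\share-sd.csv'
```

Two points worth keeping in mind with this approach. The SDDL string captures inherited ACEs as well as explicit ones, which is why the restore walks parents before children; restoring a child's descriptor with the parent still wrong would just re-inherit the wrong entries. The compare pass is a cheap way to get the "check a set of files in real time" item from the requirements list: a scheduled run that diffs live SDDL against the snapshot surfaces unexpected permission or audit-policy changes without touching any file data.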