Check out 3 ways to help your grad celebrate in the age of social distancing | Windows Experience Blog

‘Tis the season for high school and college graduations, but how do you help your grad celebrate while following social distancing guidelines to keep us all safe? Schools around the world are responding in different ways, with some conducting online ceremonies or offering drive through diploma pickup, while others are postponing commencement until it can be safely held in person.
Whichever way your loved one graduates, Windows and other teams at Microsoft are providing three ways to help them celebrate. Throw a virtual graduation party, create a graduation photo album to give them as a gift, or host a Class of 2020 awards night. For step-by-step instructions on each, head over to the Windows Home and Family blog post.

Accelerating innovation in Windows 10 to meet customers where they are | Windows Experience Blog

Three months ago, I took on the role of leading Windows and Devices. What excited me about this was the opportunity to bring together our incredible teams to work on a product that a billion people all over the world rely on every day to work, learn, create and have fun. Since taking on the role, the world has changed in a way that many of us are still adjusting to. I am adapting to working from home, collaborating with our teams remotely and having my four children learning from home.

From hitting the milestone of 1 billion Windows 10 monthly active devices to announcing the May 2020 Update that is coming soon, I feel a tremendous sense of pride and gratitude to see the team’s relentlessness and growth mindset culture at work to push forward supporting our customers and each other.
As a team we have been spending a lot of time with our customers, OEM partners and teams inside and outside of the company listening and learning. The feedback we are hearing is energizing, and if one thing is clear it is that Windows plays a critical role in helping people navigate the times we are in. Customers are using Windows PCs to stay productive, connect and learn in this time. In fact, over 4 trillion minutes are being spent on Windows 10 a month, a 75% increase year on year.
As the world and people’s routines are changing, it is important that we focus on meeting our customers where they are now and helping them get to where they want to be in the future.
Shipping the Windows 10 May 2020 Update
A great step the team is taking to meet customers where they are is with the Windows 10 May 2020 Update, coming free, as always, to every Windows 10 PC starting this month.
In this update, we are going to make some things easier and faster for our customers like introducing a more streamlined way to pair Bluetooth devices in Windows. With my full house, I am thrilled to have anything that makes connecting my family’s devices easier, like my noise cancelling headphones to focus while working from home. We are bringing practical improvements in the bigger things, like an improved tablet experience when you detach your 2-in-1’s keyboard, allowing you to keep the familiarity of your desktop while at the same time optimizing for touch*. As always, we are continuing our focus on empowering everyone with Windows, and with the May 2020 Update we are bringing “drag and drop” to those who use our Eye Control functionality**. We are even bringing in some fun, like making more kaomoji available directly in the Windows emoji keyboard. ☜(゚ヮ゚☜)
For those of you who are Windows Insiders, you have gotten to try many of these new features even sooner. Thank you for helping us shape the future of Windows. If you are not a Windows Insider yet, we invite you to join us.
Accelerating innovation in Windows 10
The May 2020 Update is just the first step though. As a team, we are committed to delivering meaningful innovation in ways that matter most to the billion people around the world relying on Windows right now. That is why, in this holiday and the next, we are going to accelerate innovation in Windows 10 to ensure that Windows devices are the best way to work, learn and play. We are going to make important improvements in every one of those areas.
With that increased focus comes a shift in priorities for Windows too. The world is a very different place than it was last October when we shared our vision for a new category of dual-screen Windows devices. As we continue to put customers’ needs at the forefront, we need to focus on meeting customers where they are now. Our customers are leveraging the power of the cloud more than ever, and we believe the time is right to lean into this acceleration in a different way.
With Windows 10X, we designed for flexibility, and that flexibility has enabled us to pivot our focus toward single-screen Windows 10X devices that leverage the power of the cloud to help our customers work, learn and play in new ways. These single-screen devices will be the first expression of Windows 10X that we deliver to our customers, and we will continue to look for the right moment, in conjunction with our OEM partners, to bring dual-screen devices to market.
 
Invitation to Build
At Build later this month, the team will share the next steps we are taking to empower the Windows developer community even further. We are going to share how we will reduce complexity for developers by making it easier than ever to build for all 1 billion Windows 10 devices, all at once. We will share how we will enable developers to build applications that seamlessly enable cloud-powered virtualization. Most importantly, even though we will not be in the same room this year, we are going to connect as a Windows community to look to the future together.
We invite you to join us there from May 19-21 for this 48-hour digital experience. Registration is now open, at no cost, to learn new skills, solve problems and build together.
We have an incredible opportunity and responsibility in front of us to build more seamless experiences across software and hardware for our customers around the world. I am pumped for what the team has in store. So much more is coming; this is just the beginning.
Panos
* Coming in a future servicing update to the Windows 10 May 2020 Update in early summer
** Additional peripheral devices required
Editor’s note – May 4, 2020 – The post above was updated to clarify that the improved tablet experience is expected to come in a future servicing update in early summer.

Now available: Samsung Galaxy Book Flex and Samsung Galaxy Book Ion | Windows Experience Blog

Announced last fall, two new Samsung Windows 10 PCs are now available: the Galaxy Book Flex and the Galaxy Book Ion.

Samsung Galaxy Book Flex 15″

The Samsung Galaxy Book Flex is a 2-in-1 PC with a QLED display packed with all the sharpness, detail and colors you’re used to on your TV, combined with an ultra-slim, convertible design that seamlessly converts from laptop to tablet. It comes in 13- and 15-inch versions.
But it’s got a lot going on under that attractive exterior. A 10th Gen Intel Core i7 processor delivers split-second responsiveness for easy multitasking. The Wireless PowerShare turns your trackpad into a charging pad, and with its multi-workday battery life, you can keep working and creating uninterrupted.

Wireless charging

Another bonus: the ability to control presentations and other content from across the room using the included Bluetooth-enabled S Pen.
Like the Flex, the Samsung Galaxy Book Ion comes with a QLED display, wireless charging pad, 10th Gen Intel Core i7 processor and S Pen, as well as a long-lasting battery. With the Ion, when you tilt the screen back the spine elevates the keypad ever so slightly, creating a more comfortable angle.
If you have a Samsung phone, you can connect it to these PCs using Microsoft’s Your Phone. Then you can get to your recent photos, text messages, notifications and mobile apps on your PC, without the need to switch between devices.

You can also sign into both models using a fingerprint or a PIN, thanks to Windows Hello – so no need to enter a password.
These devices will be available at Best Buy and Microsoft Store, among other national retailers.

HP reveals redesigned and highly customizable OMEN gaming desktops | Windows Experience Blog

As people stay at home due to lockdowns across the country, they’re turning to games more than ever to relieve stress and connect with others. Now they’ve got more hardware options to choose from with HP’s latest additions to their gaming suite: the OMEN 25L and 30L Desktops.
On both models, gamers will find visuals powered by up to NVIDIA’s GeForce RTX 2080 Ti or up to AMD’s Radeon RX 5700 XT graphics cards. Harness the computing power a game needs with up to the latest 10th Gen Intel Core i9-10900K or up to the latest 3rd Gen AMD Ryzen 9 3900 desktop processors.
To keep the CPU running cool, HP has worked with Cooler Master to offer both 92mm air and 120mm liquid cooler options. In addition to this alliance on the thermals side, HP has extended the relationship to include the power supplies as well, scaling up to a 750W 80 PLUS Platinum PSU from Cooler Master. Gamers can outfit the interior with up to 64GB of HyperX FURY DDR4-3200MHz XMP memory with optional RGB lighting. They will also enjoy lightning-quick boot times and game launches with ample storage space when pairing with up to two 2TB WD_Black M.2 PCIe NVMe SSDs configured in RAID0.

Customers can choose either the 25-liter (25L) or 30-liter (30L) model, both built with refined thermals and a tool-less design for internal access. The 30L model comes with a tempered glass front bezel and an enhanced thermal compartment that houses a Cooler Master 120mm RGB system fan to bring additional cold air into the system.
For those who wish to customize their setups, they can do so via the OMEN Command Center app, which enables lighting control for up to six zones including: the front logo, front fan, interior lighting, CPU cooler, memory, and graphics card. Users can also use the app to monitor individual component performance, allocate network traffic, and control fan speeds.
Both the OMEN 25L and 30L Desktops are expected to be available in retail stores and online starting in May. The 25L model will have a starting price of $899.99*, while the 30L model will start at $1199.99* on HP.com.

And for gamers looking to pair a display with one of these desktops, they can check out the new OMEN 27i Gaming Monitor. It is OMEN’s first combination of an IPS Panel at QHD resolution with a refresh rate up to 165Hz. Games will jump to life with a Quad HD (2560×1440) resolution and 350 nits brightness. And, thanks to NVIDIA G-SYNC compatibility, gamers will experience fluid gameplay that reduces display stutter, input lag and screen tearing.
The OMEN 27i Gaming Monitor is expected to be available in retail and online starting May at a starting price of $499.99* on HP.com.
Find out more about the OMEN ecosystem of gaming PCs, displays and accessories.
*Pricing from HP.com, subject to change without notice. Retailer pricing may vary.

For Sale – Gigabyte Aero 15X – i7 8750h – GTX 1070 – 1tb NVMe M.2 SSD – 32GB DDR4


Wanted – Microsoft Surface Pro 1,2,3,4…

Hi

I have a Surface 3, barely used, been sat in cupboards for most of its life, occasional usage when I went to the states.

Comes with original box, keyboard black, the clicky pen, no damage to the unit at all.

Not sure what it’s worth, I paid a gazillion bucks for it at the time but I suspect it’s obviously worth a fraction of that now.

Not sure if there’s a “how many hours has it been used” function but would be interesting to know, my gut is it’s virtually new in real terms.

Thanks


Customer service agents, chatbots dial up empathy in pandemic

Contact centers are finding that customer service agents working from home and the chatbots that assist them need to keep up with rapidly evolving customer needs in order to maintain quality of service.

Pandemic customer service means discussing financial hardship with customers 2.5 times more frequently, according to data collected by AI customer service cloud vendor Tethr, spanning more than a million calls across many verticals for two weeks in March. These and other conversations companies scored as “difficult” have doubled during the pandemic, and account for 10% to 20% of call volume, depending on industry.

These calls stress human customer service agents and take longer to resolve. Relaxing stringent payment policies for companies such as utilities, or easing cancellation and rebooking fees for travel companies can reduce agent stress and the time they take to solve customer issues, said Matt Dixon, Tethr chief product and research officer.

If those avenues aren’t available to agents, he added, retraining them to frame answers more sympathetically can make both customer and agent feel like they’re making the best out of a bad situation. One example would be to say “Let’s see how I can help you,” rather than giving customers bad news outright.

“The issues themselves aren’t unique [to pandemic customer service],” Dixon said. “There’s just a big increase in them, and there’s a lot of friction created where the policies themselves haven’t been adapted to reflect the current environment.”

Figure: Accenture COVID-19 international consumer pulse poll data. The shifting circumstances of consumers greatly affect customer service during pandemic times.

Examining call data first priority

Figuring out what’s changing in pandemic customer support begins with collecting contact data. AI-powered speech analytics technology for call centers can help customer service agents analyze trends across multiple channels such as voice, chat and even interactive voice response (IVR) automated answering systems, said Nancy Jamison, an analyst at Frost & Sullivan.

“If you’re using speech analytics, you’re going to start seeing things pop up,” Jamison said. “You’re going to get your word clouds, it’s going to show you what people are talking about, and you can do trend analysis.”

During the pandemic, customer service automation can help agents and chatbots adapt to changing customer needs and maintain quality of service by keeping hold times down and more quickly answering customer questions, Jamison said.

Companies that have equipped agents with unified desktops and assistive technologies that analyze speech in real time and suggest content, alter call routing and update scripts to help solve customer issues will be several steps ahead of those that haven’t. Those using AI in chatbots and agent-assist tools can adapt fastest.

Consider the touchy example of debt collection: Using speech analytics and sentiment analysis, a contact center might see that more people are reporting financial difficulties due to job or health disruptions since COVID-19 began to spread. Changing to a sympathetic tone and offering help through extended payment plans or other forms of relief changes the tone of the calls.

“It takes the burden off the agent,” Jamison said. “None of this is rocket science. We have different tools to enable us to know how to change.”

Keeping chatbots on point

Accenture clients fall into three categories when it comes to deploying and adjusting messages to meet the needs of customers affected by COVID-19, said Dawn Anderson, a senior managing director at the professional services company that is based in Dublin. The most proactive are in sectors such as banking and travel, whose call centers are swamped with calls since the pandemic and must quickly determine how to best handle it.

“Suddenly, they got this onslaught — some was normal volume, some of it to deal with COVID-19,” Anderson said. “They were empathetic before, but in that situation they have had to become even more empathetic in terms of how they’re handling those interactions.”

A second category, she said, includes companies getting more business — and therefore, more customer support tickets in general — as the world has shifted to remote work en masse, such as in the telecommunications sector. Those companies don’t necessarily need to layer extra empathy on to their messages, but instead need to automate and streamline as many workflows as possible to provide the most efficient pandemic customer service.

A third group, the public sector and healthcare, is just getting started with virtual assistants as they realize they need automation to best deliver their services while needs increase among patients and constituents, yet with social distancing and safety in mind. Those groups require empathy mixed with straightforward, unvarnished information in their messaging.

Adapting AI to pandemic times is complicated by changing business models, too, Anderson said. Accenture clients are working to add more human-sounding language to their virtual assistants, which can sometimes take away from the efficiency of the conversation.

Speed of deployment of virtual assistants is of the essence, said Athina Kanioura, Accenture chief analytics officer. The services firm advises companies that need to set up new virtual assistants to keep it as simple as possible and build in features later.

“Clients want to set up something extremely fast,” Kanioura said. Numerous Accenture clients have set up customer service chatbots that can answer frequently asked questions, and plan to add analytics, AI frameworks and other data tools when customer contact volumes subside and the world returns to business as usual. “We probably haven’t slept for three months because of the demand in this space.”


For Sale – PC Specialist Ultranote Laptop 14″ 1080p, i7 8550u, 8gb, 500gb

Great laptop. Perfect for working from home. It’s nice and light too so easy to take out and about with you – once we’re out of lockdown!

Here’s the spec:

i7 8550u processor
8gb ram (upgradable)
500gb HDD (upgradable)
14″ 1080p screen

snappy little laptop

Good condition, there are some scratches to the top of the lid which I’ve tried to show in the photos and a couple of super minor marks on the edges. No impact on use and price is reduced to reflect them. Screen is lovely, no marks, and the keyboard is super nice to type on. Really like it.

Reason for sale, person I got this for has decided they prefer a desktop.

I’d like £300 for it


Oracle’s GraalVM finds its place in Java app ecosystem

One year after its initial release for production use, Oracle’s GraalVM universal virtual machine has found validation in the market, evidenced by industry-driven integrations with cloud-native development projects such as Quarkus, Micronaut, Helidon and Spring Boot.

GraalVM supports applications written in Java, JavaScript and other programming languages and execution modes. But it means different things to different people, said Bradley Shimmin, an analyst with Omdia in Longmeadow, Mass.

First, it’s a runtime that can support a wide array of non-Java languages such as JavaScript, Ruby, Python, R, WebAssembly and C/C++, he said. And it can do the same for Java Virtual Machine (JVM) languages as well, namely Java, Scala and Kotlin.

Secondly, GraalVM is a native code generator capable of doing things like ahead-of-time compiling — the act of compiling a higher-level programming language such as C or C++ into native machine code so that the resulting binary file can execute natively.

“GraalVM is really quite a flexible ecosystem of capabilities,” Shimmin said. “For example, it can run on its own or be embedded as a part of the OpenJDK. In short, it allows Java developers to tackle some specific problems such as the need for fast app startup times, and it allows non-Java developers to enjoy some of the benefits of a JVM such as portability.”

GraalVM came out of Oracle Labs, which used to be Sun Labs. “Basically, it is the answer to the question, ‘What would it look like if we could write the Java native compiler in Java itself?'” said Cameron Purdy, former senior vice president of development at Oracle and current CEO of Xqiz.it, a stealth startup in Lexington, Mass., that is working to deliver a platform for building cloud-native applications.

“The hypothesis behind the Graal implementation is that a compiler built in Java would be more easily maintained over time, and eventually would be compiling itself or ‘bootstrapped’ in compiler parlance,” Purdy added.

The GraalVM project’s overall mission was to build a universal virtual machine that can run any programming language.

The big idea was that a compiler didn’t have to have built-in knowledge of the semantics of any of the supported languages. The common belief of VM architects had been that a language VM needed to understand those semantics in order to achieve optimal performance.

“GraalVM has disproved this notion by demonstrating that a multilingual VM with competitive performance is possible and that the best way to do it isn’t through a language-specific bytecode like Java or Microsoft CLR [Common Language Runtime],” said Eric Sedlar, vice president and technical director of Oracle Labs.

To achieve this, the team developed a new high-performance optimizing compiler and a language implementation framework that makes it possible to add new languages to the platform quickly, Sedlar said. The GraalVM compiler provides significant performance improvements for Java applications without any code changes, according to Sedlar. Embeddability is another goal. For example, GraalVM can be plugged into system components such as a database.

GraalVM joins broader ecosystem

One of the higher-profile integrations for GraalVM is with Red Hat’s Quarkus, a web application framework with related extensions for Java applications. In essence, Quarkus tailors applications for Oracle’s GraalVM and HotSpot compiler, which means that applications written in it can benefit from using GraalVM native image technology to achieve near instantaneous startup and significantly lower memory consumption compared to what one can expect from a typical Java application at runtime.

“GraalVM is interesting to me as it potentially speeds up Java execution and reduces the footprint – both of which are useful for modern Java applications running on the cloud or at the edge,” said Jeffrey Hammond, an analyst at Forrester Research. “In particular, I’m watching the combination of Graal and Quarkus as together they look really fast and really small — just the kind of thing needed for microservices on Java running in a FaaS environment.”

Quarkus uses the open source, upstream GraalVM project and not the commercial products — Oracle GraalVM or Oracle GraalVM Enterprise Edition.

“Quarkus applications can either be run efficiently in JVM mode or compiled and optimized further to run in Native mode, ensuring developers have the best runtime environment for their particular application,” said Rich Sharples, senior director of product management at Red Hat.

Red Hat officials believe Quarkus will be an important technology for two of its most important constituents — developers who are choosing Kubernetes and OpenShift as their strategic application development and production platform and enterprise developers with deep roots in Java.

“That intersection is pretty huge and growing and represents a key target market for Red Hat and IBM,” Sharples said. “It represents organizations across all industries who are building out the next generation of business-critical applications that will provide those organizations with a competitive advantage.”


Find and lock down lax Windows share permissions

Keeping your data secure and away from unauthorized users is a complex task, which can be even more difficult if a default setting in Windows gets in your way.

Trying to secure Windows share permissions is a big challenge due to a user right called Bypass traverse checking, which the OS grants by default. With this right, a user can reach a folder even without access rights to any of its parent folders.

We can remove this right with a Group Policy setting (it lives under User Rights Assignment), but it’s there for a reason. Without it, you will see a big drop in performance, since Windows will check every parent folder to see if the user is allowed to reach the target.
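As an added check (example code, not from the article), the following PowerShell exports the local user-rights assignments with secedit and lists who currently holds Bypass traverse checking (the SeChangeNotifyPrivilege right), so you can see whether the default is still in place before deciding what to do about it. The function name and the temporary file name are my own; run it from an elevated prompt.

```powershell
# Added example: who holds "Bypass traverse checking" (SeChangeNotifyPrivilege)
# on this machine. secedit exports the effective local policy to an .inf file
# whose [Privilege Rights] section lists each right with its holders as *SIDs.
# Function name and temp file name are assumptions, not from the article.
Function Get-BypassTraverseHolders {
    $Inf = Join-Path $env:TEMP 'UserRights.inf'

    # /areas USER_RIGHTS limits the export to user rights assignments (needs admin)
    & secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $Inf)) {
        Write-Error "secedit export failed; run this from an elevated prompt"
        return
    }

    $Line = Get-Content -Path $Inf | Where-Object { $_ -match '^SeChangeNotifyPrivilege\s*=' }
    Remove-Item -Path $Inf -ErrorAction SilentlyContinue

    # No line at all means the right is assigned to nobody
    if (-not $Line) { return @() }

    # Right-hand side is a comma-separated list of *S-1-... SIDs (or account names)
    ($Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $Entry = $_.Trim().TrimStart('*')
        if ($Entry -match '^S-1-') {
            Try {
                # Translate the SID to a friendly name, e.g. S-1-1-0 -> Everyone
                $Sid = [System.Security.Principal.SecurityIdentifier]::new($Entry)
                $Sid.Translate([System.Security.Principal.NTAccount]).Value
            }
            Catch { $Entry }
        }
        else { $Entry }
    }
}

# Everyone or BUILTIN\Users in this list means the default described above is still in place
Get-BypassTraverseHolders
```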

This article will explain how to create a report on Windows share permissions to determine which users have excessive authorizations and how to mend it using PowerShell and Sysinternals.

Gathering file shares and their authorized users

First, we need to find the file shares on the servers and client systems. We can do this either with the Get-SmbShare cmdlet or by querying the Win32_Share WMI class with either Get-CimInstance or Get-WmiObject.

For this example, Get-WmiObject is the preferred way to fetch our shares because it’s a more streamlined approach. Note that Get-WmiObject exists only in Windows PowerShell (the PS51 prompts below are PowerShell 5.1); on PowerShell 7 use Get-CimInstance instead. Launch the PowerShell terminal as an admin on a file server and enter the following command:

Get-WMIObject -Class win32_share

Name    Path                              Description
----    ----                              -----------
MyShare C:\demoshare                      Demo share
ADMIN$  C:\WINDOWS                        Remote Admin
C       C:\
C$      C:\                               Default share
D$      D:\                               Default share
E$      E:\                               Default share
IPC$                                      Remote IPC
print$  C:\WINDOWS\system32\spool\drivers Printer Drivers
scripts C:\scripts

The PowerShell command outputs all the shares, but it doesn’t show the users with access to them. That’s because the Windows share permissions reside in another WMI class called Win32_LogicalShareSecuritySetting:

Get-WmiObject -Class Win32_LogicalShareSecuritySetting

This resulting output doesn’t tell us much either. We need a more comprehensive PowerShell script to generate something more useful:

# Get all shares on the computer
$Shares = Get-WMIObject -Class win32_share

# List to collect the processed shares in
$NetworkShares = [System.Collections.Generic.List[PSCustomObject]]::new()

# Ignore the default admin shares (ADMIN$, C$, IPC$ ...): their Type has the
# high bit set, i.e. it is 2147483648 or above. The print$ share is skipped too.
foreach ($Share in $Shares | ? {$_.Type -lt 2147483648 -and $_.Name -ne 'print$'}) {

    # Create an object that we'll return
    $ShareObject = [PSCustomObject]@{
        Name        = $Share.Name
        Description = $Share.Description
        LocalPath   = $Share.Path
        ACL         = [System.Collections.ArrayList]::new()
    }

    # Get the security settings for the share
    $ShareSecurity = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$($Share.Name)'"

    # If security settings exist, build a list with ACLs
    if ($Null -ne $ShareSecurity) {
        Try {
            $SecurityDescriptor = $ShareSecurity.GetSecurityDescriptor().Descriptor

            foreach ($AccessControl in $SecurityDescriptor.DACL) {

                $Trustee  = $AccessControl.Trustee
                $UserName = $Trustee.Name

                # Prefix the domain when there is one, e.g. BUILTIN\Users
                If ($Null -ne $Trustee.Domain) {
                    $UserName = "$($Trustee.Domain)\$UserName"
                }

                # Fall back to the SID for accounts that can't be resolved to a name
                If ($Null -eq $Trustee.Name) {
                    $UserName = $Trustee.SIDString
                }

                # AccessMask maps onto FileSystemRights, AceType onto Allow (0) / Deny (1)
                $ShareObject.ACL.Add(
                    [System.Security.AccessControl.FileSystemAccessRule]::new(
                        $UserName,
                        $AccessControl.AccessMask,
                        $AccessControl.AceType
                    )
                ) | Out-Null
            }

            # Return the share object with the ACLs
            $NetworkShares.Add($ShareObject)
        }
        Catch {
            Write-Error $_
        }
    }
    Else {
        Write-Information "No permissions found for $($Share.Name) on $env:COMPUTERNAME"
    }
}

The content of the $NetworkShares variable should end up looking similar to the following:

PS51> $NetworkShares

Name      Description LocalPath    ACL
----      ----------- ---------    ---
DemoShare Demo share  C:\demoshare {System.Security.AccessControl.FileSystemAccessRule}
scripts               C:\scripts   {System.Security.AccessControl.FileSystemAccessRule, System.Security.AccessControl.FileSystemAccessRule}

PS51> $NetworkShares[0].ACL

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : Everyone
IsInherited : False
InheritanceFlags : None
PropagationFlags : None

We’ve successfully gathered data about our Windows share permissions, showing who has access to what. That might not be enough, because administrators usually assign permissions at the NTFS level, not the share level, and the effective access is the more restrictive of the two.

We also need to check the files and folders inside the share to see whether there are excessive permissions for broad groups, such as Everyone or Domain Users.

Scanning file permissions using AccessChk

We have a list of our file shares. Next, we need to get all the file permissions. The fastest way to do this is to use the AccessChk utility from the Sysinternals suite and parse its output with PowerShell.

Put AccessChk on your file server and copy the AccessChk64.exe file to your system32 folder. You can either download the utility from the link above or use the following PowerShell code to download it and copy it to your system32 folder:

Invoke-WebRequest -OutFile "$env:TEMP\AccessChk.zip" -Uri https://download.sysinternals.com/files/AccessChk.zip
Expand-Archive -Path "$env:TEMP\AccessChk.zip" -DestinationPath $env:TEMP -Force
Copy-Item -Path "$env:TEMP\AccessChk64.exe" -Destination "$env:windir\System32\AccessChk64.exe"

We can use PowerShell to create a wrapper function around AccessChk for use in a script:

Function Invoke-AccessChk {
    param(
        $Path,
        $Principals,
        $AccessChkPath = "$env:windir\system32\accesschk64.exe",
        [switch]$DirectoriesOnly,
        [switch]$AcceptEula
    )

    # Accept EULA
    if ($AcceptEula) {
        & $AccessChkPath /accepteula | Out-Null
    }

    # AccessChk flags: u = suppress errors, q = quiet, s = recurse, d = directories only
    $Argument = "uqs"
    if ($DirectoriesOnly) {
        $Argument = "udqs"
    }

    $Output = & $AccessChkPath -nobanner "-$Argument" $Path

    $Object = $Null
    Foreach ($Row in $Output) {

        # A row starting with a non-blank character is a file path:
        # output the previous object (if it had any matches) and create a new one
        if ($Row -match "^\S") {
            If ($Null -ne $Object -and $Object.Access.Keys.Count -gt 0) {
                $Object
            }
            $Object = [PSCustomObject]@{
                Path   = $Row
                Access = @{}
            }
            continue
        }

        # An indented row holds permissions, e.g. "  RW BUILTIN\Users" or "  R  Everyone"
        if ($Row -match "^\s*(?<Read>[R ])(?<Write>[W ])\s+(?<Principal>\S.*)$") {
            $Principal = $Matches.Principal.Trim()

            # Compare without the domain prefix, e.g. "BUILTIN\Users" -> "Users"
            If (($Principal -replace "^.*\\") -in $Principals) {
                $Object.Access[$Principal] = @{
                    Read  = $Matches.Read -eq 'R'
                    Write = $Matches.Write -eq 'W'
                }
            }
        }
    }
    # After the last row, output the final object once more
    if ($Null -ne $Object -and $Object.Access.Keys.Count -gt 0) {
        $Object
    }
}

We can now run Invoke-AccessChk against the network shares stored in the $NetworkShares variable from the previous step. We also build a list of the security principals to look for, written without a domain prefix:

# Invoke-AccessChk will only output files/folders where the following principals have permission:
$RiskPrincipals = @(
    'Everyone',
    'Domain Users',
    'Domain Computers',
    'Authenticated Users',
    'Users'
)

# Select -First 1 limits this demo to the first share; remove it to scan them all
$RiskyPermissions = Foreach ($NetworkShare in $NetworkShares | Select -First 1) {

    # Only scan the directory if it's shared to one of the principals in $RiskPrincipals.
    # The domain part is stripped ("BUILTIN\Users" -> "Users") before comparing.
    $RiskPrincipalExist = $Null -ne ($NetworkShare.ACL.IdentityReference.Value -replace ".*\\" | ? {$_ -in $RiskPrincipals})

    if ($RiskPrincipalExist) {
        Invoke-AccessChk -Path $NetworkShare.LocalPath -Principals $RiskPrincipals
    }

}

The $RiskyPermissions variable will give output similar to this:

PS51> $RiskyPermissions

Path                             Access
----                             ------
C:\demoshare\File1.txt           {BUILTIN\Users, NT AUTHORITY\Authenticated Users}
C:\demoshare\Folder1\picture.png {NT AUTHORITY\Authenticated Users}
C:\demoshare\Folder1\Folder2     {NT AUTHORITY\Authenticated Users}

PS51> $RiskyPermissions[0].Access

Creating a report from several computers and servers

So far you can get a list of all the file shares on one machine and check every file in them with the PowerShell wrapper for AccessChk. One of PowerShell's many strengths is its ability to scale: PowerShell remoting takes the code we've produced to the next level by gathering the information from several computers at once.

First, we need a list of computers and servers to scan. If possible, the easiest way is through the Active Directory module from RSAT:

$Computers = (Get-ADComputer -Filter *).dnsHostName

This method might not be an option in larger environments that are heavily segmented. Another approach is to pull the list from your configuration management database, or to enter it manually as in the following example:

$Computers = @(
'Server1',
'Server2',
'Server3',
'Server4',
'Server5',
'PC1'
# etc
)

Now it's time to tie all these components together in a script that uses PowerShell background jobs to do the following on the machines listed in the $Computers variable:

  • Get all shares that are shared out to one of the principals in $RiskPrincipals.
  • Download AccessChk if it does not already exist on the machine.
  • Check the NTFS permissions of all gathered shares with AccessChk.
  • Return an object with a list of all files where the security principals in $RiskPrincipals have either read or write permission.

The computer running the script then collects the results of all jobs and writes them to a CSV file named ShareAccessReport.csv.

Remember to run the following as an admin on a computer that has network access to those machines (PowerShell remoting must be enabled on them), and accept the EULA for AccessChk by changing $AcceptEula to $true:

$Computers = @(
    'Server-1',
    'Server-2',
    'PC-1'
)

# Accept EULA for AccessChk
# CHANGE TO $true
$AcceptEula = $false

if(!$AcceptEula){
    Write-Warning "Did not accept EULA for AccessChk, can't continue"
    return
}

# Principals that we want to scan for
$RiskPrincipals = @(
    'Everyone',
    'Domain Users',
    'Domain Computers',
    'Authenticated Users',
    'Users'
)

# Shares that we want to ignore by name.
# print$ holds printer drivers and is readable by everyone by design, so it would only add noise.
$IgnoreShares = @(
    'print$'
)

# Scriptblock that we'll send with Invoke-Command
$Scriptblock = {

    # Invoke-Command passes the single hashtable from -ArgumentList as $args[0]
    $RiskPrincipals = $args[0].RiskPrincipals
    $IgnoreShares = $args[0].IgnoreShares
    $AcceptEula = $args[0].AcceptEula

    # Functions to download and use AccessChk
    # It utilizes a shell object instead of Expand-Archive for backward compatibility
    Function Download-AccessChk {
        param(
            $Url = "https://download.sysinternals.com/files/AccessChk.zip",
            $Dest = $env:temp
        )
        $ZipPath = Join-Path $Dest "AccessChk.zip"
        if(Test-Path $ZipPath){
            Remove-Item $ZipPath -Force
        }
        (New-Object System.Net.WebClient).DownloadFile($Url, $ZipPath)
        $Shell = New-Object -ComObject Shell.Application
        $Zip = $Shell.NameSpace($ZipPath)
        $Destination = $Shell.NameSpace("$env:windir\system32")

        $copyFlags = 0x00
        $copyFlags += 0x04  # FOF_SILENT: no progress dialog
        $copyFlags += 0x10  # FOF_NOCONFIRMATION: answer "yes to all"

        $Destination.CopyHere($Zip.Items(), $copyFlags)
    }

    # The function that utilizes accesschk from part 2
    Function Invoke-AccessChk {
        param(
            $Path,
            $Principals,
            $AccessChkPath = "$env:windir\system32\accesschk64.exe",
            [switch]$DirectoriesOnly,
            [switch]$AcceptEula
        )

        if(!(Test-Path $AccessChkPath)){
            Download-AccessChk
        }

        # Accept EULA
        if($AcceptEula){
            & $AccessChkPath /accepteula | Out-Null
        }

        # -u suppress errors, -q quiet, -s recurse, -d directories only
        $Argument = "uqs"
        if($DirectoriesOnly){
            $Argument = "udqs"
        }

        $Output = & $AccessChkPath -nobanner "-$Argument" $Path

        # Only match the principals we are interested in, escaped for use in a regex
        $PrincipalPattern = ($Principals | ForEach-Object { [regex]::Escape($_) }) -join "|"

        $Object = $Null
        Foreach($Row in $Output){

            # If it's a row with a file path (starts at column 0) output the previous object and create a new one
            if($Row -match "^\S"){
                If($Null -ne $Object){
                    if($Object.Access.Keys.Count -gt 0){
                        $Object
                    }
                }
                $Object = [PSCustomObject]@{
                    Path = $Row
                    Access = @{}
                }
            }

            # If it's a row with permissions (indented: "RW", "R " or " W", then the principal)
            if($Row -match "^\s+[R ][W ]\s"){
                If($Row -match $PrincipalPattern){

                    $Row -match "^\s+(?<Read>[R ])(?<Write>[W ])\s+(?<Principal>.*)" | Out-Null

                    $Object.Access[$Matches.Principal] = @{
                        Read = $Matches.Read -eq 'R'
                        Write = $Matches.Write -eq 'W'
                    }

                }
            }
        }
        # If it's the last row - output the object once more
        if($Null -ne $Object -and $Object.Access.Keys.Count -gt 0){
            $Object
        }
    }

    # Get all the shares by using WMI
    $Shares = Get-WmiObject -Class win32_share

    # Create an object that we will later return when we're done
    $ReturnObject = [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        NetworkShares = [System.Collections.Generic.List[PSCustomObject]]::new()
        AccessibleObjects = @{}
    }

    # Ignore administrative shares (C$, ADMIN$, IPC$): their Type has the high bit (2147483648) set
    # Ignore shares in $IgnoreShares
    foreach ($Share in $Shares | ? {$_.Type -lt 2147483648} | ? {$_.Name -notin $IgnoreShares}) {
        $ShareObject = [PSCustomObject]@{
            Name = $Share.Name
            Description = $Share.Description
            LocalPath = $Share.Path
            ACL = [System.Collections.ArrayList]::new()
        }

        $ShareSecurity = Get-WMIObject -Class Win32_LogicalShareSecuritySetting -Filter "name='$($Share.Name)'"
        if($Null -ne $ShareSecurity){
            Try{
                $SecurityDescriptor = $ShareSecurity.GetSecurityDescriptor().Descriptor

                foreach($AccessControl in $SecurityDescriptor.DACL){

                    $UserName = $AccessControl.Trustee.Name
                    $Trustee = $AccessControl.Trustee

                    If ($Trustee.Domain -ne $Null) {
                        $UserName = "$($Trustee.Domain)\$UserName"
                    }

                    # Unresolvable (orphaned) SIDs have no name; keep the SID string instead
                    If ($Trustee.Name -eq $Null) {
                        $UserName = $Trustee.SIDString
                    }

                    $ShareObject.ACL.Add(
                        [System.Security.AccessControl.FileSystemAccessRule]::new(
                            $UserName,
                            $AccessControl.AccessMask,
                            $AccessControl.AceType
                        )
                    ) | Out-Null
                }

                # Only add network share if it contains a risk user/group
                $Match = $False
                Foreach($IdentityReference in $ShareObject.ACL.IdentityReference.Value){
                    Foreach($Pattern in $RiskPrincipals){
                        if($IdentityReference -Match $Pattern){
                            $Match = $True
                        }
                    }
                }
                if($Match){
                    $ReturnObject.NetworkShares.Add($ShareObject)
                }
                Else {
                    Write-Verbose "No match for risky groups, not adding"
                }

            }
            Catch{
                Write-Error $_
            }
        }
        Else {
            Write-Information "No permissions found for $($Share.Name) on $env:COMPUTERNAME"
        }

    }
    # Get all files from NetworkShares where a principal from $RiskPrincipals has either read or write access
    $ReturnObject.NetworkShares | Foreach {
        $ReturnObject.AccessibleObjects[$_.Name] = Invoke-AccessChk -Path $_.LocalPath -Principals $RiskPrincipals -AcceptEula:$AcceptEula
    }

    # Done! Let's return the returnobject:
    $ReturnObject
}

# Passed with -ArgumentList to Invoke-Command because the remote session doesn't have access to our variable space.
$InvokeParam = @{
    RiskPrincipals = $RiskPrincipals
    IgnoreShares = $IgnoreShares
    AcceptEula = $AcceptEula
}

# Start jobs
$Job = Invoke-Command -AsJob -ComputerName $Computers -ArgumentList $InvokeParam -ScriptBlock $Scriptblock

# Wait for jobs to finish
$Job | Wait-Job

# Collect data from our job only (Get-Job would also pick up unrelated jobs in the session)
$Output = $Job | Receive-Job

# Output the output into a CSV
$ToCSV = Foreach($Result in $Output){

    Foreach($Key in $Result.AccessibleObjects.Keys) {

        # Calculated properties for Select-Object to get the data out of $Result.AccessibleObjects
        # The downside of working a lot with hashtables
        $ReadAccess = @{
            Name='ReadAccess'
            Expression={
                $Base = $_.Access
                ($Base.Keys | ? {$Base[$_].Read}) -join ","
            }
        }

        $WriteAccess = @{
            Name='WriteAccess'
            Expression={
                $Base = $_.Access
                ($Base.Keys | ? {$Base[$_].Write}) -join ","
            }
        }

        # Select from AccessibleObjects and create properties for the principals with ReadAccess and WriteAccess.
        # ComputerName is included so the fix-up step can pick the rows that belong to the server it runs on.
        $Result.AccessibleObjects[$Key] | Select @{Name='ComputerName';Expression={$Result.ComputerName}},@{Name='ShareName';Expression={$Key}},Path,$ReadAccess,$WriteAccess
    }
}
# Export the CSV
$ToCSV | Export-Csv -Path .\ShareAccessReport.csv -NoTypeInformation

When the PowerShell jobs finish, the script produces a full report of the access held by the principals in the $RiskPrincipals variable, one row per file or folder.
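Because AccessChk recurses, a single ACE granting Everyone access on a folder shows up once per file underneath it, so the CSV can run to thousands of rows that all stem from one place. The following is an added example, not code from the original article: it collapses report rows to the highest path at which each principal's access first appears, so every finding is handled once, at the folder that hands the permission down. The sample rows are constructed to mirror the columns of ShareAccessReport.csv; the function name Get-AccessRoot is an assumption.

```powershell
# Added example, not part of the original article: collapse the per-file report rows
# to the highest path at which each principal's access first appears.
# The rows below are constructed to mirror the columns of ShareAccessReport.csv.
$SampleRows = @(
    [PSCustomObject]@{ ComputerName='Server-1'; ShareName='demoshare'; Path='C:\demoshare';                     ReadAccess='BUILTIN\Users';          WriteAccess='BUILTIN\Users' }
    [PSCustomObject]@{ ComputerName='Server-1'; ShareName='demoshare'; Path='C:\demoshare\File1.txt';           ReadAccess='BUILTIN\Users';          WriteAccess='BUILTIN\Users' }
    [PSCustomObject]@{ ComputerName='Server-1'; ShareName='demoshare'; Path='C:\demoshare\Folder1';             ReadAccess='BUILTIN\Users';          WriteAccess='BUILTIN\Users' }
    [PSCustomObject]@{ ComputerName='Server-1'; ShareName='demoshare'; Path='C:\demoshare\Folder1\picture.png'; ReadAccess='BUILTIN\Users';          WriteAccess='' }
    [PSCustomObject]@{ ComputerName='Server-1'; ShareName='demoshare'; Path='C:\demoshare\Folder1\Folder2';     ReadAccess='BUILTIN\Users,Everyone'; WriteAccess='Everyone' }
)

function Get-AccessRoot {
    param([Parameter(Mandatory)][object[]]$Report)

    # Index rows by computer + path (case-insensitive, as NTFS paths are) so a child can find its parent row
    $ByPath = @{}
    foreach ($Row in $Report) {
        $ByPath["$($Row.ComputerName)|$($Row.Path.TrimEnd('\').ToLowerInvariant())"] = $Row
    }

    foreach ($Row in $Report) {
        $Parent = [System.IO.Path]::GetDirectoryName($Row.Path.TrimEnd('\'))
        $ParentRow = $null
        if ($Parent) {
            $ParentRow = $ByPath["$($Row.ComputerName)|$($Parent.TrimEnd('\').ToLowerInvariant())"]
        }

        # No parent in the report: this row is where the access is granted
        if ($null -eq $ParentRow) { $Row; continue }

        # Turn the comma-joined principal lists back into arrays
        $Read        = @($Row.ReadAccess        -split ',' | Where-Object { $_ })
        $Write       = @($Row.WriteAccess       -split ',' | Where-Object { $_ })
        $ParentRead  = @($ParentRow.ReadAccess  -split ',' | Where-Object { $_ })
        $ParentWrite = @($ParentRow.WriteAccess -split ',' | Where-Object { $_ })

        # Keep only what the parent does not already grant; drop the row if nothing is new
        $NewRead  = @($Read  | Where-Object { $_ -notin $ParentRead })
        $NewWrite = @($Write | Where-Object { $_ -notin $ParentWrite })
        if ($NewRead.Count -eq 0 -and $NewWrite.Count -eq 0) { continue }

        [PSCustomObject]@{
            ComputerName = $Row.ComputerName
            ShareName    = $Row.ShareName
            Path         = $Row.Path
            ReadAccess   = $NewRead  -join ','
            WriteAccess  = $NewWrite -join ','
        }
    }
}

# With the sample rows this leaves two findings: C:\demoshare (Users read and write) and
# C:\demoshare\Folder1\Folder2 (Everyone read and write). The other three rows only repeat their parent.
Get-AccessRoot -Report $SampleRows | Format-Table -AutoSize

# Against the real report:
# Get-AccessRoot -Report (Import-Csv -Path .\ShareAccessReport.csv) | Export-Csv .\ShareAccessRoots.csv -NoTypeInformation
```

This is a heuristic over the report's contents, not a reading of the inheritance flags: AccessChk's output does not say whether an ACE is inherited or explicit. Before removing anything at a parent, confirm with Get-Acl that the children's matching rules have IsInherited set; an explicit ACE on a child that happens to equal the parent's will survive a fix made at the parent.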

Fixing Windows share permissions

After you review the CSV and find the permissions that need adjusting, there are two ways to correct them. If there are only a few, the quickest way is the GUI. If there are thousands, the following script uses the CSV output to speed this along:

# This needs to run locally on the server with the file share.

$UserToRemove = 'Guest'
$CSV = Import-Csv -Path .\ShareAccessReport.csv
$CSV | ? {$_.ComputerName -eq $env:COMPUTERNAME} | Foreach {
    $Path = $_.Path
    $ACL = Get-Acl -LiteralPath $Path
    # Compare without the domain/authority prefix; RemoveAccessRule only removes explicit ACEs
    $ACL.Access | ? {($_.IdentityReference.Value -replace '.*\\') -eq $UserToRemove} | Foreach {
        $ACL.RemoveAccessRule($_) | Out-Null
    }
    # Get-Acl returns a copy; nothing changes on disk until Set-Acl writes it back
    Set-Acl -LiteralPath $Path -AclObject $ACL
}

This PowerShell script removes every explicit ACE for the Guest security principal from the paths in the report. It does not touch inherited ACEs: those have to be removed on the folder that grants them, or inheritance has to be broken on the child first.
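For a remediation you can run over the whole report, you want to handle inherited ACEs, keep a copy of the original descriptor for rollback, and be able to dry-run. The following added example (not from the original article) does that for one principal; the function name Remove-PrincipalAccess, the principal used in the usage call and the backup file path are assumptions.

```powershell
# Added example, not part of the original article: remove every ACE for one principal from a path,
# including inherited ones, with an SDDL backup and -WhatIf support.
# Run locally on the file server as an administrator.
function Remove-PrincipalAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Path,
        [Parameter(Mandatory)]
        [string]$Principal,                       # e.g. 'Everyone' or 'BUILTIN\Users'
        [string]$BackupFile = '.\AclBackup.tsv'  # one line per path: path<TAB>original SDDL
    )
    process {
        $ShortName = $Principal -replace '^.*\\'   # compare without the domain/authority prefix
        $Acl = Get-Acl -LiteralPath $Path
        $Rules = @($Acl.Access | Where-Object { ($_.IdentityReference.Value -replace '^.*\\') -eq $ShortName })
        if ($Rules.Count -eq 0) { return }

        # Under -WhatIf this prints what would happen and stops before any write
        if (-not $PSCmdlet.ShouldProcess($Path, "Remove $($Rules.Count) ACE(s) for $Principal")) { return }

        # Keep the original descriptor so the change can be reverted
        "$Path`t$($Acl.Sddl)" | Add-Content -LiteralPath $BackupFile

        if ($Rules.IsInherited -contains $true) {
            # RemoveAccessRule ignores inherited ACEs. Protect the DACL while keeping copies of the
            # inherited rules as explicit ones, write that back, then re-read so they can be removed.
            $Acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $Path -AclObject $Acl
            $Acl = Get-Acl -LiteralPath $Path
            $Rules = @($Acl.Access | Where-Object { ($_.IdentityReference.Value -replace '^.*\\') -eq $ShortName })
        }

        foreach ($Rule in $Rules) { [void]$Acl.RemoveAccessRule($Rule) }
        Set-Acl -LiteralPath $Path -AclObject $Acl
    }
}

# Dry run over the report for paths on this server where the principal can write; drop -WhatIf to apply.
Import-Csv -Path .\ShareAccessReport.csv |
    Where-Object { $_.ComputerName -eq $env:COMPUTERNAME -and $_.WriteAccess -match 'Everyone' } |
    Remove-PrincipalAccess -Principal 'Everyone' -WhatIf
```

Two things to keep in mind. The filter matches both Allow and Deny rules for the principal, as "remove all permissions" implies; add `$_.AccessControlType -eq 'Allow'` to the Where-Object if Deny ACEs must stay. And breaking inheritance is a lasting change: the path stops following its parent, so later fixes at the parent no longer reach it. To roll back a path, read its line from the backup file, call $Acl.SetSecurityDescriptorSddlForm($Sddl) on a fresh Get-Acl result and write it with Set-Acl.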

The first report usually brings a lot of work, because it will uncover many oddities and risks in your Windows share permissions. But running a scan like this regularly, especially against shares that hold sensitive information, pays off in the end.
