Windows Attributes
License: PRO+ (Professional Edition or higher)
Plugin Type: Post-Index Plugin
Author: Diskover Data, Inc.
Overview
The Windows Attributes post-index plugin extracts Windows Discretionary Access Control Lists (DACLs) from files and directories and updates the windacls field in an existing Diskover Elasticsearch index. This plugin runs after indexing is complete, making it ideal for enriching existing indices with Windows permission data.
This plugin enables organizations to:
Add Windows DACL permission data to indices created on non-Windows systems
Target specific files or directories for DACL collection using Elasticsearch queries
Perform security audits and compliance verification on previously indexed data
Support distributed architectures where indexing happens on Linux while Windows security collection happens on a Windows worker
Use Cases
Post-Hoc Security Enrichment
Add DACL information to indices that were created without Windows security data. This is particularly useful when you have existing Diskover indices created by a Linux crawler scanning CIFS/SMB shares that contain file metadata but lack Windows permission information.
Selective DACL Collection
Target specific files or directories for DACL extraction using Elasticsearch queries. For example, you might only need DACL information for sensitive directories like Finance, HR, or Legal—not the entire index. This reduces processing time and focuses security auditing on high-value data.
Distributed Architecture
Separate indexing (on Linux) from Windows security collection (on a Windows worker). This allows you to leverage fast Linux-based crawling while still capturing Windows-specific permission data through a dedicated Windows machine with access to the same file shares.
Security Auditing
Find permission issues such as overly permissive ACLs, orphaned SIDs from deleted accounts, and explicit DENY entries. The plugin enables you to search for files accessible by "Everyone," identify files with Full Control granted to broad groups, and detect other security concerns.
Compliance Verification
Document access controls for regulatory compliance requirements including SOX, HIPAA, PCI-DSS, GDPR, and GxP frameworks. The indexed DACL data allows you to create saved searches, generate reports, and export evidence for auditors.
Sample data from a Windows Attributes execution:
Here we can see the entire list of ACLs returned from the Windows Attributes plugin! Additionally your Windows File Owner / Group are harvested as part of this plugin.
Understanding Windows Security
Unlike Unix systems with their simple owner/group/other permission model, Windows uses Access Control Lists (ACLs) that provide fine-grained security control with unlimited access control entries per file, 14+ distinct permission types, complex inheritance models, and explicit DENY support.
Key Concepts
Security Identifiers (SIDs) are unique identifiers that represent security principals (users, groups, computers) in Windows environments. When an account is deleted or belongs to an untrusted domain, the SID may appear in search results instead of the account name (e.g., S-1-5-21-1234567890-987654321-111222333-1001).
DACLs (Discretionary Access Control Lists) are ordered lists of Access Control Entries (ACEs) that determine who can access an object and what operations they can perform.
ACEs (Access Control Entries) specify a trustee (user/group), an ACE type (Allow, Deny, or Audit), an access mask (permissions), and inheritance flags.
Permission Levels
The plugin formats permissions using standard Windows notation:
Symbol | Name | Description |
|---|---|---|
F | Full Control | Complete control over the object |
M | Modify | Read, write, execute, delete (cannot change permissions) |
RX | Read & Execute | Read contents and run executables |
R | Read | View contents only |
W | Write | Modify contents only |
D | Delete | Delete the object |
N | No Access | No permissions |
When permissions don't match a standard level, granular rights are displayed (e.g., RD, WD, AD, X, DC).
Inheritance Flags
Inheritance flags control how permissions propagate from parent containers to child objects:
Flag | Name | Description |
|---|---|---|
(I) | Inherited | This ACE was inherited from a parent container |
(OI) | Object Inherit | ACE applies to files in this folder |
(CI) | Container Inherit | ACE applies to subfolders |
(IO) | Inherit Only | ACE does not apply to this object, only to children |
(NP) | No Propagate | Inheritance stops at first level of children |
ACE String Format
Each entry in the windacls field follows this format:
trustee:(flags)(rights)
For example: ACME\Domain Admins:(I)(OI)(CI)(F) means the Domain Admins group has inherited Full Control that applies to the folder, subfolders, and files.
Installation
Prerequisites
Component | Requirement |
|---|---|
Platform | Windows only |
Python | 3.9 or higher |
Diskover | Core installation with plugin support |
Elasticsearch | 7.x or 8.x (as supported by Diskover) |
License | Diskover Professional or higher |
Python Dependencies
The plugin requires the pywin32 Python library to interface with Windows file metadata.
Windows Installation:
python -m pip install pywin32 python -m pywin32_postinstall -install
Verify Installation
Confirm the plugin is installed correctly by checking the version:
Windows:
python "C:\Program Files\Diskover\plugins_postindex\diskover_winattrib\diskover_winattrib.py" --version
Long Path Support
If processing files with paths longer than 260 characters, enable Windows long path support:
Open Group Policy Editor (
gpedit.msc)Navigate to: Computer Configuration > Administrative Templates > System > Filesystem
Enable "Enable Win32 long paths"
Restart the computer
Alternatively, set via registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name "LongPathsEnabled" -Value 1
Configuration
Configuration is managed through the Diskover Admin Panel at Plugins > Post Index > Windows Attributes.
Sample Configuraiton in Diskover Admin:
Here is the beginning of our sample configuration There are many other configuraitons for the Windows Attributes plugin - covered in detail below!
Configuration Parameters
Parameter | Type | Default | Description |
|---|---|---|---|
| int |
| Maximum number of threads for processing. Set to |
| string |
| Additional Elasticsearch query to filter which files/directories to process. This is AND'd with the base query. |
| bool |
| Enable path translation from index paths to Windows paths. |
| string |
| Source path prefix to replace (from index). |
| string |
| Destination path prefix (Windows path). |
| bool |
| Include domain prefix in trustee names (e.g., |
| bool |
| Store SID string if account name cannot be resolved. If |
Configuration Examples
Basic Configuration
Collect DACLs for all files with default settings:
{
"max_threads": 4,
"other_query": "",
"replace_paths": {
"enable": false,
"from_path": "",
"to_path": ""
},
"inc_domain": true,
"use_sid": true
}
Cross-Platform Path Translation
For indices created on Linux scanning CIFS shares, configure path translation so the Windows worker can locate files:
{
"max_threads": 8,
"other_query": "",
"replace_paths": {
"enable": true,
"from_path": "/mnt/nas/data",
"to_path": "\\\
as-server\\data"
},
"inc_domain": true,
"use_sid": true
}
Selective DACL Collection
Target only specific directories to reduce processing time:
{
"max_threads": 4,
"other_query": "parent_path:*Finance* OR parent_path:*HR* OR parent_path:*Legal*",
"replace_paths": {
"enable": false,
"from_path": "",
"to_path": ""
},
"inc_domain": true,
"use_sid": true
}
Recent Files Only
Process only files modified in the last 30 days:
{
"max_threads": 4,
"other_query": "mtime:{now-30d TO now}",
"replace_paths": {
"enable": false,
"from_path": "",
"to_path": ""
},
"inc_domain": true,
"use_sid": true
}
High-Performance Configuration
For large indices with many files:
{
"max_threads": 16,
"other_query": "",
"replace_paths": {
"enable": false,
"from_path": "",
"to_path": ""
},
"inc_domain": false,
"use_sid": true
}
Setting inc_domain: false can improve performance by reducing string processing.
Execution
Manual Execution
Run the plugin from the command line to process a specific index.
Windows:
Field | Value |
|---|---|
Command |
|
Arguments |
|
Example:
python "C:\Program Files\Diskover\plugins_postindex\diskover_winattrib\diskover_winattrib.py" diskover-2025.01.15.index
Command-Line Options
Option | Description |
|---|---|
| Use a named configuration defined in Diskover Admin Panel |
| Auto-find most recent index based on top path |
| Enable verbose logging (shows per-file processing details) |
| Very verbose logging (debug level) |
| Print plugin version and exit |
| Show help message and exit |
Process latest index for a specific top path:
python "C:\Program Files\Diskover\plugins_postindex\diskover_winattrib\diskover_winattrib.py" -l /mnt/nas/data
Use a named configuration:
python "C:\Program Files\Diskover\plugins_postindex\diskover_winattrib\diskover_winattrib.py" -c finance_audit diskover-2025.01.15.index
Enable verbose logging:
python "C:\Program Files\Diskover\plugins_postindex\diskover_winattrib\diskover_winattrib.py" -v diskover-2025.01.15.index
Automated Execution via Custom Task
Schedule the plugin to run automatically using Diskover's Custom Task scheduler.
Sample Custom Task Configuration:
Here we can see the Run Command & args needed for the Custom Task - Note that in this case you cannot use the {indexname} variable as this is not a task that creates an index, so we must use the -l (toppath) CLI option and pass in our top path!
Windows Custom Task Configuration:
Field | Value |
|---|---|
Task Name | Windows Attributes |
Command |
|
Arguments |
|
Schedule | Configure based on your requirements |
Automated Execution via Post-Crawl Command
Configure the plugin to run automatically after an index task completes.
Sample Post-Crawl Command configuraiton for Windows Attributes executing with an Index Task:
In your system ensure to replace the ConfigurationName above with a named configuraiton that you’ve created at Diskover Admin → Plugins → Post-Index → Windows Attributes – If you are not using a custom configuration and you’re just using Default than the -c flag and the ConfigurationName is not required!
Windows Example:
Field | Value |
|---|---|
Post-Crawl Command |
|
Post-Crawl Command Args |
|
Available Index Task Tokens:
{indexname}— The name of the index that was just created
Important:
The Post-Crawl Command field should contain ONLY the executable (e.g.,
python)All script paths, flags, and arguments go in the Post-Crawl Command Args field
Never reference crontab or local cron/Task Scheduler configurations for automated execution
Expected Output
During execution, the plugin displays progress statistics:
2025-01-15 10:30:15,123 - INFO - Starting diskover windows attributes ... 2025-01-15 10:30:15,234 - INFO - Updating index mappings for windacls field in diskover-2025.01.15.index... 2025-01-15 10:30:15,456 - INFO - Done. 2025-01-15 10:30:15,567 - INFO - Started 4 windows attrib processing threads 2025-01-15 10:30:15,678 - INFO - Searching and queuing docs from index diskover-2025.01.15.index... 2025-01-15 10:30:18,789 - INFO - STATS (docs processed 1500 (15.0%), docs in queue 500, elapsed 0:00:03, perf 500.000 docs/s, memory usage 125 MB) ... 2025-01-15 10:33:15,456 - INFO - *** Elapsed time 0:03:00 *** 2025-01-15 10:33:15,567 - INFO - *** Total files/folders (ES docs): 10000 *** 2025-01-15 10:33:15,678 - INFO - *** Files/folders processed Win attrib OK: 9850 *** 2025-01-15 10:33:15,789 - INFO - *** Files/folders processed Win attrib ERROR: 150 ***
Reviewing the Output
Where to Find Results
After the plugin completes, the windacls field is populated in the Elasticsearch index. You can view this data in:
Diskover Web UI - Search results display the windacls field when present
Elasticsearch - Query the index directly to see raw windacls data
Diskover Reports - Create reports based on windacls search criteria
Understanding the Results
Each document's windacls field contains an array of ACE strings. For example:
{
"windacls": [
"ACME\\Domain Admins:(I)(OI)(CI)(F)",
"ACME\\Finance Team:(I)(OI)(CI)(M)",
"ACME\\jsmith:(OI)(CI)(F)",
"NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)",
"BUILTIN\\Administrators:(I)(OI)(CI)(F)"
]
}
This shows that Domain Admins and SYSTEM have inherited Full Control, the Finance Team has inherited Modify access, and user jsmith has explicit Full Control on this file.
Identifying Successful Execution
A successful run will show:
"Files/folders processed Win attrib OK" count close to the total document count
Minimal "Files/folders processed Win attrib ERROR" count
No critical errors in the log output
Identifying Problems
Watch for these indicators of issues:
High error count in final statistics
"No such file or directory" warnings (path translation may be misconfigured)
"Access is denied" warnings (service account lacks permissions)
SIDs appearing instead of account names (deleted accounts or domain connectivity issues)
Searching in Diskover
The plugin creates/updates the windacls field which supports both exact matching and full-text search.
Basic DACL Searches
Find files with DACL data:
windacls:*
Find files without DACL data:
NOT windacls:*
Find files with a specific user in DACL:
windacls:*jsmith*
Find files with domain-prefixed user:
windacls:*ACME\\jsmith*
Security Audit Searches
Find files with explicit DENY entries:
windacls:*DENY*
Find files where Everyone has access:
windacls:*Everyone*
Find files where Everyone has Full Control:
windacls:*Everyone*(F)
Find files where Everyone has write permissions:
windacls:*Everyone*(W) OR windacls:*Everyone*(M) OR windacls:*Everyone*(F)
Find files with orphaned SIDs (deleted accounts):
windacls:*S-1-5-21-*
Find files where Guests have access:
windacls:*Guests*
Inheritance Analysis
Find files with inherited permissions:
windacls:*(I)*
Find files with explicit (non-inherited) permissions:
windacls:* AND NOT windacls:*(I)*
Permission Level Searches
Find files with Full Control granted:
windacls:*(F)
Find files with Modify permissions:
windacls:*(M)
Find files with Read-only access:
windacls:*(R)
Combined Searches
Find large files with Everyone access:
windacls:*Everyone* AND size:>=1073741824
Find executable files with broad permissions:
extension:(exe OR dll OR bat OR ps1) AND windacls:*Everyone*
Find files in Finance directory with DENY entries:
parent_path:*Finance* AND windacls:*DENY*
Find recently modified files with orphaned SIDs:
mtime:[now-7d TO now] AND windacls:*S-1-5-21-*
Find directories with overly permissive settings:
type:directory AND windacls:*Everyone*(F)
Full-Text DACL Searches
Use the analyzed text field for partial matching:
windacls.text:domain admin
Troubleshooting
pywin32 Not Installed
Symptom: Error "No module named 'win32security'" when plugin starts.
Resolution:
python -m pip install pywin32
python -m pywin32_postinstall -install
python -c "import win32security; print('Success')"
Access Denied Errors
Symptom: Log shows "Error getting dacl security info: <path> (Access is denied)"
Resolution:
Verify the service account running the plugin has Read permissions on the target files
Check if files are encrypted (EFS) or protected by Windows Resource Protection
Grant read access:
icacls "D:\path\to\directory" /grant "SERVICE_ACCOUNT:(OI)(CI)(R)" /T
SID Resolution Failures
Symptom: DACL entries show SIDs like S-1-5-21-xxx instead of account names.
Common Causes:
Account has been deleted from Active Directory
Account is from an untrusted domain
Domain controller is unreachable
Resolution:
With
use_sid: true(default), SIDs are stored for reference and remain searchableSearch for orphaned SIDs:
windacls:*S-1-5-21-*Document orphaned SIDs for security team review
Path Translation Issues
Symptom: Log shows "No such file or directory" for all files.
Resolution:
Verify
replace_pathsconfiguration is correctRemember backslashes must be escaped in JSON (
\\\\for\\)Test the path translation manually:
$indexPath = "/mnt/nas/data/Finance/report.xlsx" $windowsPath = $indexPath.Replace("/mnt/nas/data", "\\fileserver\share").Replace("/", "\") Test-Path $windowsPath
Long Path Problems
Symptom: Files with paths >260 characters fail with errors.
Resolution:
Enable long path support via Group Policy or registry (see Installation section)
Restart the computer after enabling
Performance Issues
Symptom: Plugin runs slowly or processes few documents per second.
Resolution:
Increase thread count in configuration (
max_threads: 16)Reduce scope with query filtering (
other_query)Disable domain prefix for faster processing (
inc_domain: false)Check network latency to file server
Support
Last Updated: April 2026
Comments
0 comments
Please sign in to leave a comment.