Security Basics mailing list archives
RE: Designing file server file/folder structure.
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Tue, 21 Oct 2008 10:36:04 -0500
Good morning,

I received some great advice, thank you for that. To the person letting me know he is willing to help if I pay him: thanks, but no thanks.

There were some suggestions recommending various "software solutions". While there are a great many pieces of software out there, I have yet to come across anything that improves on basic NTFS permissions. In my opinion, if you can't keep your permissions straight, a tool will likely not be the better long-term choice. I am fairly confident the mess I am looking at is the result of people not understanding what they are dealing with. Of course, there are very valid exceptions. I just don't look at 3rd party software to begin with. The recommendations for ABE and Cacls.exe are appreciated, and I don't view them as solutions but rather as tools.

I was also (off-list) sent a spreadsheet layout of permissions. Noting it is a 95% mirror of what I have created for myself, it is comforting to know others are doing the same thing. Thanks Grayling.

Murda, I thought about your Venn diagram but thinking 3 steps ahead made my head spin. When everyone has access to almost the same files it becomes one big blob! I ended up spreadsheeting access to folders down to groups and users. Took me a day, but at least it has show-and-tell value when I go cry on my manager's shoulder in desperation.

The user part is what is tremendously difficult here. It is almost a universal law that nothing can be expected from the end users here. We have a very functional sneakernet because end users are never to experience anything unknown, meaning late nights of double-checking changes to workstations.

Another off-list suggestion was to create groups for each department and base access to folders on these. I cleaned up our AD environment about 2 years back by now. It was an equal mess created/maintained by the same people responsible for the file server "design". I ended up with something like the following for one domain hosting two physical locations.
Domain
|__Department1Grp
   |___ManagementGrp
   |___Site1Grp
   |   |___EmployeeLvl1Grp
   |   |___EmployeeLvl2Grp
   |___Site2Grp
       |___EmployeeLvl1Grp
       |___EmployeeLvl2Grp

This is simplified but a basic overview. An identical layout exists for all departments, and group memberships are designed to allow for great functionality. Getting to the point we are at now has significantly reduced helpdesk tickets related to oversights in user creation etc.

I have groups dedicated to folder permissions as well. For example, a group granting access to the Marketing Drive has group members like EmployeeLvl1Grp, and I can therefore be fairly granular.

In conclusion to this rather long blurb, I am thinking the following for simple folder security. A shared "Departments" drive with all departments listed. Each department subfolder is accessible by everyone. Subfolders of individual departments are managed individually with only the owning department as the default allowed group.

Thank you to everyone.

Nick

> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
> Sent: Monday, October 06, 2008 3:35 PM
> To: security-basics () securityfocus com
> Subject: Designing file server file/folder structure.
>
> Hi,
>
> I have a request for ideas about how to design the folder structure on a Win2K3/NTFS share.
> What we have inherited is a D:\ drive with a number of folders named according to departments; each folder is then mapped to a drive letter in a logon script.
> Each department has access to their own drive in addition to a drive everyone has access to.
>
> Now about 10 years have passed and just about everyone has access to just about all shares, because at some point an individual needed access to a file or two within a department drive where they don't initially belong. Perhaps the file needing access was too sensitive to be placed on the company share.
>
> So, after pushing for a long time I am finally making some headway in acceptance of redoing the layout.
>
> Ideally we end up with department folders accessible only to department staff, but beyond this any layout I can think of doesn't scale well.
> My thought is to begin a folder structure where folders are named based on who has access, like:
> "DepartmentA - DepartmentB"
> If permissions are set right you only get to see folders where you have files related to what you do. However, with 20 departments or so, what happens when seven'ish departments need access to a file? Folder names become quite long and I doubt this scales well should the company grow significantly.
>
> The server holds roughly 1.2TB of miscellaneous flat file data. Word docs, Excel spreadsheets, PDFs etc. etc. Nothing fancy. And we are a Windows shop.
>
> What works for others?
> Do you at some point lean back and say I can't get permissions as granular as I like without being a serious nuisance to the end users?
>
> I feel this is rather trivial but I can't seem to come up with a solution that is somewhat future proof.
>
> Thank you
>
> Nick

This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please notify the sender that this message was received in error and then delete this message. Thank you.
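The three-tier layout Nick settles on (a "Departments" share everyone can list, department folders everyone can open, subfolders that default to the owning department's group, with extra access layered on through dedicated folder-permission groups) is straightforward to express as NTFS ACLs. The following is an added PowerShell example, not code from the thread or from any of its participants. It drives icacls.exe, which shipped with Server 2003 SP2 and later, and everything concrete in it is an assumption for illustration: the domain name CORP, the root path D:\Departments, the department list, and the group naming scheme (CORP\<Dept>-Drive-Modify for the department's own access group, CORP\<Dept>-<Subfolder>-Read for per-subfolder exceptions).

```powershell
# Added example, not from the thread. Builds the "Departments" share layout
# and applies group-based NTFS ACLs with icacls.exe. All names below are
# assumptions: domain CORP, path D:\Departments, department and group names.
#
# ACL model:
#   D:\Departments             Authenticated Users: RX, this folder only
#   D:\Departments\<Dept>      Authenticated Users: RX, this folder only
#                              CORP\<Dept>-Drive-Modify: Modify, inherited below
#   D:\Departments\<Dept>\<X>  inherits only the department group; any extra
#                              access comes from a dedicated group such as
#                              CORP\<Dept>-<X>-Read granted on that folder.
# The *-Drive-Modify groups are where the AD tree plugs in: for example
# CORP\Marketing-Drive-Modify would contain Marketing's EmployeeLvl groups.

$Root   = 'D:\Departments'
$Domain = 'CORP'
$Layout = @{
    'Finance'   = @('Invoices', 'Budgets')
    'Marketing' = @('Campaigns', 'Artwork')
}
# Per-subfolder exceptions (assumed): other departments get read access via a
# dedicated group instead of being added to the department's own group.
$Exceptions = @{
    'Marketing\Artwork' = @{ Group = 'Marketing-Artwork-Read'; Rights = 'RX' }
}

function Set-FolderAce {
    # Grants one ACE with icacls. Without -Inherit the ACE has no (OI)(CI)
    # flags, so it applies to this folder only and does not flow downward.
    param([string]$Path, [string]$Principal, [string]$Rights, [switch]$Inherit)
    $flags = if ($Inherit) { '(OI)(CI)' } else { '' }
    & icacls.exe $Path /grant:r "${Principal}:${flags}${Rights}" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path for $Principal" }
}

function Initialize-AclRoot {
    # Creates the folder, cuts inheritance from the parent so nothing from
    # D:\ leaks in, and re-adds the administrative ACEs explicitly.
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    & icacls.exe $Path /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to reset $Path" }
}

Initialize-AclRoot $Root
# Everyone may list the department names; this ACE deliberately does not inherit.
Set-FolderAce $Root 'NT AUTHORITY\Authenticated Users' 'RX'

foreach ($dept in $Layout.Keys) {
    $deptPath = Join-Path $Root $dept
    Initialize-AclRoot $deptPath
    Set-FolderAce $deptPath 'NT AUTHORITY\Authenticated Users' 'RX'
    Set-FolderAce $deptPath "$Domain\${dept}-Drive-Modify" 'M' -Inherit

    foreach ($sub in $Layout[$dept]) {
        $subPath = Join-Path $deptPath $sub
        New-Item -ItemType Directory -Path $subPath -Force | Out-Null
        # Subfolders keep inheritance, so only the department group arrives here.
        $key = "$dept\$sub"
        if ($Exceptions.ContainsKey($key)) {
            $e = $Exceptions[$key]
            Set-FolderAce $subPath "$Domain\$($e.Group)" $e.Rights -Inherit
        }
    }
}

function Find-BroadWriteAccess {
    # Check: list every folder under $Path where a broad principal holds
    # more than read. After a clean run this should return nothing.
    param([string]$Path)
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$Domain\Domain Users")
    Get-ChildItem -Path $Path -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            $rights = [string]$ace.FileSystemRights
            if ($broad -contains $ace.IdentityReference.Value -and
                $rights -match 'Modify|FullControl|Write') {
                "$($_.FullName): $($ace.IdentityReference) has $rights"
            }
        }
    }
}

Find-BroadWriteAccess $Root
```

Two design points worth noting. First, the Authenticated Users ACE on each department folder is granted without (OI)(CI), so it never reaches the subfolders; that is what makes "only the owning department by default" hold without per-subfolder work. Second, because users who are not in a department's group have no read ACE on its subfolders, Access-Based Enumeration (the ABE mentioned earlier in the thread) will hide those subfolders from them, so the "you only see what you can use" goal comes from the ACLs rather than from encoding access in folder names. The Find-BroadWriteAccess check at the end is the audit to re-run periodically; it is the ten-years-of-one-off-exceptions drift described in the original post that it is meant to catch.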
Current thread:
- Designing file server file/folder structure. Nick Vaernhoej (Oct 06)
- RE: Designing file server file/folder structure. Murda Mcloud (Oct 07)
- Re: Designing file server file/folder structure. Kurt Buff (Oct 07)
- RE: Designing file server file/folder structure. Nick Vaernhoej (Oct 21)