Security Basics mailing list archives

RE: Designing file server file/folder structure.


From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Tue, 21 Oct 2008 10:36:04 -0500

Good morning,

I received some great advice; thank you for that.
To the person letting me know he is willing to help if I pay him;
thanks, but no thanks.

There were some suggestions recommending various "software solutions".
While there are a great many pieces of software out there I have yet to
come across anything that improves on basic NTFS permissions.
In my opinion, if you can't keep your permissions straight, a tool will
likely not be the better long term choice. I am fairly confident the
mess I am looking at is the result of people not understanding what they
are dealing with. Of course, there are very valid exceptions. I just
don't look at 3rd party software to begin with. The recommendations for
ABE and Cacls.exe are appreciated, and I don't view them as solutions but
rather as tools.

I was also (off-list) sent a spreadsheet layout of permissions. Noting
it is a 95% mirror of what I have created for myself, it is comforting to
know others are doing the same thing. Thanks Grayling.

Murda, I thought about your Venn diagram but thinking 3 steps ahead made
my head spin. When everyone has access to almost the same files it
becomes one big blob! I ended up spreadsheeting access to folders down to
groups and users. Took me a day but at least it has show and tell value
when I go cry on my manager's shoulder in desperation.
The user part is what is tremendously difficult here. It is almost a
universal law that nothing can be expected from the end users here.
We have a very functional sneakernet because end users are never to
experience anything unknown, meaning late nights of double checking
changes to workstations.

Another off-list suggestion was to create groups for each department and
base access to folders on these.

I cleaned up our AD environment about 2 years back by now.
It was an equal mess created/maintained by the same people responsible
for the file server "design".
I ended up with something like the following for one domain hosting two
physical locations.

   Domain
        |__Department1Grp
                |___ManagementGrp
                                |________Site1Grp
                                |               |___EmployeeLvl1Grp
                                |               |___EmployeeLvl2Grp
                                |
                                |________Site2Grp
                                                |___EmployeeLvl1Grp
                                                |___EmployeeLvl2Grp

This is simplified but a basic overview. An identical layout exists for
all departments and group memberships are designed to allow for great
functionality. Getting to the point we are now has significantly reduced
helpdesk tickets related to oversights in user creation etc.
I have groups dedicated to folder permissions as well.
For example, a group granting access to the Marketing Drive has group
members like EmployeeLvl1Grp and I can therefore be fairly granular.

In conclusion to this rather long blurb, I am thinking the following for
simple folder security.
A shared "Departments" drive with all departments listed. Each
department subfolder is accessible by everyone. Subfolders of individual
departments are managed individually with only the owning department as
the default allowed group.

Thank you to everyone.

Nick

-  -----Original Message-----
-  From: listbounce () securityfocus com
-  [mailto:listbounce () securityfocus com] On Behalf Of Nick Vaernhoej
-  Sent: Monday, October 06, 2008 3:35 PM
-  To: security-basics () securityfocus com
-  Subject: Designing file server file/folder structure.
-
-  Hi,
-
-  I have a request for ideas about how to design the folder structure on
-  a Win2K3/NTFS share.
-  What we have inherited is a D:\ drive with a number of folders named
-  according to departments, each folder is then mapped to a drive letter
-  in a logon script.
-  Each department has access to their own drive in addition to a drive
-  everyone has access to.
-
-  Now about 10 years have passed and just about everyone has access to
-  just about all shares because at some point an individual needed access
-  to a file or two within a department drive where they don't initially
-  belong. Perhaps the file needed access to was too sensitive to be placed
-  on the company share.
-
-  So, after pushing for a long time I am finally making some headway in
-  acceptance of redoing the layout.
-
-  Ideally we end up with department folders accessible only to department
-  staff, but beyond this any layout I can think of doesn't scale well.
-  My thought is to begin a folder structure where folders are named based
-  on who has access, like:
-  "DepartmentA - DepartmentB"
-  If permissions are set right you only get to see folders where you have
-  files related to what you do. However, with 20 departments or so, what
-  happens when seven'ish departments need access to a file? Folder names
-  become quite long and I doubt this scales well should the company grow
-  significantly.
-
-  The server holds roughly 1.2TB of miscellaneous flat file data. Word
-  docs, excel spreadsheets, PDF's etc. etc. Nothing fancy. And we are a
-  Windows shop.
-
-  What works for others?
-  Do you at some point lean back and say I can't get permissions as
-  granular as I like without being a serious nuisance to the end users?
-
-  I feel this is rather trivial but I can't seem to come up with a
-  solution that is somewhat future proof.
-
-  Thank you
-
-  Nick

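
The folder layout proposed at the end of the message above, sketched as an added PowerShell example that is not part of the original post. The root path, the `EXAMPLE` domain, the department list and the `<Dept>-Folder-RW` permission groups are hypothetical; it reads "accessible by everyone" as list access for Authenticated Users, and it is meant for newly created folders that carry no explicit ACEs yet.

```powershell
# Added example. Root path, domain, department list and group names are assumptions.
$Root   = 'D:\Departments'
$Domain = 'EXAMPLE'
$Departments = @{                       # department -> initial subfolders (hypothetical)
    'Marketing' = @('Campaigns', 'Budget')
    'Finance'   = @('Payroll', 'Reports')
}
$Everyone = 'NT AUTHORITY\Authenticated Users'
$Tree     = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

function New-Rule([string]$Identity, [string]$Rights, [string]$Inherit) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

function Set-FolderAcl([string]$Path, [bool]$Protect, $Rules) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    # Protect = stop inheriting from the parent and drop the inherited ACEs.
    if ($Protect) { $acl.SetAccessRuleProtection($true, $false) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

$admins = @( (New-Rule 'BUILTIN\Administrators' 'FullControl' $Tree),
             (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $Tree) )
$browse = New-Rule $Everyone 'ReadAndExecute' 'None'     # this folder only, not inherited

# Root: admins everywhere, everyone may list the department names.
Set-FolderAcl $Root $true ($admins + $browse)

foreach ($dept in $Departments.Keys) {
    $deptPath = Join-Path $Root $dept
    Set-FolderAcl $deptPath $false @($browse)            # everyone can open the department folder
    # Dedicated folder-permission group; role groups such as EmployeeLvl1Grp are its members.
    $owner = New-Rule "$Domain\$dept-Folder-RW" 'Modify' $Tree
    foreach ($sub in $Departments[$dept]) {
        # Subfolder: inheritance cut, only the owning department (plus admins) by default.
        Set-FolderAcl (Join-Path $deptPath $sub) $true ($admins + $owner)
    }
}

# Read back every ACE as rows, the same folder/group view as the spreadsheet.
Get-ChildItem $Root -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $p = $_.FullName
    (Get-Acl $p).Access |
        Select-Object @{n='Folder';e={$p}}, IdentityReference, FileSystemRights, IsInherited
} | Format-Table -AutoSize
```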

