Security Basics mailing list archives

Re: Access Management on file shares and client-server apps


From: krymson () gmail com
Date: Tue, 22 Nov 2011 21:51:14 GMT

Yes, you're absolutely right. I hadn't meant to say, specifically, that you don't have to back up your practices with 
actual ACL scanning. I was entirely relying on the idea that you only do it by groups/AD manipulation and nothing else.

And yet, even then you want to verify...!

:) Thanks for fixing that for me, Ansgar!


<- snip ->

On 2011-11-14 krymson (at) gmail (dot) com [email concealed] wrote:
Including "desktop client-server applications" may confuse the issue
quite a bit. I'll read this as: You want to find a way to audit and
maybe track changes to permissions settings on Microsoft folders.
(I'll ignore share permissions, since share permissions should just be
open and NTFS is where you should be explicit; but that itself is an
arguable viewpoint...)

It's been years since I used it, but I always liked ScriptLogic's
Enterprise Security Reporter. It should be able to scan a folder
location, interrogate the NTFS permissions, and generate a nice report
that tells you all the effective permissions. I can't comment on how
it tracks changes.

If you're good about managing NTFS permissions properly by never
assigning explicit AD *user accounts* permissions to folders and
instead only assigning AD *groups* (that users are members of) to
folders, you could get away with just interrogating AD groups and
memberships. At that point you'll be looking at Active Directory
change management/audit tools that tell you when new groups are made
and when those groups are modified with new or removed users (or track
user changes similarly).

Monitoring changes to AD groups is not sufficient if the task is to
track changes to permissions on files or folders. Even if you properly
handle access through group memberships, there's still the possibility
that permissions for some group were added to or revoked from a file or
folder.

If you want to track changes to permissions, SACLs are the way to go
(see e.g. [1]). If you want to analyze the current permissions, there is
a variety of tools you can use, like ntfsacls [2], DumpSec [3], or my
own script AuditACLs.vbs [4] (if you'll forgive the shameless plug).

[1] http://www.windowsitpro.com/article/permissions/auditing-permission-changes-on-a-folder
[2] http://www.coopware.in2.info/_ntfsacl.htm
[3] http://www.systemtools.com/somarsoft/
[4] http://www.planetcobalt.net/sdb/auditacls.shtml

Regards
Ansgar Wiechers
-- 
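The two points in the thread, that group-only ACL assignment still has to be verified by scanning the actual NTFS ACLs, and that SACLs are what record permission changes, can be checked together with a short script. The following PowerShell is an added example written for this archive page; it is not code from the thread, from AuditACLs.vbs or from any of the tools named above. It assumes a domain-joined host, an elevated session (reading SACLs needs SeSecurityPrivilege), and the hypothetical parameter name `-Path`. It walks a folder tree, lists every explicit (non-inherited) ACE, classifies the principal as a user or a group by binding to AD with its SID, and reports folders that carry explicit ACEs but have no audit entries in their SACL.

```powershell
# Added example (not from the thread or any tool it mentions).
# Assumes: domain-joined host, elevated session, PowerShell 3.0 or later.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # hypothetical parameter name: root of the tree to audit
)

# Classify an ACE's principal by resolving its SID to an AD object.
# Local accounts and well-known SIDs do not bind in AD and are reported as 'Unresolved'.
function Get-PrincipalKind {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid   = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj   = [ADSI]"LDAP://<SID=$sid>"
        # objectClass is a chain such as top/person/organizationalPerson/user; the last entry is the concrete class
        $class = $obj.objectClass | Select-Object -Last 1
        switch ($class) {
            'user'  { return 'User' }
            'group' { return 'Group' }
            default { return "Other($class)" }
        }
    } catch {
        return 'Unresolved'
    }
}

# Root folder plus every subfolder beneath it
$folders = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

$results = foreach ($dir in $folders) {
    # -Audit also returns the SACL (the Audit property), which is what records permission changes
    $acl = Get-Acl -LiteralPath $dir.FullName -Audit

    # Only explicit ACEs matter here; inherited ones are already covered by the parent's report
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }
    foreach ($ace in $explicit) {
        [pscustomobject]@{
            Path          = $dir.FullName
            Identity      = $ace.IdentityReference.Value
            Kind          = Get-PrincipalKind $ace.IdentityReference
            Type          = $ace.AccessControlType     # Allow / Deny
            Rights        = $ace.FileSystemRights
            AuditRules    = @($acl.Audit).Count        # number of SACL entries on this folder
            InheritanceOn = -not $acl.AreAccessRulesProtected
        }
    }
}

# Full listing of explicit ACEs
$results | Sort-Object Path | Format-Table Path, Identity, Kind, Type, Rights, AuditRules -AutoSize

# Violations of the "groups only, never user accounts" rule from the thread
"`nExplicit ACEs granted directly to user accounts (should be groups):"
$results | Where-Object { $_.Kind -eq 'User' } | Format-Table Path, Identity, Type, Rights -AutoSize

# Folders whose permissions are customised but whose changes would not be audited
"`nFolders with explicit ACEs but no audit (SACL) entries:"
$results | Where-Object { $_.AuditRules -eq 0 } | Select-Object -ExpandProperty Path -Unique
```

Run it as `.\Audit-FolderAcl.ps1 -Path D:\Shares\Finance` (script name assumed). Note that SACL entries only produce events when the "Audit File System" (object access) policy is enabled on the file server, so an empty "no audit entries" list is necessary but not sufficient for change tracking; the first list is the one that exposes drift from a groups-only model regardless of how carefully AD group membership is monitored.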
