Educause Security Discussion mailing list archives

Re: RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing


From: "Miller, Don C." <donm () UIDAHO EDU>
Date: Wed, 24 Feb 2010 12:45:53 -0800

I forgot to mention you can use icacls to audit permissions for your filesystem.  JRB Software has their jrbutils for 
AD/NetWare and the NetWare filesystem tools can export as cacls/icacls commands (if I remember correctly).  We opted 
against this to comply with permission control policies with the university.

Don

-----Original Message-----
From: Miller, Don C. 
Sent: Wednesday, February 24, 2010 11:53 AM
To: The EDUCAUSE Security Constituent Group Listserv
Subject: RE: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing

We only allow permissions to be set at a specific level in our shared content and it must be group-based.  This was to 
address the exact problem below with migrating from NetWare to a non-NetWare NTFS-aware solution.  This rigid control 
also allows our first level support to be able to assess permissions simply by group membership without any rights to 
the filesystem.  We also use a common prefix for our 'shared spaces' of ss- groups.  We try to follow Microsoft's AGDLP, 
so the "ss" groups are DL and we nest functional global groups.

Example:
User: jvandal
Group Members: helpdesk-employees
Shared Space Group: ss-filesystem1-helpdesk (helpdesk-employees is a member)
Rights are assigned to ss-filesystem1-helpdesk

The Help Desk can easily view the nested "ss-" groups for jvandal to identify all the shared spaces he has access to.  
This requires not allowing any permission controls for end users.  We have a method for delegating group management to 
owners in each department via our self-service web tools.

Our migration, last year, with this method went smoothly.  The only trouble was saying "no" to customers who previously 
had very odd organizing habits for their shared spaces.

The other side benefit is that the ss- groups are mail-enabled, so we can easily send email to specific share/folder users.

Don Miller
University of Idaho

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
Sent: Tuesday, February 23, 2010 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing

Hello All,

On Tue, Feb 23, 2010 at 2:02 AM, Chris Green <cmgreen () uab edu> wrote:
Try:

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx

AD does do a good job of displaying what GROUPS someone is a member of, so if you can enforce that most permissions are 
done by group, you can take care of most of your typical edge cases.  However, it just takes one lazy ACL to get that 
to be a "scan everything".

On the same topic, anyone know a simple way to do similar for SharePoint?

I've never used this, but I think it does what you both need:

<http://www.scriptlogic.com/products/enterprisesecurityreporter/>

Having said that, we use group-based share permissions.  So we don't really mess with NTFS.  It puts more of the onus 
on central IT for the initial setup, but we know/think it's done right.

Thanks,
Will

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, Keith
Sent: Monday, February 22, 2010 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novell File Sharing

TOPIC:  Security and File Sharing using Microsoft Active Directory (AD)

I apologize for resending this message.  The first time my Subject line was the generic date/time of issue of the 
current Security Digest and not about the topic of the text I posted.

We implement file sharing with Novell but will soon be migrating off of Novell and implementing file sharing with AD. 
With Novell file sharing, the files/folders a user has access to are attributes of the user's Novell account (under 
the "Memberships" and "Rights to Files/Folders" tabs).  So it is very easy to find out what shared files/folders a 
user has access to just by looking at what is recorded in the user's individual Novell account information.  BUT when 
implementing file sharing with AD, the designation of what files/folders a user has access to is an attribute of each 
file or folder (at Properties->Security tab).  So with AD file sharing it is extremely difficult to know what 
files/folders an individual user has access to without going to each shared file/folder in the system and looking to 
see if the user has access to it.  HELP!

QUESTION:  Is there a utility or a methodology out there somewhere that can be run against an AD file sharing 
implementation that I can execute with "user ID" variable that will generate a report of what files/folders the 
specified "user ID" has access to?

Thanks for any help you can give.  If you just want to contact me directly, my contact information is below.

Keith Conlee, CISSP, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599

Ph. - 630.942.3055
Fax. - 630.790.0325




--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
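As an added example (not code from this thread, nor from icacls, jrbutils or any other tool named in it), the following Python script combines the two ideas Don describes to answer Keith's question for one user ID: it parses the text output of an icacls audit run and resolves nested AGDLP group membership (user in a global group, global group nested in a domain-local "ss-" group that carries the NTFS rights). Both inputs are constructed samples: the ICACLS_DUMP string imitates the layout icacls prints for a share tree (path, then one ACE per line with continuation lines indented past the path), and GROUP_MEMBERS stands in for what an AD group-membership query would return; the domain name UIDAHO, the D:\Shares paths and the user and group names are assumed, borrowed from Don's example. The access decision follows canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), which is the reason the explicit deny on the archive folder beats the allow jvandal inherits through the ss- group.

```python
"""Report which shared folders a user ID can reach by combining an icacls
permission dump with nested AD group membership (AGDLP style).  Added example
for this thread; ICACLS_DUMP and GROUP_MEMBERS are constructed inputs."""
import re
from collections import defaultdict, deque

# Constructed sample in icacls's layout: the path, then one ACE per line with
# continuation lines indented to len(path)+1.  (I)=inherited, (OI)/(CI)=inherit
# to files/subfolders, (IO)=inherit-only, (DENY)=deny ACE; the last
# parenthesised group is the rights (F, M, RX, ...).
ICACLS_DUMP = r"""D:\Shares\Help Desk UIDAHO\ss-filesystem1-helpdesk:(OI)(CI)(M)
                    BUILTIN\Administrators:(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
D:\Shares\Help Desk\archive UIDAHO\jvandal:(DENY)(F)
                            UIDAHO\ss-filesystem1-helpdesk:(I)(OI)(CI)(M)
                            BUILTIN\Administrators:(I)(OI)(CI)(F)
D:\Shares\finance UIDAHO\ss-filesystem1-finance:(OI)(CI)(M)
D:\Shares\public Everyone:(OI)(CI)(RX)

Successfully processed 4 files; Failed processing 0 files
"""

# Constructed AGDLP nesting: users in global groups, global groups nested in
# the domain-local "ss-" groups, and only the "ss-" groups appear in the ACLs.
GROUP_MEMBERS = {
    r"UIDAHO\helpdesk-employees": {r"UIDAHO\jvandal", r"UIDAHO\asmith"},
    r"UIDAHO\ss-filesystem1-helpdesk": {r"UIDAHO\helpdesk-employees"},
    r"UIDAHO\finance-staff": {r"UIDAHO\bjones"},
    r"UIDAHO\ss-filesystem1-finance": {r"UIDAHO\finance-staff"},
}

# One ACE: a trustee (well-known multi-word name or DOMAIN\name), ':' and one
# or more parenthesised flag groups.
ACE_RE = re.compile(
    r"^(?P<trustee>(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|\S+)(?:\\.+)?)"
    r":(?P<flags>(?:\([^)]*\))+)$"
)


def split_path_line(line, next_line):
    """Split the first line of an icacls entry into (path, ace).  The next
    line's indent (len(path)+1) recovers the path even when it has spaces;
    otherwise scan for the first space after which the rest parses as an ACE."""
    indent = len(next_line) - len(next_line.lstrip(" "))
    if indent > 1 and line[indent - 1:indent] == " " and ACE_RE.match(line[indent:]):
        return line[:indent - 1], line[indent:]
    for i, ch in enumerate(line):
        if ch == " " and ACE_RE.match(line[i + 1:]):
            return line[:i], line[i + 1:]
    raise ValueError(f"unparseable icacls line: {line!r}")


def parse_icacls(dump):
    """Return {path: [(trustee, [flag, ...]), ...]} from icacls text output."""
    acls = defaultdict(list)
    lines = [l for l in dump.splitlines()
             if l.strip() and not l.startswith("Successfully processed")]
    path = None
    for i, line in enumerate(lines):
        if line[:1] == " ":                      # continuation ACE for `path`
            ace = line.strip()
        else:                                    # first line of a new entry
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            path, ace = split_path_line(line, nxt)
        m = ACE_RE.match(ace)
        if not m:
            raise ValueError(f"unparseable ACE: {ace!r}")
        acls[path].append((m["trustee"], re.findall(r"\(([^)]*)\)", m["flags"])))
    return dict(acls)


def security_tokens(principal, group_members):
    """Transitive closure of nested group membership, the walk the help desk
    does by hand over the "ss-" groups.  'Everyone' is implicit."""
    parents = defaultdict(set)
    for group, members in group_members.items():
        for member in members:
            parents[member].add(group)
    tokens, queue = {principal, "Everyone"}, deque([principal])
    while queue:
        for group in parents[queue.popleft()]:
            if group not in tokens:
                tokens.add(group)
                queue.append(group)
    return tokens


def access_for(tokens, aces):
    """Rights of the first ACE, in canonical order (explicit deny, explicit
    allow, inherited deny, inherited allow), naming one of the principal's
    tokens; None when denied or unmatched.  Simplification: Windows accumulates
    allowed rights bit by bit, but first-match is enough for a has-access
    report.  Inherit-only ACEs do not apply to the folder itself."""
    ordered = sorted(aces, key=lambda a: ("I" in a[1], "DENY" not in a[1]))
    for trustee, flags in ordered:
        if trustee in tokens and "IO" not in flags:
            return None if "DENY" in flags else flags[-1]
    return None


def report(user, dump=ICACLS_DUMP, group_members=GROUP_MEMBERS):
    """Map every folder in the dump to the rights `user` has on it."""
    tokens = security_tokens(user, group_members)
    return {path: access_for(tokens, aces)
            for path, aces in parse_icacls(dump).items()}
```

Running `report(r"UIDAHO\jvandal")` on the sample gives M on D:\Shares\Help Desk (through helpdesk-employees nested in ss-filesystem1-helpdesk), RX on D:\Shares\public via Everyone, and no access on the finance folder or on the archive subfolder, where the explicit deny wins. To use it for real, feed the script the captured output of an icacls run over the share root and a group graph pulled from AD; the AGDLP discipline Don describes is what keeps that graph small enough to be readable.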
