Educause Security Discussion mailing list archives
Re: Periodic reviews of Windows file shares
From: Frank Barton <bartonf () HUSSON EDU>
Date: Fri, 4 Jan 2019 14:54:20 -0500
We're effectively doing the same thing as Mandi. The one thing that we did find is that for folks with multiple folders on the same volume (we make extensive use of DFS), if they move files or folders, it doesn't reset the permissions, so we have scheduled icacls scripts that just go through the root-level folders enforcing the permissions.

Frank

On Fri, Jan 4, 2019 at 2:38 PM Mandi Witkovsky <witkovsm () pfw edu> wrote:

We're on the tail end of a massive audit of our network shares, so I feel your pain. For the last 5 years (for as long as we have had a dedicated security & identity team) we have ensured that for any new folder creations, we were granting access via a unique security group only at the root-level folder. Prior to that, access was granted pretty much willy-nilly at any level of the folder structure, sometimes using a group but sometimes based on OU or username. Basically whatever changes our users asked for were carried out, more or less unquestioned. What a mess that was to keep track of.

Our cleanup process entailed getting a report of the current access controls for all folders (mapped as drive letter "O") and then, for anything that was outside of our current standard (one root folder, one group), we "fixed the glitch". In some cases, this meant creating a new root-level folder with a new security group. In other cases, we removed the extraneous permissions and ensured the membership of the group was appropriate. It was a lot of work, but it leaves us in a better place.

From this point forward, audits should be much easier. All our groups are named a certain way (o-foldername) and the group's description indicates owner, purpose, and department. Running a report of access controls should show whether access is being granted only at the root level, and then it's a matter of contacting owners to make sure the folder is still needed and the membership is correct. And breaking the fingers of any sys admin that grants access on a subdirectory. :)

We're a relatively small central IT shop, and we just don't have the manpower to properly maintain complicated file permissions for every department on campus. We made one exception for a department that has their own IT technician and a very complicated set of folder permissions which they wanted to maintain. For this we laid down the ground rules and gave them the access to manage it on their own.

mandi

Mandi Witkovsky
Manager of Security and Identity
Information Technology Services
Purdue University Fort Wayne
witkovsm () pfw edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jared Evans
Sent: Friday, January 4, 2019 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Periodic reviews of Windows file shares

What are some of your best practices or recommendations on how to effectively conduct periodic access control reviews of large Windows file shares, which can span many folders and groups? While we keep track of and document any access control changes to the shares over time, we would also like to conduct reviews of how the access to the shares is actually set. A comprehensive report listing all the access control settings of file shares would be massive, and I would like to see if there are any other approaches I can undertake for quick and effective reviews.

Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu
-- Frank Barton, MBA Security+, ACMT, MCP IT Systems Administrator Husson University
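The two replies above describe one review standard (access granted only at the root folder, through a single group named o-foldername) and one drift source (moves within a volume keep their old ACL, fixed by a scheduled icacls job). The script below is an added example, not code posted by Frank, Mandi or any of the institutions in the thread. It walks a share root, reports every ACE that breaks the standard, and with -Enforce resets offending subfolders to inherited permissions with icacls /reset. The share root D:\Shares, the domain CORP, the group prefix o- and the allowed administrative principals are assumptions for illustration.

```powershell
<#
  Added example (not from the thread): audit a share tree against the
  "one root folder, one group, granted only at the root" standard, and
  optionally reset stray subfolder ACLs the way a scheduled icacls job would.

  Assumptions (hypothetical, not from the thread):
    - share root D:\Shares, one department folder per subdirectory
    - access groups named CORP\o-<foldername>
    - SYSTEM and Administrators are the only other explicit root ACEs allowed
#>
param(
    [string]$ShareRoot = 'D:\Shares',   # assumption
    [string]$Domain    = 'CORP',        # assumption
    [switch]$Enforce,                   # actually run icacls /reset on offending subfolders
    [string]$ReportCsv                  # optional: write findings to CSV for the owner review
)

$allowedRootPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Path, [string]$Identity, [string]$Rights, [string]$Issue) {
    $findings.Add([pscustomobject]@{ Path = $Path; Identity = $Identity; Rights = $Rights; Issue = $Issue })
}

foreach ($root in Get-ChildItem -LiteralPath $ShareRoot -Directory) {
    $expectedGroup = "$Domain\o-$($root.Name)"
    $rootAcl = Get-Acl -LiteralPath $root.FullName

    # 1. Root level: every explicit (non-inherited) ACE must be the folder's own
    #    o-group or an allowed administrative principal. A missing o-group is flagged too.
    $explicitRoot = @($rootAcl.Access | Where-Object { -not $_.IsInherited })
    if (-not ($explicitRoot | Where-Object { $_.IdentityReference.Value -eq $expectedGroup })) {
        Add-Finding $root.FullName $expectedGroup '' 'Expected o-group is not granted at the root'
    }
    foreach ($ace in $explicitRoot) {
        $id = $ace.IdentityReference.Value
        if ($id -ne $expectedGroup -and $allowedRootPrincipals -notcontains $id) {
            Add-Finding $root.FullName $id $ace.FileSystemRights "Non-standard principal at root (expected $expectedGroup)"
        }
    }

    # 2. Below the root: any explicit ACE (allow or deny) or disabled inheritance is a
    #    violation, whether a sysadmin added it or a move within the volume carried it in.
    foreach ($sub in Get-ChildItem -LiteralPath $root.FullName -Directory -Recurse -ErrorAction SilentlyContinue) {
        $subAcl = Get-Acl -LiteralPath $sub.FullName
        $explicit = @($subAcl.Access | Where-Object { -not $_.IsInherited })
        if ($subAcl.AreAccessRulesProtected) {
            Add-Finding $sub.FullName '' '' 'Inheritance disabled on subfolder'
        }
        foreach ($ace in $explicit) {
            Add-Finding $sub.FullName $ace.IdentityReference.Value $ace.FileSystemRights 'Explicit ACE below root'
        }
        if ($Enforce -and ($subAcl.AreAccessRulesProtected -or $explicit.Count -gt 0)) {
            # Replace the subtree's ACLs with the defaults inherited from the root.
            # /T recurses, /C continues past errors, /Q suppresses per-file success messages.
            & icacls.exe $sub.FullName /reset /T /C /Q | Out-Null
        }
    }
}

if ($ReportCsv) { $findings | Export-Csv -LiteralPath $ReportCsv -NoTypeInformation }
$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it read-only first against the DFS target path rather than the namespace path, since Get-Acl and icacls act on the underlying NTFS folder. The report is the short list a reviewer actually needs (only deviations from the standard, not every ACL on the share), which is what makes a periodic review of a large share tractable. -Enforce needs an account with Full Control or ownership of the tree, and it removes access that a moved folder carried with it, so a team that still needs that data gets a new root folder and o-group rather than a subfolder ACE.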