Re: Periodic reviews of Windows file shares

[Frank Barton <bartonf () HUSSON EDU>]

We're effectively doing the same thing as Mandi

the one thing that we did find, is that for folks with multiple folders on
the same volume (we make extensive use of DFS) if they move files or
folders, it doesn't reset the permissions, so we have scheduled icacl
scripts that just do through the root-level folders enforcing the
permissions

Frank

On Fri, Jan 4, 2019 at 2:38 PM Mandi Witkovsky <witkovsm () pfw edu> wrote:

> We’re on the tail end of a massive audit of our network shares, so I feel
> your pain.  For the last 5 years (for as long as we have had a dedicated
> security & identity team) we have ensured that for any new folder
> creations, we were granting access via a unique security group only at the
> root level folder.  Prior to that, access was granted pretty much
> willy-nilly at any level of the folder structure, sometimes using a group
> but sometimes based on OU or username.  Basically whatever changes our
> users asked for were carried out, more or less unquestioned.  What a mess
> that was to keep track of.
>
>
>
> Our cleanup process entailed getting a report of the current access
> controls for all folders (mapped as drive letter “O”) and then for anything
> that was outside of our current standard (one root folder, one group) we
> “fixed the glitch”.   In some cases, this meant creating a new root level
> folder with a new security group.  In other cases, we removed the
> extraneous permissions and ensured the membership of the group was
> appropriate.  It was a lot of work but it leaves us in a better place.
>
>
>
> From this point forward, audits should be much easier.  All our groups are
> named a certain way (o-foldername) and the group’s description indicates
> owner, purpose, and department.  Running a report of access controls should
> show whether access is being granted only at the root level, and then it’s
> a matter of contacting owners to make sure the folder is still needed and
> the membership is correct.  And breaking the fingers of any sys admin that
> grants access on a subdirectory.  J
>
>
>
> We’re a relatively small central IT shop, and we just don’t have the
> manpower to properly maintain complicated file permissions for every
> department on campus.  We made one exception for a department that has
> their own IT technician and a very complicated set of folder permissions
> which they wanted to maintain.  For this we laid down the ground rules and
> gave them the access to manage it on their own.
>
>
>
> mandi
>
>
>
>
>
> Mandi Witkovsky
> Manager of Security and Identity
>
> Information Technology Services
> Purdue University Fort Wayne
>
> witkovsm () pfw edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Security Community Group Listserv <
> SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Jared Evans
> *Sent:* Friday, January 4, 2019 10:23 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Periodic reviews of Windows file shares
>
>
>
> What are some of your best practices or recommendations on how to
> effectively conduct periodic access control reviews of large Windows file
> shares, which can span many folders and groups?
>
>
>
> While we keep track and document any access control changes to the shares
> over time, we would also like to conduct reviews of how the access to the
> shares are actually set.  A comprehensive report listing all the access
> control settings of file shares would be massive and I would like to see if
> there are any other approaches I can undertake for quick and effective
> reviews.
>
>
>
> --
>
> [image:
> https://docs.google.com/uc?export=download&id=0B06ctamGLs2hSzVkWTREblhkS0E&revid=0B06ctamGLs2hcERDbFA5bHFLY01XU0VLV2Z0Z3VGR1dQY25ZPQ]
>
> Jared Evans
> Information Security Officer
> Gallaudet Technology Services
> Gallaudet University
>
> jared.evans () gallaudet edu


-- 
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University