User access and permissions to data are excessive, especially within network file share infrastructure, due in large part to the highly complex and error-prone processes administrators have been forced to navigate over the years. Adding insult to injury, in most organizations the location of sensitive data within shared file systems is largely unknown, which is a problem given that this type of data is a target in virtually every breach scenario.
Securing a file share isn’t too difficult if you can collect the right data. The goal should be to follow the principle of least privilege: limit the access rights and permissions users have to the data to the lowest level possible, while avoiding any impact on users’ ability to do their jobs.
Assuming you’ve already identified the file share or shares you want to secure, here are 8 steps to help you go from an unmanageable situation to the real-world instantiation of a least privilege access model.
Start by reviewing the share’s Access Control List (ACL) and record each User and Group object listed, noting whether each entry is explicit to this share or inherited from a parent folder. Be sure to review each Group carefully, expanding the Group’s membership as deeply as needed to obtain a complete view of every User within each Group and Nested Group.
Next, take inventory of the permissions each User and Group has been given to the share. Unless special permissions have been applied, one or more of the following permission levels will be set to “Allow” or “Deny”: Full control, Modify, Read & execute, List folder contents, Read, and Write.
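The ACL review and permission inventory above can be done from a PowerShell session on a domain-joined admin workstation. The script below is an added example and is not code from the original post or from StealthAUDIT; the domain name CORP, the share path \\fs01\Finance and the output file name are assumptions. It reads the share’s DACL, expands every AD group it finds down through nested groups, and records each entry’s rights, Allow/Deny type and whether it is inherited.

```powershell
# Added example, not code from the original post or from StealthAUDIT.
# Assumes the RSAT ActiveDirectory module, a domain named CORP and a share at
# \\fs01\Finance (all hypothetical). Run as an account that can read the DACL.
Import-Module ActiveDirectory

function Expand-GroupMembers {
    # Return the SamAccountName of every user inside a group, following nested
    # groups to any depth. $Seen guards against circular nesting (A contains B,
    # B contains A), which would otherwise recurse forever.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($GroupName)) { return }
    $Seen[$GroupName] = $true
    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group') {
            Expand-GroupMembers -GroupName $m.SamAccountName -Seen $Seen
        } else {
            $m.SamAccountName
        }
    }
}

$Share = '\\fs01\Finance'
$acl   = Get-Acl -Path $Share

$inventory = foreach ($ace in $acl.Access) {
    # IdentityReference looks like 'CORP\Finance-Users' or 'NT AUTHORITY\SYSTEM'
    $id   = $ace.IdentityReference.Value
    $name = $id.Split('\')[-1]
    # Well-known principals (SYSTEM, Authenticated Users, Everyone) are not AD
    # objects, so the lookup returns nothing and they are left unexpanded.
    $adObj = Get-ADObject -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
    $users = if ($adObj -and $adObj.ObjectClass -eq 'group') {
        @(Expand-GroupMembers -GroupName $name | Sort-Object -Unique)
    } else {
        @($name)
    }
    [pscustomobject]@{
        Identity  = $id
        Type      = $ace.AccessControlType   # Allow or Deny
        Rights    = $ace.FileSystemRights    # FullControl, Modify, ReadAndExecute, ... (a number for generic rights)
        Inherited = $ace.IsInherited         # explicit on this folder, or inherited from a parent
        Users     = ($users -join ';')
    }
}

$inventory | Format-Table Identity, Type, Rights, Inherited -AutoSize
$inventory | Export-Csv -Path .\Finance-acl-inventory.csv -NoTypeInformation
```

Two things to watch when running this at scale: Get-ADGroupMember stops with a size-limit error on groups of more than 5,000 members (the Active Directory Web Services default), so very large groups need a paged LDAP query instead, and an ACE that resolves to a numeric FileSystemRights value is a generic right such as GENERIC_READ that Windows has not yet mapped, which is worth recording as-is rather than guessing at.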
Understanding the data you’re dealing with helps tremendously in determining the proper outcome when securing Windows or NAS file shares. Take inventory of meaningful file attributes like file Type, Date Modified, Authors, and Tags. If possible, also scan the files for sensitive information of various types, including Personally Identifiable Information (PII), credit card numbers, Social Security or national identity numbers, health records, and more. Don’t forget about images: they can just as easily contain sensitive information, and addressing them en masse requires OCR scanning capability.
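A minimal version of the content scan for plain-text files, as an added example that is not code from the original post or from StealthAUDIT (the share path and output file name are assumptions). It looks for two of the data types named above, credit card numbers and US Social Security numbers, and runs a Luhn checksum on card-number candidates so that phone numbers, invoice IDs and similar digit runs are not reported. Office documents, PDFs and images need a content extractor or OCR in front of this step.

```powershell
# Added example, not code from the original post or from StealthAUDIT.
# Share path and report name are hypothetical.
function Test-Luhn {
    # Luhn checksum: genuine card numbers pass it; most random digit strings fail it.
    param([Parameter(Mandatory)][string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits.Substring($i, 1)
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$patterns = [ordered]@{
    CreditCard = '\b(?:\d[ -]?){12,15}\d\b'   # 13-16 digits with optional space/dash separators
    SSN        = '\b\d{3}-\d{2}-\d{4}\b'
}
$Share   = '\\fs01\Finance'
$textExt = '*.txt', '*.csv', '*.log', '*.xml', '*.json'

$hits = Get-ChildItem -Path $Share -Recurse -File -Include $textExt | ForEach-Object {
    $file = $_
    foreach ($kind in $patterns.Keys) {
        $found = Select-String -Path $file.FullName -Pattern $patterns[$kind] -AllMatches
        foreach ($line in $found) {
            foreach ($m in $line.Matches) {
                $digits = $m.Value -replace '\D', ''
                # Drop card-number candidates that fail the checksum to cut false positives
                if ($kind -eq 'CreditCard' -and -not (Test-Luhn $digits)) { continue }
                [pscustomobject]@{
                    File     = $file.FullName
                    Type     = $kind
                    Line     = $line.LineNumber
                    Modified = $file.LastWriteTime
                    Sample   = $m.Value.Substring(0, 4) + '****'   # never write the full value to a report
                }
            }
        }
    }
}

$hits | Group-Object File | Select-Object Name, Count
$hits | Export-Csv -Path .\Finance-sensitive-data.csv -NoTypeInformation
```

The report deliberately stores only a masked sample of each match: a scan that copies full card or identity numbers into a CSV has just created another sensitive file on the share.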
One of the most critical steps in securing a file share is understanding how users are interacting with the data and the specific operations they’re performing. It’s quite common for many users to have access to data at varying permission levels, but it’s also common to discover that most users are not using the access or permissions they have. By observing file activity over time and comparing it to the original list of users who have access and their permission levels, you can quickly determine who needs access and at which permission level. Two practical caveats: Windows file servers do not record file access by default, so object access auditing (an audit policy plus a SACL on the share) or a comparable monitoring tool must be in place before the observation window starts; and the window must be long enough to cover periodic work such as month-end or year-end processing, or the users who perform it will look idle.
The resulting list of users should be broken into two categories: those who need only Read access and those who need Read and Write access.
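The classification itself is a small join between the entitlement list from the ACL review and the observed activity. The script below is an added example and is not code from the original post or from StealthAUDIT. Its input is a constructed sample shaped like Windows Security event 4663 (file system object access) records already flattened to user, object, access and time; in production you would build it from Get-WinEvent against the file server or from your audit tool’s export. The entitlement list is also constructed.

```powershell
# Added example, not code from the original post or from StealthAUDIT.
# $activity is a constructed sample resembling flattened 4663 events; the
# "Accesses" values are the access-mask strings Windows writes in that event.
$activity = @'
User,ObjectName,Accesses,Time
CORP\alice,\\fs01\Finance\Q1\budget.xlsx,ReadData (or ListDirectory),2022-03-01T09:10:00
CORP\alice,\\fs01\Finance\Q1\budget.xlsx,WriteData (or AddFile),2022-03-01T09:12:00
CORP\bob,\\fs01\Finance\Q1\budget.xlsx,ReadData (or ListDirectory),2022-03-02T14:00:00
CORP\carol,\\fs01\Finance\old\2019.csv,DELETE,2022-03-05T11:30:00
CORP\bob,\\fs01\Finance\policies.pdf,ReadData (or ListDirectory),2022-03-09T08:45:00
'@ | ConvertFrom-Csv

# Everyone the expanded ACL says has access (constructed; the output of the ACL review)
$entitled = 'CORP\alice', 'CORP\bob', 'CORP\carol', 'CORP\dave', 'CORP\erin'

function Get-RequiredLevel {
    # Any write-type access in the window means the user needs ReadWrite; otherwise Read.
    param([string[]]$Accesses)
    if ($Accesses -match 'WriteData|AddFile|AppendData|DELETE|WriteAttributes|WriteEA') {
        'ReadWrite'
    } else {
        'Read'
    }
}

$observed = $activity | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User   = $_.Name
        Level  = Get-RequiredLevel -Accesses $_.Group.Accesses
        Events = $_.Count
    }
}

$readUsers      = ($observed | Where-Object Level -eq 'Read').User
$readWriteUsers = ($observed | Where-Object Level -eq 'ReadWrite').User
# Entitled but never seen in the window: candidates for losing access entirely
$unused         = $entitled | Where-Object { $_ -notin $observed.User }

"Read:      $($readUsers -join ', ')"
"ReadWrite: $($readWriteUsers -join ', ')"
"Unused:    $($unused -join ', ')"
```

With the sample above, bob lands in Read, alice and carol in ReadWrite, and dave and erin in the unused list. Note that carol is classified as ReadWrite on the strength of a single DELETE; if the data shows a user performing only destructive operations on old files, that is worth a conversation before the group is populated rather than a blind grant.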
The best way to achieve and maintain fine-grained control over any resource is through the use of Resource-Based Groups. As opposed to Role-Based Groups (combining like individuals into generalized groups that are commonly used across many resources), Resource-Based Groups are only to be used for supplying access to one specific resource. In this case, a file share.
It is recommended to create at least three Resource-Based Groups per share, using a consistent and understandable naming convention. For instance:
Using the list you derived from the preceding steps (the ACL review, permission inventory, data inventory, and activity analysis), populate the Read and ReadWrite groups with the appropriate Users.
NOTE: All users that had access previously but never used their access have been eliminated from group membership consideration at this point.
Once the new Resource-Based Groups have been populated with the right members, add them to the file share’s Access Control List (ACL) with the permission level that matches the group: Read & execute for the Read group and Modify for the ReadWrite group. Modify, rather than Full control, is the right ceiling for writers; Full control also allows changing permissions and taking ownership, which no ordinary user of the share needs.
The last step is to remove the legacy User and Group assignments from the share’s Access Control List. Do this only after confirming that members of the new groups can reach the data, and leave the built-in management entries (SYSTEM, Administrators, and any backup or service accounts) in place.
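The group creation, population, re-permissioning and legacy cleanup described in the last four steps, carried through end to end as an added example that is not code from the original post or from StealthAUDIT. The domain CORP, the share \\fs01\Finance, the naming convention FS-<server>-<share>-<level>, the OU for resource groups and the member lists are all assumptions. The post recommends at least three groups but the text here names only Read and ReadWrite, so only those two are created.

```powershell
# Added example, not code from the original post or from StealthAUDIT.
# Assumptions: domain CORP, share \\fs01\Finance, naming convention
# FS-<server>-<share>-<level>, an OU for resource groups; member lists are
# constructed (the output of the activity analysis).
Import-Module ActiveDirectory

$Share  = '\\fs01\Finance'
$Prefix = 'FS-fs01-Finance'
$OU     = 'OU=Resource Groups,DC=corp,DC=example'

# Group -> NTFS rights. Modify, not FullControl, for writers: FullControl would let
# members change permissions and take ownership, which no file user needs.
$groups = [ordered]@{
    "$Prefix-Read"      = 'ReadAndExecute'
    "$Prefix-ReadWrite" = 'Modify'
}
$members = @{
    "$Prefix-Read"      = @('bob')
    "$Prefix-ReadWrite" = @('alice', 'carol')
}

# Create the resource-based groups (domain local: they grant access to one
# resource in this domain) and populate them.
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope DomainLocal `
                    -GroupCategory Security -Path $OU
    }
    Add-ADGroupMember -Identity $g -Members $members[$g]
}

# Snapshot the explicit (non-inherited) ACEs before touching anything.
$acl    = Get-Acl -Path $Share
$legacy = @($acl.Access | Where-Object { -not $_.IsInherited })

# Add the new groups, inheriting to every subfolder and file.
foreach ($g in $groups.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\$g", $groups[$g], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Share -AclObject $acl

# Validate as a member of each new group before continuing past this point.

# Remove the legacy explicit ACEs, keeping the built-in management principals.
$keep = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
$acl  = Get-Acl -Path $Share
foreach ($ace in $legacy) {
    if ($ace.IdentityReference.Value -in $keep) { continue }
    $acl.RemoveAccessRuleSpecific($ace)
}
Set-Acl -Path $Share -AclObject $acl

# Show the resulting DACL for the change record.
Get-Acl -Path $Share | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Two caveats. Get-Acl and Set-Acl operate on the NTFS DACL only; the SMB share-level permissions are separate (Get-SmbShareAccess / Grant-SmbShareAccess on the server) and still need to allow the new groups through. And the cleanup above only removes ACEs that are explicit on the share folder; legacy access that is inherited from a parent folder has to be fixed at the parent, or by breaking inheritance on the share with `$acl.SetAccessRuleProtection($true, $true)` and then pruning the copied entries, which is a larger change that deserves its own test pass.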
The result is a clean, instantly understandable, maintainable access model for your file share(s) that provides the right users with the right level of permission to your data. When done properly, end users should never even know their access changed: everyone who used their access still has it, and their permission level matches what they actually used. New users wanting access to the data can be safely placed in the Read or ReadWrite group for the resource moving forward, without fear of inadvertently granting access to other resources in the organization.
If you’re interested in learning how to automate this entire process in bulk and at scale, request a demo of our StealthAUDIT for File Systems product.
As General Manager, Adam is responsible for product lifecycle and market adoption from concept to implementation through to customer success. He is passionate about market strategies and about developing a long-term path to success for our customers and partners.
Previously, Adam served as CMO and has held a variety of senior leadership positions at Stealthbits (now part of Netwrix), including Sales, Marketing, Product Management, and Operational Management roles, where his focus has consistently been setting product strategy, defining the roadmap, driving strategic engagements, and product evangelism.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.
© 2022 Stealthbits Technologies, Inc.