Every admin worth his or her salt knows all about how to set up network file sharing in their Windows environment. The process is a fairly simple one and hasn’t really changed since Windows 2003. The difficulty comes when admins are asked to amend permissions to folders on a daily basis.
If admins are being asked to assign permissions to folders continuously, there may be a tendency at some point in the process to lose sight of the big picture in terms of network share permissions. Often, this kind of ad hoc permission modification leads to an environment where the permissions are too inclusive, with many users in a state of excessive privilege.
One of the main reasons for this tendency is a lack of communication between departments. The IT team is not made aware of what particular permissions an employee requires to perform their role effectively, when an employee’s role changes, or if an employee leaves the organization. It can be difficult for even the most organized enterprises to visualize how their file permissions should be structured.
In this article, we will discuss three ways in which admins can overcome the difficulties associated with network share permissions.
1. Structure Your Permissions Better
It’s vital that admins have a policy in place for folder permissions and permission changes to ensure the environment doesn’t spiral out of control. In general, folder permissions fall into three categories: directly applied permissions, inherited permissions, and hybrid permissions.
Experts recommend that, when organizing your permissions structure, you attempt to remove all hybrids and move to a two-state model: each folder should inherit either all or none of its permissions. Then you should standardize your existing group permissions.
One pro tip is to use only group permissions, even if that involves creating a group for one individual. It’s far easier to manage this than it is to manage a complex network of individual permissions.
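To check an existing folder tree against this structure, the following PowerShell script (an added example, not part of the original article or of any vendor tooling) labels each folder as Inherited, Direct or Hybrid from its NTFS ACL and lists the explicit grants so that individually assigned accounts can be reviewed and moved into groups. The root path `D:\Shares` is a placeholder, and treating a folder that carries both inherited and explicit entries as "hybrid" is an assumption about the article's term.

```powershell
# Added example: classify each folder's NTFS ACL as Inherited, Direct or Hybrid.
param(
    # Placeholder share root (assumption); pass the folder tree you want to review.
    [string]$Root = 'D:\Shares'
)

function Get-FolderPermissionModel {
    param([Parameter(Mandatory)][string]$Path)

    $acl       = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $explicit  = @($acl.Access | Where-Object { -not $_.IsInherited })
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    # Assumption: "hybrid" means the folder mixes inherited and explicit entries.
    if     ($explicit.Count -and $inherited.Count) { $model = 'Hybrid' }
    elseif ($explicit.Count)                       { $model = 'Direct' }
    elseif ($inherited.Count)                      { $model = 'Inherited' }
    else                                           { $model = 'Empty' }

    [pscustomobject]@{
        Path                = $Path
        Model               = $model
        # True when inheritance from the parent has been switched off.
        InheritanceDisabled = $acl.AreAccessRulesProtected
        # Explicit grants, so entries made to individual accounts can be spotted.
        ExplicitGrants      = ($explicit | ForEach-Object {
            '{0} [{1}: {2}]' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }) -join '; '
    }
}

# Include the root itself, then every subfolder beneath it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$report = foreach ($folder in $folders) {
    try   { Get-FolderPermissionModel -Path $folder.FullName }
    catch { Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)" }
}

# Summary by model, then the hybrid folders that need to be cleaned up.
$report | Group-Object Model | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object Model -eq 'Hybrid' | Sort-Object Path |
    Format-List Path, InheritanceDisabled, ExplicitGrants
```

Run it from an account that can read the ACLs under the root; folders it cannot read are reported as warnings rather than silently skipped.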
2. Communicate Better with Data Owners
As previously stated, part of the reason that permissions sprawl out of control is that the IT team cannot work out what permissions a user requires to perform their job effectively. In these cases, they tend to award extra permissions just to be on the safe side.
The IT team needs to communicate with the data owners (usually managers of other departments) to find out what users really need access to. Data owners are in the best place to guide the IT team into implementing a policy of least privilege, where users only have access to the folders they require to perform their jobs effectively.
3. Proactively and Continuously Monitor
After setting up folder access policies, communicating better with data owners and regularly reviewing permissions, there is still more work to be done. Awarding permissions to sensitive data to any user in the network, regardless of seniority and trustworthiness, increases the risk of data breaches through privilege abuse. That’s why it’s incredibly important to proactively and continuously monitor your user interactions with data and permission changes.
You should be trying to spot anomalous user behavior or behavior that could be considered suspicious. You should also make sure that you know about any permission changes that take place so that you can review them to determine whether they are necessary. Through monitoring such as this, you will be able to see whether your permissions structure can be changed or whether users are trying to access data they are not permitted to.
Unfortunately, doing this kind of monitoring using native methods simply won’t be possible. It’s too time consuming and doesn’t provide the kind of detailed information you require.
It just so happens that we have a File Server auditing solution called LepideAuditor that will allow you to monitor permission changes, analyze current permissions and track user interactions with files and folders. To learn more about LepideAuditor, start your 15-day free trial today.