User access and permissions to data are excessive – especially within network file share infrastructure – due in large part to the highly complex and/or error-prone processes administrators have been forced to navigate over the years. Adding insult to injury, the location of sensitive data within shared file systems is largely unknown in most organizations, which is a problem given this type of data is a target in virtually every breach scenario.
Securing a file share isn’t too difficult if you can collect the right data. The goal should be to follow the principle of least privilege–limit access rights and the permissions users have to the data to the lowest level possible, while also avoiding any impact to the user in being able to do their job.
Assuming you’ve already identified the file share or shares you want to secure, here are 8 steps to help you go from an unmanageable situation to the real-world instantiation of a least privilege access model.
Step 1: Audit File Share Access
Start by reviewing the share’s Access Control List (ACL) and record each User and Group object listed. Be sure to review each Group carefully, expanding the Group’s membership as deeply as needed to obtain a complete view into each and every User within each Group and Nested Group.
Step 2: Collect File Share Permissions
Next, take inventory of the permissions each User and Group have been given to the share. Unless special permissions have been applied, one or more of the following permission levels will be set to “Allow” or “Deny”; Full control, Modify, Read & execute, List folder contents, Read, and Write.
Step 3: Gather File Metadata (Optional)
Understanding the data you’re dealing with can help tremendously in determining proper outcomes when securing Windows or NAS file shares. Take inventory of meaningful file attributes like file Type, Date Modified, Authors, and Tags. If possible, also scan the files for the existence of sensitive information of various types, including Personally Identifiable Information (PII), Credit Cards, Social or National Identity Numbers, Health Records, and more. Don’t forget about images. They can just as easily contain sensitive information as well, and will require OCR scanning capability to address en masse.
Step 4: Monitor File Activity
One of the most critical steps in securing a file share is understanding how users are interacting with the data and the specific operations they’re performing. It’s quite common for many users to have access to data and at varying permission levels, but it’s also common to discover that most users are not leveraging the access or permissions they have. By observing file activity over time and comparing it to the original list of users who have access and their permission levels, you can quickly determine who needs access and at which permission level.
The resultant list of users should be broken into two categories: those who need only Read access and those who need Read and Write access.
Step 5: Create Resource-Based Groups
The best way to achieve and maintain fine-grained control over any resource is through the use of Resource-Based Groups. As opposed to Role-Based Groups (combining like individuals into generalized groups that are commonly used across many resources), Resource-Based Groups are only to be used for supplying access to one specific resource. In this case, a file share.
It is recommended to create at least three (3) Resource-Based Groups per share, using a consistent and understandable naming convention. For instance:
- [Server Name]_[Resource Name]_Full Control
- Only Administrators ever go in this group
- [Server Name]_[Resource Name]_ReadWrite
- Only Users that have demonstrated a need for access beyond Read
- [Server Name]_[Resource Name]_Read
- Only Users that have demonstrated a need for Read access
Step 6: Populate Groups
Using your list derived from having gone through Steps 1 through 4, populate the Read and ReadWrite groups with the appropriate Users.
NOTE: All users that had access previously but never used their access have been eliminated from group membership consideration at this point.
Step 7: ACL Groups to File Share
Once the new Resource-based Groups have been populated with the right members, permission them to the file share’s Access Control List (ACL).
Step 8: Remove Legacy Access
The last step is to remove the legacy User and Group assignments from the share’s Access Control List.
The result is a clean, instantly understandable, maintainable access model for your file share/s that provides the right users with the right level of permission to your data. When done properly, end users should never even know their access changed, as effectively everyone that used their access still has it and their permission level will be consistent with what they actually used. New users wanting access to the data can be safely placed inside of the Read or ReadWrite groups for the resource moving forward, without fear of inadvertently granting access to other resources in the organization.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Laub is the Senior Vice President of Product Marketing at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.