Open Access or unrestricted file share access is an inevitable condition that exists in most, if not all, enterprise environments. Many organizations create ‘Open Shares’ to allow end-users an easy way to access resources.
What is an Open Share?
These shares are open in the sense that access to them is unrestricted at both the Share and NTFS levels, meaning most end users can access them. This is achieved by the use of ‘Open Access Groups’ such as the built-in groups listed below:
- Everyone – This group encompasses all users that have authenticated to the system using a valid set of credentials, as well as built-in accounts including GUEST and LOCAL_SERVICE.
- Authenticated Users – This group is a subset of the Everyone group, excluding non-password protected built-in accounts such as GUEST.
- Anonymous Logon – This built-in security group includes users or services that access resources over a network connection by using a null user account name, domain and password.
- Domain Users – The domain users group is a default group within Active Directory to which all user accounts are added by default.
By default, when you create a CIFS share in Windows and many other operating systems, the Everyone group is granted read access at the share level, leaving administrators to lock down access through the NTFS permissions. This is a best practice from Microsoft and is completely fine as long as admins are taking the appropriate steps to lock down access.
While some shares are intentionally left open, over time, the number of open shares inevitably grows beyond expectations due to things like sloppy access provisioning within Active Directory, complex group nesting structures, or even just lazy administrators.
Why are Open Shares a Problem?
This quickly becomes a problem when sensitive data such as PII or PCI data is contained within these open repositories. A Ponemon Institute study showed that 71% of employees say they have access to data they shouldn’t have and that this access is “frequent” or “very frequent”.
Now, in the event of a data breach, the attacker has essentially been given an open door to potentially valuable data, even when using the lowest level credentials. In this case, the attacker doesn’t need to go through the additional credential theft exercises that would typically raise the red flags that organizations are prepared to detect
A Pragmatic Approach to Eliminate Open Shares
Here at STEALTHbits, we work with clients day in and day out to help remediate this open share epidemic and have developed a proven approach to do so. It comes down to four basic steps
- Discover and Identify Open Shares
- Determine Who Should Have Access
- Create Resource-Based Groups
- Remediate Inappropriate Access to Open Shares
Discover and Identify Open Shares
The first step in remediating open shares is knowing where they exist. With a solution such as StealthAUDIT for File Systems, you have the ability to scan your entire environment to discover and identify open file shares.
The approach here is flexible, with the built-in capability of identifying areas where the combination of share and NTFS permissions expose data through the open-access groups mentioned earlier in this post, along with the ability to specify additional Active Directory or local groups that administrators know provide a similar level of access.
Determine Who Should Have Access
Much of the reason that Open Shares are created in the first place is due to the fact that it can sometimes be difficult to determine who should actually have access to a given set of resources. For example, it may be easy to assume that the members of the Marketing department are the only folks who would ever need access to the Marketing Share, but what about when the Product Management team is collaborating with Marketing on a new campaign or new collateral? Then, in this case, it may be appropriate to grant some level of access to the Product Management team.
StealthAUDIT leverages historical knowledge of who actively accesses the data where, and to what capacity, to make the intelligent decision of who should have access to a given resource. And these decisions aren’t made in a black box. With the proven ability to determine data owners, and visibility into Active Directory to understand organizational hierarchy, the right audience is able to approve any level of access that will be granted.
Create Resource-Based Groups
A resource-based groups access model makes it easy to manage access on a resource by resource basis. The StealthAUDIT approach leverages our knowledge of who actively access this information and to what capacity to automatically create and populate Active Directory groups for each level of access required on a per-share basis, and goes a step further to actually assign the appropriate access. This step is important because it not only ensures that the folks who need access are getting it but also removes folks who have access but are not using it.
This approach also helps to streamline the self-service process, making it easy for end-users to request and be granted access through these new resource-based groups, while also making the entitlement review process easier.
Remediate Inappropriate Access to Open Shares
Once these resource-based groups have been assigned, you can safely remove the access for the open-access groups that were previously provisioned, without fear of locking users out of shares they need to which they need access. StealthAUDIT provides state in time reports to easily display an organizations progress through this open share remediation process.
Maintain a Least Privilege Model Going Forward
Now with this approach, you’ve been able to remediate the open shares that you know about today, but what about tomorrow? Open shares pop up day after day, month after month, year after year, so it’s important to automate and maintain this process for open share discovery and remediation.
Using software such as StealthAUDIT lets you automate this process with ease, providing regular discovery of open shares, easy determination of data owners, and a proven process to remediate this condition without disrupting day to day work.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits Technologies. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University