Featured content

On January 22, 2019, the United State Department of Homeland Security (DHS) released a warning for a DNS infrastructure hijacking attack against US government agencies.

Setting up network file sharing is one of those core IT practices that every Windows admin knows about and has implemented as part of their daily work. The basic mechanics of this have not dramatically changed since Windows Server 2003 and are relatively straightforward. However, after configuring the resource shares and the individual NTFS permissions for each folder, admins sometimes lose sight of the big picture as they handle daily permission requests on an ad-hoc basis.

CryptoLocker is by now a well known piece of malware that can be especially damaging for any data-driven organization. Once the code has been executed, it encrypts files on desktops and network shares and “holds them for ransom”, prompting any user that tries to open the file to pay a fee to decrypt them. For this reason, CryptoLocker and its variants have come to be known as “ransomware.”

The Payment Card Industry Data Security Standard (PCI DSS) is not just another list of requirements for protecting data. In 2013, the number of credit and debit card transactions worldwide reached over 100 billion—that’s lots of swipes and 16-digit numbers entered! With its almost 300 controls, PCI DSS provides the rules of the road for protecting and securing credit card data for every bank, retailer, or ecommerce site.

In our “Tips from the Pros” series, we’ll be the presenting interviews we’ve conducted with working IT professionals. These are the admins and managers responsible for security, access, and control of human-generated data—the fast growing digital element in organizations today. In this inaugural post, we spoke recently with one of our customers about managing large file shares and permissions.

I recently spoke with an IT administrator who had started a manual open share cleanup project—finding and locking down folders and SharePoint sites open to global access groups like Everyone, Domain Users and Authenticated Users. After removing the everyone group from several folders, they began to receive help desk calls from people who had been actively accessing data through those global access groups prior to their removal, and were now unable to perform their daily activities because they had lost access. This went on for two weeks or so—each time someone called, they had to apologize for the disruption, and quickly add that user to a group on the folder’s ACL.

In my post last week, Share Permissions, I promised I’d write a follow up post on “open shares.” Open shares, in a nutshell, are folders that are accessible to all (or pretty much all) of the people on the network. In the Windows world, these are folders are that are shared over the network via CIFS, and accessible to what are called “global access groups,” like Everyone, Domain Users, and Authenticated Users.

In one of our recent posts, What About Individual Users on ACL’s? I mentioned that some organizations have opted for using Windows share permissions instead of NTFS permissions for file shares. This approach goes against Microsoft’s recommendations, but it has one advantage: sharing permissions are applied more or less instantaneously, where NTFS permissions can take a long time to apply to all the files and folders in a big hierarchy. So what’s the downside? Three problems associated with using only share permissions are:

One question I received in response to our recent post about aligning windows security groups and automating entitlement reviews was, “If you’re using single-purpose security groups and managing them automatically with an automated solution like DataPrivilege®, why use groups at all? Why not just assign users directly to the ACL?” That’s a great question (even though the idea may seem like heresy in the windows world).