File Servers continue to be the dominant storage systems for corporate content files, folders and documents. Your File server data is accessed by different users in the organization for secure storage and retrieval of data running to several thousands of gigabytes residing in various networked storage servers. Windows NTFS provides a comprehensive security model to store and retrieve file server data by letting users decide and enforce who can access what and perform what actions on files, folders and documents. With the volume of corporate file server data exploding in the past decade, organizations require policy driven security measures to protect their information assets.
File server security threats are often a result of internal violation of security policies and guidelines by users and administrators usually find it difficult to mitigate such threats due to the number of users accumulating and accessing huge volumes of data over a period of time. Internal threats are highly likely to be present in Shares, Folders and Files (including deeply hidden ones) and cause potential security vulnerabilities unless they are minimized by sound security management policies and guidelines. Security issues in Windows File Servers may arise due to complex group memberships, inadvertent sharing of folders and files using NTFS Shares, inappropriate NTFS permissions such as Full Access to folders and so on. Many of these and more may give rise to potential security threat points that may cause security breaches resulting in loss of confidential data.
A periodic file server security audit must be conducted to reveal who has access to which NTFS Shares, Folders and Files. Analyzing Group memberships of users, including nested group memberships, will expose deeply hidden security vulnerabilities in files and folders. A thorough security audit on users shares, folders and files should determine which users have access to what data and what net effective permissions are available to them to perform Read, Write, Delete and Modify operations among others.
When a user leaves the organization all the user folders and files must be brought under the control of the administrator or the line manager. Usually the user is deprovisioned in Active Directory but the user’s folders and files are left untouched and all the permissions granted to the user to other folders and files are also left untouched. This is because File server security is not automatically handled based on Active Directory changes to user objects. As a result the permissions of orphaned users in the form of unresolved security identifiers (SIDs) continue to linger in shares, folders and files.
Administrators follow a standard procedure of folders inheriting a standard set of permissions from the root or parent folder. However, due to sudden needs in solving operational data access issues, users end up granting explicit permissions to their folders to other users and groups. A proper audit mechanism must scan for all explicit permissions and report any changes to standard permissions inherited by child folders in the folder tree.
For all sensitive shares and folders, auditing must be enabled on file servers to determine what actions have been performed and what changes have occurred. An Active Directory change audit report must determine who did what and when on all confidential folders and files. All audited events must to stored, retrieved and analyzed for forensic analysis and compliance.