CIFS Security project plan

  • Question

  • Currently at my business we have 5 file shares hosting different department and group data. The NTFS permissions of said shares are a nightmare that would make most security professionals cry. I am trying to build a project plan that will outline what a new file share management solution would be like. For the most part it would be high level department shares with second level shares as the respective department desires, with read/write and read-only groups. The problems arise because there is more interdepartment work going on here than I am used to from previous employment. So I get many requests like "Can user1 have access to this file which is 6-7 levels down, and only this file1". The behavior that has happened for years before my arrival is that the admins would stick the user account right at that level by name, so you would only know about that permission if you happened to look at that file.

    I have a basic skeleton of what I want to do, but I have never done a high level project like this before. Does anyone have a whitepaper or resource that would give me some best practices for this kind of project? I need to start somewhere, and googling "ntfs security project plan" or something along those lines led me astray. I know there is talent here to kick me in the right direction. Maybe even in this forum!

    I should mention that I understand these basics. http://technet.microsoft.com/en-us/library/cc782737.aspx

    I also add my reply from below, which maybe has the more core part of my request:

    I know how to make an NTFS share. Basic shares need RO and RW roles. I need to know how to deal with the human factor with requests like "I would like UserA to have write access to just one file in \\file01\sales\data\proposals\draft\2012\proposal.docx". There would be inheritance from the DATA level that should handle this, but I would be making the ACL different at that level, I would think, as it undermines the basic inheritance, making it hard for other admins to map out and understand the security structures.

    • Edited by Negative Zero Monday, December 3, 2012 5:07 PM clarification
    Thursday, November 29, 2012 10:36 PM
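The "hidden" permissions the question describes (a user account placed by name directly on a file several levels down) are exactly the ACEs that are not inherited. The following audit script is an added example, not code from the thread; it walks a share tree, lists every explicit ACE, and flags the ones granted to individual users rather than groups. The root path `\\file01\sales\data` is taken from the question and the ADSI lookup is used to tell users from groups.

```powershell
# Added example: find explicit (non-inherited) ACEs under a share, flagging those held by users, not groups.
param(
    [string]$Root = '\\file01\sales\data',   # path from the question; change to the share being audited
    [string[]]$IgnoreIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
)

function Get-PrincipalClass {
    param([string]$Identity)
    # Resolve DOMAIN\name through the ADSI WinNT provider: returns 'User', 'Group', or 'Unknown'
    if ($Identity -notmatch '^([^\\]+)\\(.+)$') { return 'Unknown' }
    try { return ([ADSI]"WinNT://$($Matches[1])/$($Matches[2])").SchemaClassName }
    catch { return 'Unknown' }
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }          # inherited ACEs follow the design; explicit ones break it
        $id = $ace.IdentityReference.Value
        if ($IgnoreIdentities -contains $id) { continue }
        [pscustomobject]@{
            Depth    = ($item.FullName.Substring($Root.Length) -split '\\').Count - 1
            Path     = $item.FullName
            Identity = $id
            Class    = Get-PrincipalClass $id
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
}

# The permissions nobody knows about: a user (not a group) granted directly, deepest entries first
$findings | Where-Object { $_.Class -eq 'User' } |
    Sort-Object Depth -Descending |
    Format-Table Depth, Path, Identity, Rights, Type -AutoSize

# Keep a baseline so the next run can be diffed against it
$findings | Export-Csv -Path (Join-Path $env:TEMP 'explicit-aces.csv') -NoTypeInformation
```

Run it with an account that can read the ACLs on the whole tree; anything it lists with Class = User is a candidate for replacement by a group membership or for the folder restructuring the answers below suggest.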

Answers

  • I think if the request is "I need userA to have write access to just this file in...", then the response would be, "Well, then that file doesn't belong in this folder.", and you'd have to consider another situation that may require another look at how you've created the folder hierarchy.  

    Creating policy means adhering to and enforcing policy. 


    Kevin Remde US DPE - IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde http://twitter.com/kevinremde

    • Proposed as answer by Kevin Remde Tuesday, December 11, 2012 8:49 AM
    • Marked as answer by Kevin Remde Wednesday, December 12, 2012 3:18 PM
    Monday, December 10, 2012 12:15 PM
  • We've dealt with this type of thing by developing additional folders within our hierarchy with shares specific to cross-department groups.  So we may have an "Accounting and Billing" share, or a "Bob from Sales and Gina from Administration" share.  They all live within the parent "DEPT" shared folder, but are purpose-built so as to avoid the headaches of having to grant and revoke very granular access that can occur when certain individuals from one department need access to files that someone from another department also needs access to.

    Kevin Warner

    • Proposed as answer by Kevin Remde Tuesday, December 11, 2012 8:49 AM
    • Marked as answer by Kevin Remde Wednesday, December 12, 2012 3:18 PM
    Tuesday, December 11, 2012 12:22 AM
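The purpose-built cross-department folder described in the reply above, provisioned with the RO/RW role groups from the question, as an added example (not code from either poster). The DEPT path, the domain name and the group naming convention are assumptions; the point is that only groups appear in the ACL, so "give UserA access" becomes a group membership change rather than a new ACE.

```powershell
# Added example: create one cross-department folder under DEPT whose ACL holds only role groups.
param(
    [string]$DeptRoot   = 'D:\Shares\DEPT',          # assumed local path behind the DEPT share
    [string]$FolderName = 'Accounting and Billing',   # folder name from Kevin Warner's reply
    [string]$Domain     = 'CORP'                      # assumed domain NetBIOS name
)
$path    = Join-Path $DeptRoot $FolderName
$rwGroup = "$Domain\FS-DEPT-AccountingBilling-RW"    # assumed naming convention for the RW role group
$roGroup = "$Domain\FS-DEPT-AccountingBilling-RO"    # assumed naming convention for the RO role group

New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -LiteralPath $path

# Assumption: DEPT-wide groups must not leak into this folder, so stop inheriting from DEPT
# ($true) and discard the ACEs that were inherited ($false) before adding our own.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $rwGroup;                 Rights = 'Modify' },          # Modify, not FullControl: members cannot edit the ACL
    @{ Id = $roGroup;                 Rights = 'ReadAndExecute' }
)
foreach ($rule in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule.Id, [System.Security.AccessControl.FileSystemRights]$rule.Rights, $inherit, $prop, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Every subsequent access request is handled in AD, never on the file system, e.g.
# (ActiveDirectory module): Add-ADGroupMember -Identity 'FS-DEPT-AccountingBilling-RW' -Members 'UserA'
Get-Acl -LiteralPath $path | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```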

All replies

  • So a basic NTFS share?

    Guowen Su
    Cisco Certified Network Associate
    Cisco Certified Internetwork professional - MPLS
    Certified Information Systems Security Professional
    Microsoft Partner Network 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator:Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Certified Ethical Hacker
    Computer Hacking Forensics Investigator
    Certified Sonicwall Security Administrator
    Microsoft Geeks

    Saturday, December 1, 2012 5:16 PM
  • How about we "google-it on BING", and search for "ntfs file system security share best practices" : http://www.bing.com/search?q=ntfs+file+system+security+share+best+practices&src=IE-TopResult&FORM=IE10TR

    There are many good results there. 

    A forum thread I found through that search had some really good links to best practice articles:  http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/b7b736dc-2dad-43a5-a07e-48f2eed4ecdc

    Hope this helps,

    Kevin


    Kevin Remde US DPE - IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde http://twitter.com/kevinremde

    • Marked as answer by Kevin Remde Sunday, December 2, 2012 3:27 PM
    • Unmarked as answer by Negative Zero Wednesday, December 5, 2012 1:56 PM
    Sunday, December 2, 2012 3:27 PM
  • I will have a look at the threads you posted. The fact that you linked to bing makes my stomach turn. 
    Monday, December 3, 2012 4:52 PM
  • I know how to make an NTFS share. Basic shares need RO and RW roles. I need to know how to deal with the human factor with requests like "I would like UserA to have write access to just one file in \\file01\sales\data\proposals\draft\2012\proposal.docx". There would be inheritance from the DATA level that should handle this, but I would be making the ACL different at that level, I would think, as it undermines the basic inheritance, making it hard for other admins to map out and understand the security structures.
    Monday, December 3, 2012 4:59 PM
  • Get over it.  You're in a Microsoft forum.  You expect me to send you to some inferior search engine whose top results are all paid-for advertisements?

    Kevin Remde US DPE - IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde http://twitter.com/kevinremde

    Monday, December 3, 2012 5:14 PM
  • Sorry if I hit a nerve. Bing gets a bad rap for being inferior. I would like to think that no one clicks on the advertisements at the top of the page. It's a search engine. They both have similar results.
    Monday, December 3, 2012 7:52 PM
  • Nah, you hit no nerves :) we are open to your suggestion. If there is anything that we could assist with, please post, because what we suggested to you will always be Microsoft and nothing else is better than it. Because that's the best and is proven by us.

    Guowen Su
    Cisco Certified Network Associate
    Cisco Certified Internetwork professional - MPLS
    Certified Information Systems Security Professional
    Microsoft Partner Network 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator:Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Certified Ethical Hacker
    Computer Hacking Forensics Investigator
    Certified Sonicwall Security Administrator
    Microsoft Geeks

    Tuesday, December 4, 2012 2:31 AM
  • I might be misunderstanding this particular forum, but I am really looking for a planning type response. In general I know how to make an NTFS share. Basic shares need RO and RW roles. I need to know how to deal with the human factor with requests like "I would like UserA to have write access to just one file in \\file01\sales\data\proposals\draft\2012\proposal.docx". There would be inheritance from the DATA level that should handle this, but I would be making the ACL different at that level, I would think, as it undermines the basic inheritance, making it hard for other admins to map out and understand the security structures.

    How would you deal with that request?

    Tuesday, December 4, 2012 2:07 PM