|The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.|
Consistent file permissions are crucial to enterprise security. As I've already mentioned, client computers often contain many confidential files, but client computers are often perceived as being less critical from a file permissions viewpoint. This position is dangerous: Imagine the damage that could be caused if someone swiped a company laptop in an airport waiting lounge, for example.
|Companies dealing with regulatory compliance issues -- such as the Health Insurance Portability and Accountability Act (HIPAA), for example -- should be very concerned about the security of files on client computers. Some organizations might want to keep files from being stored on client computers -- a topic I'll address in the next few sections. However, sometimes allowing users to keep local copies of files -- especially on laptops -- is unavoidable. In those situations, having the correct file permissions in place is critical to maintaining your compliance.|
Windows security templates can be used to create a consistent NTFS permissions structure. For example, the Setup Security.inf security template -- shown opened in the Security Templates console in Figure 2.8 -- applies the starting security permissions for the entire OS. Figure 2.8: Using security templates to manage NTFS permissions.
Figure 2.8: Using security templates to manage NTFS permissions.
You can create your own security templates, import them into a GPO, and apply them to a domain, site, or OU. Templates are a decent way to configure consistent NTFS permissions for a particular folder structure across a large number of computers. However, templates are far from a perfect solution. For example, they require all targeted computers to have an identical folder structure (at least within the folder structure you're defining in the template), which isn't always the case. Further, templates provide no reporting capability, which would allow you to easily verify the NTFS permissions applied to a given file or folder.
Third-party tools can, however, provide a robust level of reporting and help manage security more easily. BindView Corporation makes a suite of products designed to help organizations better meet regulatory and industry standards, including security permissions and auditing settings on files.
ScriptLogic Enterprise Security Reporter helps you effectively manage security and can also provide robust reports for client-level security. Although Enterprise Security Reporter is intended primarily for reporting on server-based security, many of its functions can be useful for client-based security as well. In a compliance environment, you might even be required to provide these types of reports for your client computers. The tool starts by loading security information from targeted computers into a SQL Server database, which allows you to then instantly obtain security reports, such as reports on which users have specific permissions under a given folder hierarchy. Figure 2.9 shows a sample report, listing the users that have permissions under a specified folder. This type of report is excellent for compliance management, because it lets you quickly verify that only the proper users have permissions on folders known to contain confidential information.
Figure 2.9: Viewing permissions assigned to a specified folder.
For a more interactive security tool, ScriptLogic Security Explorer allows you to create scopes, which are collections of targeted security elements -- including, for example, folders. Figure 2.10 shows Security Explorer examining the permissions on a folder that has been added to a scope; this folder might be an application data folder, for example.
Figure 2.10: Viewing security permissions through Security Explorer.
Once you have a scope established, you can conduct searches on it, modify its permissions, and so forth. For example, in Figure 2.11, I'm conducting a search on a scope named Clients. I might look for anything within the scope that assigns permissions to the Everyone group, or for permissions assigned to a particular user or group. I can search permissions on files, folders, and subfolders within the scope, and I can restrict the search to a particular set of permissions. By using this powerful search mechanism, I can quickly locate undesirable permissions, then use Security Explorer to remove or modify them.
Figure 2.11: Searching a scope in Security Explorer.
These tools can all help you maintain more consistent permissions. Of course, don't forget about freely available tools for managing permissions, such as Windows' built-in Cacls.exe command-line tool and the more flexible Windows resource kit tool, XCacls.exe. Although less suitable for administration of multiple computers, these tools can allow you to quickly reconfigure security permissions in a folder hierarchy on a single machine, and they can be used in a batch file to make it easier to make changes across multiple machines at once.
However, bear in mind that maintaining consistent permissions across multiple client computers will always be difficult. A better idea, if possible, is to simply get the files off of the client computers entirely.
Click for the next excerpt in this series: Folder redirection
This was first published in October 2005