How to Prevent Privilege Creep With FolderSecurityViewer

Ensuring the right access privileges are aligned with appropriate user roles is usually the headache of the IT department.

If there is a mismatch between a user’s responsibilities and their access privileges, it poses serious security risks, including data breach, exfiltration of sensitive information, and implantation of viruses and worms on the company’s systems.

In this article, we are going to talk about how to prevent privilege creep using a versatile tool known as FolderSecurityViewer.

What Is Privilege Creep?

Typically, privilege creep refers to the steady gathering of un-audited access rights beyond what a person requires to complete their tasks.

If a user requires rights to access an IT infrastructure, and sufficient justification has been given, those rights should be given.

However, when that same individual no longer needs those rights, and nothing is done to remove them, they remain unchanged. Over time, with the addition of more roles, a person can gather unnecessary and insecure rights.

How Privilege Creep Occurs

Simply put, privilege creep takes place when users’ privileges are not cleaned out, especially after changing roles. Promoting employees, demoting employees, or carrying out transfers within departments are the major causes of access creep.

For example, a manager is hired and granted the access rights to the sensitive IT systems in a company. After some months in the position, he is demoted and a new manager is hired to replace him. However, instead of the access rights of the old manager being revoked, he still retains them.

The same scenario can happen when an employee is transferred to another department or an employee is promoted to a higher position. Also, if an employee is granted temporary access permissions to cover for vacations or prolonged absences, and the rights are not rescinded, privilege creep can ensue.

Dangers of Privilege Creep

Privilege creep usually leads to a two-fold security risk to organizations. The first risk occurs when an employee who still has uncleaned privileges gets tempted to gain unauthorized access to a sensitive system.

In most organizations, security incidents take place because of dissatisfied employees attempting to cause damage or just ‘make a point’. If such employees have unnecessary privileges, they can maliciously gain entry into systems away from their immediate work station, making finding them out difficult.

Second, if the user account of an employee with excess privileges is hacked, a criminal can collect more information than if the privileges of the account were not excessive. If an account is compromised, it becomes the property of the attacker, and it is more lucrative if it has excess rights.

How to Avoid Privilege Creep

Carry out access reviews

The best technique of avoiding privilege creep is carrying out frequent, thorough access reviews. The IT department should regularly confirm every employee’s access rights to ensure the unnecessary accumulated privileges are revoked.

If a company has invested in a robust identity and access management (IAM) system, undertaking access reviews becomes less taxing and making decisions concerning employees’ continued access becomes easier. Implementing an IAM system will ensure granted access privileges are appropriately authenticated and audited.

Importantly, when conducting access reviews, the principle of least privilege should be applied. The permissions granted to users should be limited to the minimal level that enables them to carry out their tasks without any difficulties. For instance, someone in the HR department should not be given the privileges of accessing the organization’s customer database.

Access reviews should be maintained throughout the year, with a frequent rotation in every department within the company. Every employee, from the CEO to the lowest-ranked, should have their access permissions periodically reviewed, especially when there is a change in roles.

Communication of changes in roles

In case any employee changes roles, it should be promptly communicated to the IT department. If formal notification is not done, the IT department may not revoke the employee’s access rights, which can lead to harmful consequences.

So, the HR department should work together with the IT department to avoid such lapses, and enhance the security of the company’s infrastructure.

Ensure privileges are aligned

By ensuring the privileges of each employee are aligned to their specific roles and responsibilities, it becomes easier to prevent this creeping monster.

In the company’s employee lifecycle management policy, a comprehensive documented process should be included that clearly outlines the IT-related actions.

In case of any changes to roles, prompt notification should be made to the IT department for updating of the privileges and closure of redundant accounts.

How FolderSecurityViewer Can Help

The task of preventing privilege creep is delicate and demanding. If you try to manually sift through a large number of users’ privileges, it can consume a lot of your time and drain a lot of resources, in addition to the mistakes and oversights that can ensue.

Therefore, investing in an IAM system can greatly reduce the extensive costs of tackling the security vulnerabilities ensuing from privilege creep as well as misaligned or abused privileges.

For example, the FolderSecurityViewer is a powerful free tool you can use to see all the permissions accorded to users. After analyzing the permissions, you can clean them out, and reduce chances of privilege creep occurring.

First, you’ll need to download the tool from here.

After launching the tool, you’ll need to select the folder whose permissions you want to review, and click the Permissions Report entry in the context menu for the magic to start.

You’ll then be provided with a comprehensive permissions report containing several things, including the names of users, department of users, and their respective allowed permissions.


If you want to get more information, you can click on the “Access Control List” button and see the various privilege rights accorded to users.

You can also export the permissions report in Excel, CSV, or HTML format, and carry out further analysis.

After carrying out the access reviews using FolderSecurityViewer, you can audit identities and permissions to ensure role-based privileges are applied and excessive privileges are revoked.
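Once a permissions report has been exported to CSV, part of the access review described above can be scripted. The following is an added example, not part of the original article or of FolderSecurityViewer: the column names, folder paths, user names and approved-access baseline are constructed assumptions, and the permission ordering is a simplified subset of the NTFS basic permissions.

```python
import csv
import io

# Constructed sample of an exported permissions report. The column names are
# assumptions for this example, not the tool's actual export schema.
REPORT_CSV = r"""Folder,User,Department,Permission
D:\Shares\Customers,alice,Sales,Modify
D:\Shares\Customers,bob,HR,Read
D:\Shares\HR,bob,HR,Modify
D:\Shares\HR,carol,HR,Full Control
D:\Shares\HR,dave,IT,Full Control
D:\Shares\Customers,erin,Sales,Special
"""

# Simplified ordering of basic NTFS permissions, lowest to highest.
RANK = {"Read": 1, "Read and Execute": 2, "Modify": 3, "Full Control": 4}

# Hypothetical least-privilege baseline: the highest permission each
# department is approved to hold on each folder. A missing pair means
# that department should have no access to the folder at all.
BASELINE = {
    (r"D:\Shares\Customers", "Sales"): "Modify",
    (r"D:\Shares\Customers", "IT"): "Full Control",
    (r"D:\Shares\HR", "HR"): "Modify",
    (r"D:\Shares\HR", "IT"): "Full Control",
}

def find_privilege_creep(report_text, baseline=BASELINE):
    """Return (folder, user, permission, reason) for every report row that
    grants more than the baseline approves for the user's department."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        folder, user = row["Folder"].strip(), row["User"].strip()
        dept, perm = row["Department"].strip(), row["Permission"].strip()
        allowed = baseline.get((folder, dept))
        if perm not in RANK:
            # Fail closed: an entry we cannot rank goes to a human reviewer.
            reason = "unrecognized permission, review manually"
        elif allowed is None:
            reason = "department has no approved access to this folder"
        elif RANK[perm] > RANK[allowed]:
            reason = f"exceeds approved level ({allowed})"
        else:
            continue
        findings.append((folder, user, perm, reason))
    return findings

if __name__ == "__main__":
    for finding in find_privilege_creep(REPORT_CSV):
        print(" | ".join(finding))
```

Rows that match the baseline are skipped, so the output is the list of entries to revoke or justify during the review.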

Conclusion

The FolderSecurityViewer is a wonderful tool you can use to provide you with visibility into the permissions and access rights for your IT infrastructure. This way, you can easily prevent privilege creep and avert costly security breaches from occurring.

5 Best Free Tools For NTFS Permissions Reporting

NTFS Permissions reporting is a good way of auditing the level of access that users have on files and folders so that maintaining NTFS folder security is enhanced.

Managing folders is a difficult task since it requires constant monitoring of the NTFS permissions to avoid unauthorized access. However, if you have a good tool, you can conveniently present easy-to-read reports listing the permissions granted to a user or a group of users.

Here are five free tools that will save your time and headache by giving you easy-to-read folder permissions reports for your analysis.

1. Tool: NTFS Permissions Reporter

The NTFS Permissions Reporter (the free version) by Cjwdev is an excellent tool that allows you to export file and folder permissions for further reviewing.

You can download the tool from here.

Once installed, you can right click on any folder in your Windows Explorer and select the “Report Permissions” option. Thereafter, you’ll be directed to the tool’s main page for you to see the various permissions associated with the folder.

Here are some of the key features of the free version of the tool.

  • Colorized report results—after selecting the folder whose NTFS permissions you want to view by clicking “Add” and then clicking “Run Report”, you’ll be presented with a report of the permissions in various colors, allowing you to make a proper analysis. For example, Full Control permission is colored in red while Read and Execute permission is colored in green.

  • Varied reporting formats—depending on your preferences, you can choose either the tree-based or the table-based report format. You can change the format on the “View” tab or by checking one of the radio buttons on the lower section of the tool.

  • Ability to show group members—the tool has an option that allows you to view members of groups directly within the generated report. You can activate this feature by checking the “Show members of groups” button as well as the associated buttons.

The NTFS Permissions Reporter exports the folder permissions reports as HTML files. Just click the “Export Report” button to export the results.

Here is an example of a report.

2. Tool: Netwrix Effective Permissions Reporting Tool

With this freeware tool, you can easily get comprehensive reports regarding the users with different levels of access permissions in your Active Directory domain as well as file/folder shares.

You can download the tool from here.

To use the free tool, you’ll need to click the “Add” button.

A window will pop up asking you to specify the network resource for checking its effective permissions—either Active Directory or File Path.

Then, click “Start Scanning” and the results will be delivered in an HTML file.

Here are some of the key benefits of the tool.

  • Gain control over permissions—with the tool, you can view file and folder permissions in a single report, together with details of whether the permissions were allocated explicitly or through inheritance.

To see the inherited permissions in the results report, check the “List objects with inherited permissions” button.

  • Limit excessive permissions—you’ll get comprehensive information you can utilize to revoke unwarranted access rights and therefore ensure users do not gain excessive permissions.

  • Ensure compliance—the Netwrix effective permissions reporting tool can help you gather proof that every permission corresponds with the stipulated employee roles in the organization.

Here is an example of a report generated using the tool.

3. Tool: Permissions Reporter

The Permissions Reporter (the free version) by Key Metric Software is another powerful tool you can use for scrutinizing Windows NTFS file systems.

You can download the tool from here.

Although this tool looks like Cjwdev’s NTFS Permissions Reporter, it has more features and a better-looking interface.

Here are some of its key features.

  • Folder Permissions Tree—to get the folder permissions report, you’ll need to click the “New Project” button, and follow the prompts. Thereafter, you’ll be presented with a hierarchical view of the NTFS permissions in various colors on the Folder Permissions Tree, allowing you to make a proper analysis.

  • Folder Permissions Report—this section gives a “flat” view of folder permissions, together with advanced sorting, filtering, and grouping options. This way, you can conveniently retrieve the report you want.

  • File Permissions Report—here, you can see files whose permissions are not inherited or are not the same as those of their parent folder. You’ll also get other advanced capabilities to easily retrieve the report you want.

  • Other Reports—the File Owner Report allows you to assess how users and file types are consuming the available disk space.

And the Share Permissions Report gives a quick glance at the levels of access accorded to various users.

If you want to export the report data, just click the “Export” button.

The report will be given in HTML file format. Here is an example of a report.

4. Tool: SolarWinds Permissions Analyzer

This is a handy tool that allows you to get instant visibility into the permissions accorded to various users and groups. With this free tool, you can get comprehensive information about NTFS and share user permissions with just a few clicks.

You can download the tool from here.

Although SolarWinds Permissions Analyzer does not allow you to export folder permissions reports, you can achieve several things with it, including:

  • Quickly identifying the level of permissions accorded to a group or a user. To do this, you’ll need to insert the name of the group or user in the “Group or User” section, browse the specific file or folder, and click “Analyze”.

  • Conveniently analyzing how the permissions granted to a user are inherited. If you click the plus button, you’ll get further details on the inherited permissions.

5. Tool: FolderSecurityViewer

This is a versatile, free tool that will enable you to get reliable reports on the NTFS permissions accorded to your folders and shares.

You can download the tool from here.

In terms of ease-of-use and speed, the FolderSecurityViewer is clearly ahead of the other free tools.

Here are some key features of the Permissions Report section of the tool:

  • Easy-to-read report—you will be provided with a well-presented report detailing the security settings of the specified folder in your Windows environment. You can also sort the report to get the specific details you require.

For example, you can click the “Access Control List” button at the bottom of the tool, and a window will pop up providing the levels of privileges given to various users.

  • Compare folders—you can trace differences in the security settings existing between the present folder and its lower folder hierarchy.

  • Traverse nested groups—the FolderSecurityViewer will traverse nested Active Directory groups to ensure that all the permissions associated with the folder are reported.

  • Different reporting formats—depending on your preferences, you can export the folder permissions report as Excel, CSV, or HTML. Just click the small button at the top of the tool, and the options will pop up. In the free edition only HTML reports are enabled.

  • Exporting—here is an example of a report in an Excel sheet:

FolderSecurityViewer reports the permissions owner in a nicely formatted Excel report.

  • Active Directory Group Browser—with this feature you can show group members (direct and nested) directly from your NTFS Permissions Report. Just click any AD group in the Access Control List view to show the group members, and even walk through all nested Active Directory groups to gather all the information you need. Using this feature, every data owner can gain deep insight into the given permission structures without needing to use Microsoft’s built-in tools or to have special permissions to use them.

Show group members (direct and nested) directly in your reports.

  • Save and Load Reports / Compare Reports—these features are only offered in the Company Edition of this tool. You can save any report and load it again at a later time for deeper analysis, either using the built-in database or by configuring an external database (MS SQL Server). With the latter, you can share your reports with other users. Using the Compare Report feature, you can compare any saved NTFS Permissions Reports to show the differences between them. Here is an example:

Compare any saved NTFS Permissions report and show the differences.

But FolderSecurityViewer offers some more reports in the Free Edition:

  • Share Report—in Share Report you can scan the network for all servers providing share services. You can also select Computer Accounts from Active Directory or add the servers manually. Selecting a share lists all details and the assigned share permissions. You can even generate an NTFS Permissions Report from this point.

Lists all shares of a server

  • Folder Report— In Folder Report you can see all sub-folders of a specific folder, as well as their owner, size and file count, in a flat list.

List all sub-folders of a specific folder, as well as their owner, size and file count, in a flat list.

  • Owner Report— In Owner Report you can see all folders within a specific share or folder where the owner of it is a specific user. Here you first select a user principal from Active Directory, and then select a share or a folder where to search.

List all folders with a specific owner set.

Conclusion

The security of the data in your network is important. With a good NTFS Permissions reporting tool, you can easily identify the level of access privileges accorded to different users, allowing you to proactively prevent misuse and data breaches.

With any of the above free tools, you can conveniently stay on top of the permissions granted to users and guarantee the safety of your network.

Prevent Unauthorized Access to Sensitive Windows Folders!

If you want to give FolderSecurityViewer’s Free Edition a try, you can request your download here: NTFS Permission Reporter