Step 4: Assignment of Users
Assignment of Users to Active Directory Security Groups
The fourth step in managing data access on Windows fileservers is properly assigning users to Active Directory security groups. If this is not done correctly, it can lead to unauthorised access to shared data and critical losses to your IT infrastructure.
Security should be implemented through well-defined groups. Users should be assigned to groups and the groups granted the rights to access the folders.
This way, the users enjoy access to the folders based on the group privileges. Since it’s easier to maintain the integrity of your systems by managing groups than individual users, users should never be granted access rights to folders directly.
In most cases, ordinary users should not be assigned Full Control permissions. This permission level is a huge security risk because users can misuse it. Worse still, if it gets into the hands of attackers, the consequences can be severe.
It is recommended to implement a least privilege permission level and minimise the permissions required to allow access. Usually, Read and Write permissions are sufficient to allow users to complete most tasks.
The basis for the assignment of users to folders is a rather complex question and answer game.
For each folder that needs to be protected with permissions, ask the person responsible for the data which users should receive which access rights. Please follow the processes described in the previous chapter.
You can use a permissions matrix to help gather the necessary data and to document the permissions assigned to users. These matrices can easily be made using an Excel table.
For each folder that needs its own permissions, make a row. In the columns, the users that have access to the folder will be recorded. The necessary permissions can be specified with a “W” for “Write” permissions and an “R” for “Read” permissions.
With this matrix as a starting point, you can plan and create security groups within the Active Directory and assign users to the appropriate groups.
These tables should ideally be administered directly by the person responsible for the data in question (the data owner).
A matrix should be created and maintained for each department. Otherwise, a very large matrix should be used to administer the permissions for all departments, in which case other persons should not be allowed to change the content of cells.
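The matrix described above can be turned into a group plan mechanically. The following is an added example, not part of the original page: the CSV content, the user names, the OU and the DomainLocal scope are assumptions, and the group names follow the "FG Sales Planning R" pattern used later in the text.

```powershell
# Constructed sample matrix: one row per folder, one column per user (R = Read, W = Write).
$matrixCsv = @'
Folder,asmith,bjones,cmeyer
\\Department\sales,W,W,
\\Department\sales\planning,W,R,R
'@

# Assumption: group names follow the text's "FG Sales Planning R" pattern,
# built from the folder path below the share root plus the permission letter.
function Get-GroupName([string]$Folder, [string]$Level) {
    $parts = $Folder.TrimStart('\') -split '\\' | Select-Object -Skip 1
    $words = $parts | ForEach-Object { (Get-Culture).TextInfo.ToTitleCase($_) }
    'FG {0} {1}' -f ($words -join ' '), $Level
}

# Turn each row into at most two groups (R and W) with their members.
function ConvertTo-GroupPlan([string]$Csv) {
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $users = $row.PSObject.Properties | Where-Object { $_.Name -ne 'Folder' }
        foreach ($level in 'R', 'W') {
            $members = @($users | Where-Object { $_.Value -eq $level } | ForEach-Object { $_.Name })
            if ($members.Count -gt 0) {
                [pscustomobject]@{
                    Folder  = $row.Folder
                    Group   = Get-GroupName $row.Folder $level
                    Members = $members -join ', '
                }
            }
        }
    }
}

$plan = ConvertTo-GroupPlan $matrixCsv
$plan | Format-Table -AutoSize   # review the plan with the data owner first

# Create the groups only after review. Requires the ActiveDirectory module.
# $ou is a placeholder; DomainLocal scope is an assumption, not from the text.
$apply = $false
$ou    = 'OU=FileServerGroups,DC=example,DC=com'
if ($apply) {
    foreach ($entry in $plan) {
        if (-not (Get-ADGroup -Filter "Name -eq '$($entry.Group)'")) {
            New-ADGroup -Name $entry.Group -GroupScope DomainLocal -GroupCategory Security -Path $ou
        }
        Add-ADGroupMember -Identity $entry.Group -Members ($entry.Members -split ', ')
    }
}
```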
Importantly, once the matrix has been created, it is essential to implement a continuous authorisation process in which the assigned permissions are audited. This way, the data permission integrity will not be compromised.
If an authorisation process is not adopted, the permissions can revert to their previously chaotic state and cause security risks, such as privilege creep.
An employee from Human Resources needs to read the vacation lists from Sales. These are stored in: “\\Department\sales\planning”
So that the HR employee does not gain access to the entire “Sales” folder and subfolders, he/she must first be put into the LIST Group for that folder. With this step, the HR employee can open the “Sales” folder, but cannot read or change data. At that point, the HR employee must be assigned to the group “FG Sales Planning R”, which grants them “Read” permission for the subfolder. That employee will then be able to access the subfolder “planning” and read the data within.
In short, this “LIST” permission allows someone to “take a walk” through a closed area.
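The LIST group and the read group from the example above, expressed as ACL entries. This is an added example, not part of the original page: the domain CONTOSO, the list group name "LG Sales" and the account hr.employee are placeholders, while the paths and "FG Sales Planning R" come from the text.

```powershell
# Placeholders (assumptions): domain CONTOSO, list group "LG Sales", account hr.employee.
# The paths and the group "FG Sales Planning R" come from the text.
$salesPath    = '\\Department\sales'
$planningPath = '\\Department\sales\planning'

# LIST group: browse the Sales folder itself. InheritanceFlags 'None' means
# "this folder only", so nothing below Sales inherits the entry.
$listRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\LG Sales', 'ReadAndExecute', 'None', 'None', 'Allow')

# Read group: Read on "planning", inherited by its subfolders and files.
$readRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\FG Sales Planning R', 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

# Append one rule to a folder's existing ACL.
function Add-FolderRule([string]$Path, $Rule) {
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Add-FolderRule $salesPath    $listRule
Add-FolderRule $planningPath $readRule

# The user is only ever added to groups, never to the folder ACL.
Add-ADGroupMember -Identity 'LG Sales'            -Members 'hr.employee'
Add-ADGroupMember -Identity 'FG Sales Planning R' -Members 'hr.employee'

# Check: the list entry must show InheritanceFlags = None on the Sales folder.
(Get-Acl -LiteralPath $salesPath).Access |
    Where-Object { $_.IdentityReference -like '*\LG Sales' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
```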
No Assignment of Individual Permissions
As earlier mentioned, you should never assign individual permissions to users. Using security groups to control access to critical data minimises the risks of direct permissions and ensures easy management.
However, the permission structure is not always as simple as the company structure. Often, it will be necessary to create permissions that originate outside of the data area.
For instance, it might be necessary for an HR employee to have access to the company’s personnel planning table, which is located in the data area of “Sales”.
In this case where sensitive information should only be accessed by a specific individual, the IT administrator should not assign the HR employee to the Sales group. Instead, the administrator should provide that employee with permissions for this folder as an individual or even provide only the permission for a single file.
Failing to assign rights well will have fatal consequences:
- If a search is to be done to find out where an uncooperative user has access permissions, it would have to be conducted on all servers, which is a difficult and demanding task.
- If an employee changes their area of work or department, it is no longer easy to know which permissions must be changed. If there is no documentation, no one will know what permissions that employee had.
- If an employee leaves the company and their account is deleted, then a “SID corpse” (an unreadable identification code that can no longer be associated with a person) will remain in the ACL of the folder.
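An audit for the problems listed above, reporting folders that carry explicit permissions for individual user accounts or for SIDs that no longer resolve. This is an added example, not part of the original page: the share root, the NetBIOS domain name CONTOSO and the output file name are placeholders, and the ActiveDirectory module is assumed to be available.

```powershell
# Placeholders (assumptions): share root and NetBIOS domain name.
$root   = '\\Department\sales'
$domain = 'CONTOSO'

function Get-AclFinding([string]$Path, [string]$Domain) {
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Explicit entries only; inherited ones are reported at the folder that sets them.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id      = $ace.IdentityReference.Value
            $finding = $null
            if ($id -match '^S-1-5-21-') {
                # The SID could not be translated to a name, usually a deleted account.
                $finding = 'Orphaned SID'
            }
            elseif ($id -like "$Domain\*") {
                # Look the account up in AD and flag it if it is a user, not a group.
                $sam = $id.Substring($Domain.Length + 1)
                $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
                if ($obj.ObjectClass -eq 'user') { $finding = 'Direct user permission' }
            }
            if ($finding) {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $id
                    Rights   = $ace.FileSystemRights
                    Finding  = $finding
                }
            }
        }
    }
}

# Write the findings to a CSV that can be reviewed with the data owner.
Get-AclFinding -Path $root -Domain $domain |
    Export-Csv -Path .\acl-findings.csv -NoTypeInformation
```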