Step 1: Planning
Designing Folder Structure and Policies for Permission Assignment
Foremost, to successfully manage data access on Windows fileservers, sufficient planning is necessary—or failure could ensue.
Comprehensively planning the designing of folder structures and policies for permission assignment will greatly minimise administrative headaches and maximise productivity.
Planning how to set up folder structure for deployment to your team is indispensable. In the absence of planning, all your efforts to manage data access may fail to yield the desired results.
Incorporating some planning can transform your shared-folder environment into the land flowing with milk and honey.
To successfully and efficiently operate a complex Windows Folder Structure without any hassles or security leaks, you have to take the following points into consideration:
- Plan a folder structure to store the users’ data files (documents, slides, graphics, drawings, etc.)
- Plan the shares
- Plan the Active Directory security groups
- Plan the permissions
Why is Planning the Design of Folder Structure Important?
If there is a lack of definition for any of the above topics or if substantial mistakes are made in the planning phase, the problems that occur during operation will increase with each day.
Thus, you will require more time for operations, analysing problems will become more difficult, and the necessary enhancements will require far more effort to archive.
Most of the time, the only solution will be to plan and create a completely new Windows filesystem environment, which will include a time-intensive data migration into the new folder structure.
The first step is to setup a folder structure and assign the appropriate permissions to that structure. The next step is the long-term daily management and operation of that environment.
Below are some of the real-life situations that a Windows administrator could have a hard time dealing with if a proper folder structure is not designed from the start:
- The project manager urgently needs a new folder added to the project share with permissions set for only the project office.
- The employees in the accounting department change so often that, every day, a new employee needs to have permission assignments while exiting teammates need their permissions removed.
- The boss of the legal department has doubts that his data is secure and requests a list of the data trustees for his folders.
Huge mistakes will make the administrator’s job far more stressful and will force them to do many routine operations and tedious tasks. Such wasted time can be invested in much more useful technologies.
What’s the importance of planning for authorisation concept?
A solid, comprehensive plan will help avoid problems! The key to a secure and stable Windows Share and Folder environment is a solid authorisation concept. If this is in place, you can trust in the security of your data!
It is important to plan for an access authorisation concept before your IT administrators create new data structures within your system, no matter if those structures are for file data, web pages (Microsoft SharePoint), databases (MS SQL Server), applications, mailing lists, or folders (Microsoft Exchange).
If this authorisation concept is missing on all levels, especially for:
a) use cases, such as:
- Permission assignments for users
- Withdrawal of permissions for individual users in individual access areas
- Simple reporting of access rights
b) and business processes, such as:
- Approval processes for data access
- Approval processes for the creation of new objects in the data structure
then, the tasks of day-to-day management and medium-term reporting will no longer be easily implementable.
These tasks will grow increasingly time-intensive as more uncertainties and security risks manifest.
This is a nightmare for every IT administrator and security officer. Therefore, proper planning beforehand is essential.
Creation of a Windows Folder Structure
What kind of plan should you have for smooth daily operations?
The needs of your organisation will likely determine the way you plan for the creation of a Windows folder structure.
If you have a plan that allows for a folder structure that is intuitive and easy to navigate, it will greatly smooth daily operations and maximise productivity.
You should ensure that poor practices and inefficient workflows are not included in your planning.
Here are some questions to consider when planning your structures:
- How should data files get organised? Are users allowed to create folders on their own?
- Who is responsible for moving, owning, and maintaining the data? Whom do I speak to if an employee from one department requests permissions for a folder in a different department?
- How should the shares be designed? For instance, does every department need its own share? Is one share per business domain enough?
- How should the structure for the folders in the Active Directory be built? How should the Active Directory security groups be designed?
- How should I name the shares, folders, and Active Directory security groups?
- Should folder depth be limited? Is it efficient to manage the permissions of folders five levels deep?
- How should users who are assigned to specific folders gain access? Why shouldn’t users be directly assigned to those folders? Do users need different levels of access or are groups suitable?
- How should the files and folders be backed up? How do I guarantee the software will be able to access all the data within the structure?
- Are there any specific security concerns around your shared content?
Do your administrators require full access to users’ content?
To answer these questions, you’ll need to define some policies for permissions assignment:
- Policies for file and folder structures
- Policies for every data owner; that is, who is responsible for which folder
- Policies for shares
- Policies for security groups in the Active Directory
- Policies for naming conventions for shares, folders, and groups
- Policies for folder nesting depth limits
- Policies for permission assignments of users to gain access
- Policies for permission assignments for backup service accounts, operators, and administrators
Here are some real-life examples of defined policies:
- Shares: The amount of shares is not limited.
- Shares: The names should not be longer than 10 characters. Special characters are not allowed.
- Folders: The amount of folders is not limited.
- Folders with Permissions: The name of a folder should not exceed 15 characters. Special characters (_ and ,) are not allowed.
- Permissions: Permissions are assigned to folders, never to shares or files. Only permissions of type “Allow” are allowed. Never assign permissions of type “Deny”.
- Folder Nesting: Only assign security groups permissions to folders in the first or second hierarchy level. Child folders do inherit the permissions of their parent folders.
- Security Groups: For every folder with necessary permissions, an appropriate security group is created in the Active Directory.
- Naming Convention: Name security groups like this: FS_<sharename>_<foldername>[_<foldername>]_<permissions>
- Quota: Every folder with permissions will get a default quota of 100 GB. Enhancements should be requested by the data owner.
- Responsibility: For every folder with permissions, a responsible individual must be defined to manage said permissions. This person will decide who gets which kind of access permissions or quota enhancements.
When your IT team takes all these policies and rules into consideration, you will be able to avoid most of the problems mentioned earlier.
Here are some practices you should follow to ensure quality planning when setting up your structures:
- Define your policies and rules in detail. This step will help you ensure simple administration and smooth daily operations.
- Exceptions must always be documented.
- Never assign permissions to shares. Only assign permissions to the underlying folders!
- Never assign full control to shares or folders. This could lead to administrators accidentally being locked out by users.
- Remove “creator” and “owner” permissions. Having such permissions could lead to lock outs.
- Only assign full control to the folders within the internal system account.
- Plan for your sensitive, confidential data to live towards the top of your structure (at a higher folder level). This way, you can easily restrict unauthorised access.
- To enhance efficiency, ensure the folder structure is as flat as possible. A quick rule of thumb is to set the limit for managed folders to go as far as the third level within your structure. Beyond this level, if users create more folders based on their needs, those folders will not have any permissions assigned to them.
- The IT department should never be the data owners. Any data owners must be an employee of an appropriate department.
- Observe clear, consistent naming conventions for folders. This way, a user can easily search for content without losing focus.
- For external collaboration, create separate and clearly labeled folders. For example, you can create a separate root level folder for communicating with third parties.
- Plan to actively police permissions by frequently cleaning out unnecessary and un-audited permissions.
Click here to download a checklist that will assist you with planning on how to manage data access on Windows fileservers effectively.
In the next step, we’ll talk about defining business processes and responsibilities.