Step 5: Tooling & Reporting
Tools, Quality Checks, and Reporting
The last step in managing data access on Windows fileservers is implementing proper tooling and reporting. Management of folders through tools, quality checks, and reporting is important for maintaining the integrity of your IT infrastructure.
Without appropriate tools for checking permissions, managing folders effectively is cumbersome and prone to security leaks.
A professional folder permissions tool will run a quality check and give a report listing all the users/groups together with their allowed level of access, allowing you to make informed decisions.
Even if creating separate security groups with permissions for each individual data object results in what seems like a very large number of groups in Active Directory (AD), a good reporting tool will make your life a lot easier.
Deploying a reporting tool will minimise administrative confusion, and the benefits will help you sleep better.
Support Using Scripts
Scripts are versatile tools that can be used for managing folder permissions and ensuring their security.
The administration may seem confusing at first glance, but the construction of permissions can be mapped in an Excel worksheet, as explained in the previous chapter.
That is, the administration of permissions can be monitored using a simple Excel table. One can, for instance, create a matrix for every object type (file access, mail distribution, SharePoint access).
By using a simple VBA or PowerShell script, the permissions can be transferred to the AD automatically.
In this way, an administrator does not need direct access to the file system. In addition, administrators will no longer have to fight their way through the AD and the file server ACLs.
By running a script, requests requiring changes in the permission structure can be easily taken care of.
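An added example of such a transfer script (not from the original article), using the ActiveDirectory module from RSAT. It assumes the matrix is exported from Excel as CSV with the hypothetical columns GroupName and SamAccountName; the group and account names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reconcile AD group membership with a permission matrix.
# Assumption: one CSV row per desired membership, columns GroupName,SamAccountName.
param(
    [switch]$Apply   # without -Apply every change is only simulated (-WhatIf)
)

# Constructed sample rows; replace with Import-Csv on the exported worksheet.
$sample = @'
GroupName,SamAccountName
FS_Accounting_RW,jdoe
FS_Accounting_RW,asmith
FS_Accounting_RO,mbrown
'@
$rows = $sample | ConvertFrom-Csv

$changes = foreach ($g in $rows | Group-Object -Property GroupName) {
    $desired = @($g.Group.SamAccountName | ForEach-Object { $_.Trim() } |
        Where-Object { $_ } | Sort-Object -Unique)
    # Direct user members only; nested groups and computer accounts are left untouched.
    $current = @(Get-ADGroupMember -Identity $g.Name |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)

    foreach ($user in $desired | Where-Object { $_ -notin $current }) {
        Add-ADGroupMember -Identity $g.Name -Members $user -WhatIf:(-not $Apply)
        [pscustomobject]@{ Time = Get-Date -Format s; Group = $g.Name
                           User = $user; Action = 'Add'; Applied = [bool]$Apply }
    }
    foreach ($user in $current | Where-Object { $_ -notin $desired }) {
        Remove-ADGroupMember -Identity $g.Name -Members $user -Confirm:$false -WhatIf:(-not $Apply)
        [pscustomobject]@{ Time = Get-Date -Format s; Group = $g.Name
                           User = $user; Action = 'Remove'; Applied = [bool]$Apply }
    }
}

# Append-only change log: which account was added to or removed from which group, and when.
if ($changes) {
    $changes | Export-Csv -Path '.\permission-changes.csv' -NoTypeInformation -Append
}
```

Run it without -Apply first and review the simulated changes; groups that do not appear in the matrix are never touched.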
Support Using Tools
There are, of course, convenient systems for administration tasks that give the administrator or person in charge of permissions a user-friendly UI with many options, which is especially useful if none of them has scripting experience.
These tools make it possible for a less-skilled administrator, who does not have a deep knowledge of permissions assignments in the NTFS file system, to carry out administration tasks quickly and easily.
In other words, these tools make it possible for the administrator to have a life without worries, since he/she will no longer need to spend a lot of time administering groups in the AD and will not have to work on the permissions in the file system again and again.
Instead, the administrator will be able to allot additional time to more meaningful tasks.
Security Analysis and Reporting
When the assignment of groups to folders has been done, it is possible, with some effort, to do manual analyses of the effective permission holders.
Everyone who is a member of a certain group will have a specific access permission to a specific object and, if necessary, its child objects. That means that the access possibilities in each area can be shown by a simple analysis of group memberships.
Here is an example of a simple PowerShell script that lists who can access “Accounting” and which permissions each of them has.
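An added example of such a listing (not the article's original script), using Get-Acl and the ActiveDirectory module from RSAT. The share path is a hypothetical placeholder, the domain prefix is assumed to be the current user's NetBIOS domain, and the script goes one step further by expanding nested groups.

```powershell
#Requires -Modules ActiveDirectory
# Added example: list the accounts that reach a folder through its ACL,
# expanding group membership, including nested groups.
$Path   = '\\fileserver\Accounting'   # hypothetical share path
$Domain = $env:USERDOMAIN             # assumption: groups live in the current user's domain

function New-AccessRow($Ace, $Account) {
    [pscustomobject]@{
        Account   = $Account
        Via       = $Ace.IdentityReference.Value   # ACL entry that grants (or denies) the access
        Rights    = $Ace.FileSystemRights
        Type      = $Ace.AccessControlType         # Allow or Deny
        Inherited = $Ace.IsInherited
    }
}

$report = foreach ($ace in (Get-Acl -Path $Path).Access) {
    $name = $ace.IdentityReference.Value
    # Built-in principals and unresolved SIDs of deleted accounts are reported as-is.
    if ($name -notlike "$Domain\*") { New-AccessRow $ace $name; continue }

    $sam = $name.Split('\')[1]
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
    if ($obj.ObjectClass -eq 'group') {
        # -Recursive flattens nested groups down to the accounts that are effectively members.
        Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive |
            ForEach-Object { New-AccessRow $ace "$Domain\$($_.SamAccountName)" }
    } else {
        New-AccessRow $ace $name
    }
}

$report | Sort-Object Account, Via | Format-Table -AutoSize
$report | Export-Csv -Path '.\Accounting-access.csv' -NoTypeInformation
```

The rows are ACL entries, not computed effective access: Deny entries and share-level permissions still have to be read alongside them.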
The same is true for persons (individual Active Directory accounts). An employee is a member of certain access groups.
Because of the uniqueness of the membership, it is possible to show immediately which objects the employee can access and what permissions he/she has.
But what if the security groups are nested? For instance, what if a group is itself a member of another group whose members have access to a specific folder?
In such a case, the analysis will be more time-consuming and prone to errors, as it is easy to lose track of things in more complex contexts.
As already mentioned, professional tools offer far more possibilities and a more comfortable user interface. In addition, such tools do not require coding expertise and can be provided to the data owner or even directly to users.
Surveys show that only about half of all IT administrators document their work. Thus, many are not documenting how the administration of permissions is taken care of, or why, when, and where a permission was gained or revoked, and by whom.
If there is a data security breach or audit, this lack of planning can have serious consequences.
As an administrator, you should ensure you keep updated and audited reports of folder permissions; otherwise, the security consequences could be difficult to contain.
No Tools for Managing Security Rights
Without any tools to manage security rights, you will lack control over your critical infrastructure.
The complexity of IT is constantly increasing. This applies not only to applications, networks, data quantities, and possibilities, but also to globalisation and the use of resources that are not on-site or that have been leased.
Administrators are being confronted with increasing demands and are frequently overburdened and unable to cover the breadth of all of their activities.
Because of that, it is imperative to deploy tools to make the work easier, reduce the effort required, generate automatic documentation, and maintain the integrity of all processes.
Over the previous couple of articles, we’ve talked about the following five steps to managing access on Windows fileservers effectively:
- Defining business processes and responsibilities
- Using security groups for assigning permissions
- Assigning users to Active Directory security groups
- Implementing proper tooling and reporting
We hope you’ll make use of the steps to take your data access management to the next level.