Posts

Managing Data Access on Windows Fileservers: Introduction

Windows fileservers are usually seen as convenient storage systems for managing data access within an organisation.

However, fileservers are a mixed blessing: aside from being effective in providing easy user access, their improper management is often the headache of the IT department.

Unauthorised access to shared data, distortion and even deletion and alteration of files and folders, as well as illicit exfiltration of sensitive data are some of the pains that fileservers cause to most small and large organisations.

Importance of  managing data access on Windows fileservers

Here are five reasons why properly managing data access on Windows fileservers is important.

1. Prevent Privilege Creep

Privilege creep is a security nuisance that occurs when a user gathers excessive access rights than initially intended.

If a user’s access privileges are not revoked, particularly after changing roles within the organisation, it can result into a privilege creep.

For example, if a manager with access rights to important company files is demoted, and the rights are not revoked, he may misuse the privileges and cause major damages.

Why is preventing privilege creep important?

  • An employee with unrevoked privileges can maliciously access important data and bring the company to its knees
  • If an account of an employee with uncleaned privileges is hacked, it can lead to more excessive damages
  • Managing user accounts with excessive privileges is burdensome and costly

2. Prevent Data Breaches

If access to Windows fileservers is not properly managed and unauthorized access prevented, it can result into heavy data loss and theft.

Data breaches are a nightmare to organisations worldwide, with a recent study estimating that they led to losses of about $3,62 million in 2017.

Currently, most organisations have invested in heavy IT infrastructure where a huge number of files and folders are accessed frequently.

In such a scenario, tracking unauthorised access whenever there is inappropriate access to sensitive files and folders becomes difficult, unless there is considerable investment in managing access.

If security logs are regularly examined, network is regularly scanned, and outbound traffic is regularly monitored, it can substantially reduce the potential risks of data breaches.

3. Better Auditing of Sensitive Folders and Files

Properly managing data access on Windows fileservers assists in better auditing and tracking on the usage of sensitive folders and files.

If permissions are granted to users, the actions they undertake, such as file creation or modification, can be tracked.

C:\Users\carst\AppData\Local\Microsoft\Windows\INetCache\Content.Word\index03-02.png

With proper management, it is easier to get answers to “Who”, “What”, “When”, and “Where” questions concerning any alterations made by any user in Windows fileservers within the network.

This way, if the auditing reveals wrong usage, the permissions can be revoked to ensure security is maintained.

The following example is an illustration of this:

A user group can be granted permissions to “List folder contents”. This permission allows the group to view and list the items present in the selected folder.

However, if the auditing reveals that the user group also has other unintended permissions, they can be revoked and reassigned.

4. Provide complete visibility of fileservers

Practicing proper management provides comprehensive information on every access event taking place across the Windows fileservers.

With complete visibility of every user activity across the organisation’s fileservers, improper settings and security loopholes can be prevented.

C:\Users\carst\AppData\Local\Microsoft\Windows\INetCache\Content.Word\index02-08.png

The following example is an illustration of this:

If a visibility analysis reveals that “Deny” permissions have been assigned to a folder, it implies that Allow permissions will be overridden, leading to insecure administrative hurdles that are difficult to solve.

Therefore, with complete visibility of the fileservers, such improper settings can be avoided.

5. Saves Time and Efforts

Properly managing data access on Windows fileservers also lessens the wastage of time and energy associated with various fileserver activities.

The following example is an illustration of this:

If a security group is nested it can lead to wastage of time and efforts in keeping track of the various fileserver activities.

In case a group belongs to another group, whose members can access a particular folder, any analysis will be time-consuming and prone to security flaws.

C:\Users\carst\AppData\Local\Microsoft\Windows\INetCache\Content.Word\separated index02-03.png

However, with proper management, considerable amount of time can be saved in ensuring the best practices are observed for optimal network security.

Conclusion

In the next couple of articles, we’ll talk about the five steps to managing data access on Windows fileservers effectively.

Here are the steps we’ll cover: