Windows Reverification

From: Markiewicz, Douglas (dma2p@allstate.com)
Date: 06/10/02


From: "Markiewicz, Douglas" <dma2p@allstate.com>
To: "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Date: Mon, 10 Jun 2002 07:44:46 -0500

I am looking to reverify access controls in the Windows environment. There
are two major components involved in the efforts: 1) reverifying access to
global security groups, 2) file system access reverification.

The biggest problem with even getting this effort off the ground is
scalability. We have approximately 16,000+ global security groups all with
different owners based on the area using the global group. Some don't even
have owners listed in AD. All we'd like from the effort is to send an email
or some other notification to the group owner, have them reverify the
members of the group, and send back notice giving an OK with any changes
that have been made. Has anybody done anything like this in the past?

Once this is done, we'd like to perform file system access reverification.
As in, what does any one user have access to on their workstation. Seems
like the best way to do this is to set permission standards based on the
type of access you have. Our base image centralizes most user settings (my
documents, local settings, temp, etc.) so denying write access to everything
but the personal folder would make the effort much more simplified. Not
sure what kind of problems this may bring up though. Thoughts on this as
well?

I haven't found any good documentation from Microsoft on this (e.g. Best
Practices) nor have I found a really good tool to assist in our efforts.
Any feedback would be appreciated.
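As an added example for the group-reverification part of the question (this is not code from the original post, nor from any Microsoft tool): a PowerShell script that uses the ActiveDirectory module to enumerate global security groups, separates the ones with no owner recorded, and produces one review CSV per owner that the owner fills in and returns. It assumes the ActiveDirectory module (RSAT) is installed, that the group owner is recorded in the `managedBy` attribute, and that the output folder, SMTP relay and sender address are placeholders to be replaced.

```powershell
# Added example, not part of the original post. Builds per-owner membership review
# files for AD global security groups and lists groups that have no owner at all.
Import-Module ActiveDirectory

$ReportRoot = Join-Path $env:TEMP 'GroupReverification'   # assumed output location
New-Item -ItemType Directory -Path $ReportRoot -Force | Out-Null

# Only global security groups, as in the original question
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "Global"' `
                      -Properties managedBy, description

$byOwner = @{}   # owner DN -> list of group review records
$unowned = @()   # groups with an empty managedBy attribute

foreach ($g in $groups) {
    # Direct members only; a nested group shows up as a member of type "group",
    # so the owner can see the nesting rather than an expanded list.
    $members = Get-ADGroupMember -Identity $g.DistinguishedName |
               Select-Object Name, objectClass, SamAccountName

    $record = [pscustomobject]@{
        Group       = $g.Name
        Description = $g.Description
        MemberCount = @($members).Count
        Members     = @($members)
    }

    if ([string]::IsNullOrEmpty($g.managedBy)) {
        $unowned += $record
        continue
    }
    if (-not $byOwner.ContainsKey($g.managedBy)) { $byOwner[$g.managedBy] = @() }
    $byOwner[$g.managedBy] += $record
}

# One CSV per owner: the reviewer marks Keep/Remove in the Decision column and returns it.
foreach ($ownerDn in $byOwner.Keys) {
    # managedBy may point at a group or contact rather than a user; then $owner stays $null
    $owner = Get-ADUser -Identity $ownerDn -Properties mail -ErrorAction SilentlyContinue
    $label = if ($owner) { $owner.SamAccountName }
             else { (($ownerDn -split ',')[0] -replace '^CN=', '') -replace '[^\w\-.]', '_' }
    $file  = Join-Path $ReportRoot ('{0}.csv' -f $label)

    $byOwner[$ownerDn] | ForEach-Object {
        $grp = $_
        $grp.Members | ForEach-Object {
            [pscustomobject]@{
                Group    = $grp.Group
                Member   = $_.SamAccountName
                Type     = $_.objectClass
                Decision = ''      # reviewer fills in: Keep / Remove
            }
        }
    } | Export-Csv -Path $file -NoTypeInformation

    if ($owner -and $owner.mail) {
        # Relay and sender are placeholders; replace with your own values.
        Send-MailMessage -To $owner.mail -From 'access-review@example.com' `
            -SmtpServer 'smtp.example.com' -Subject 'Group membership review' `
            -Body 'Please review the attached membership list and return it with Keep or Remove in the Decision column.' `
            -Attachments $file
    }
}

# Nobody can reverify a group that has no owner; list these for owner assignment first.
$unowned | Select-Object Group, Description, MemberCount |
    Export-Csv -Path (Join-Path $ReportRoot 'unowned-groups.csv') -NoTypeInformation

'{0} owners notified, {1} groups without an owner' -f $byOwner.Count, $unowned.Count
```

Two design points follow from the scale described in the post. Grouping by owner rather than by group means an owner of fifty groups receives one file, not fifty mails, and the `unowned-groups.csv` list is the first deliverable, since a review cannot start for a group nobody is accountable for. When the CSVs come back, the same `Group`/`Member` pairs marked `Remove` can be fed to `Remove-ADGroupMember`, with the returned file kept as the evidence of who approved which change.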
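For the second part of the question, the file system reverification on a workstation, here is an added example (again not from the original post) that reports every directory under a scan root where the account running the script can create, modify or delete content, and then flags those outside the user's profile as exceptions to a "write only to your personal folder" standard. It assumes it is run in the session of the user being reviewed, so the token's own group SIDs are what get evaluated; the scan root, output path and the profile-based exclusion are assumptions, and with redirected folders such as the post describes the exclusion list would need the redirected paths added.

```powershell
# Added example, not part of the original post. Lists directories the current
# account can write to and reports the ones outside its own profile.
param(
    [string[]]$Roots = @('C:\')   # assumed scan roots; narrow these on a large disk
)

# Rights that let a principal change content; pure read rights are ignored.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership')
# Inherited-only ACEs can carry generic rights that .NET does not map to named flags.
$genericWrite = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

# The user SID plus every group SID in the current token (Everyone, Users, domain groups...)
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

function Test-WriteAccess {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    $allowed = $false
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($sids -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -eq 0 -and ($rights -band $genericWrite) -eq 0) { continue }
        # Simplification: any matching deny overrides, which is stricter than the
        # Windows rule that an explicit allow beats an inherited deny.
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

$writable = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Directories whose ACL cannot be read are skipped rather than reported.
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if ($acl -and (Test-WriteAccess -Acl $acl)) { $_.FullName }
        }
}

# Anything outside the user's own profile is an exception to the standard.
$outside = @($writable | Where-Object { $_ -notlike "$env:USERPROFILE*" })
$outside | Sort-Object | Out-File -FilePath (Join-Path $env:TEMP 'writable-outside-profile.txt')

'{0} writable directories, {1} outside the profile' -f @($writable).Count, $outside.Count
```

The list this produces is the starting point for deciding the permission standard mentioned in the post: entries such as application data folders or printer spool directories that legitimately need user writes become the documented exceptions, and everything else is what a tightened base image would deny. Running it before and after a change to the image shows exactly which locations the change affected, which is the answer to "not sure what kind of problems this may bring up".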