Re: Access Management on file shares and client-server apps



On 2011-11-14 krymson@xxxxxxxxx wrote:
> Including "desktop client-server applications" may confuse the issue
> quite a bit. I'll read this as: You want to find a way to audit and
> maybe track changes to permissions settings on Microsoft folders.
> (I'll ignore share permissions, since share permissions should just be
> open and NTFS is where you should be explicit; but that itself is an
> arguable viewpoint...)
>
> It's been years since I used it, but I always liked ScriptLogic's
> Enterprise Security Reporter. It should be able to scan a folder
> location, interrogate the NTFS permissions, and generate a nice report
> that tells you all the effective permissions. I can't comment on how
> it tracks changes.
>
> If you're good about managing NTFS permissions properly by never
> assigning explicit AD *user accounts* permissions to folders and
> instead only assigning AD *groups* (that users are members of) to
> folders, you could get away with just interrogating AD groups and
> memberships. At that point you'll be looking at Active Directory
> change management/audit tools that tell you when new groups are made
> and when those groups are modified with new or removed users (or track
> user changes similarly).

Monitoring changes to AD groups is not sufficient if the task is to
track changes to permissions on files or folders. Even if you properly
handle access through group memberships, there's still the possibility
that permissions for some group were added to or revoked from a file or
folder.

If you want to track changes to permissions, SACLs are the way to go
(see e.g. [1]). If you want to analyze the current permissions, there is
a variety of tools you can use, like ntfsacls [2], DumpSec [3], or my
own script AuditACLs.vbs [4] (if you'll forgive the shameless plug).

[1] http://www.windowsitpro.com/article/permissions/auditing-permission-changes-on-a-folder
[2] http://www.coopware.in2.info/_ntfsacl.htm
[3] http://www.systemtools.com/somarsoft/
[4] http://www.planetcobalt.net/sdb/auditacls.shtml

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
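
The SACL approach recommended in the reply above, sketched as an added example (not part of the original post and not taken from the linked article or scripts). It assumes an elevated PowerShell session on a Windows Server 2008 or later file server, an English-language auditpol subcategory name, and a constructed folder path D:\Shares\Finance.

```powershell
# Added example: audit permission changes on a folder tree via a SACL entry.
$Folder = 'D:\Shares\Finance'   # constructed sample path, replace with the real share root

# 1. The SACL only produces events if object-access auditing for the
#    File System subcategory is enabled on the server.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. Build an audit ACE: log every successful change of permissions or owner,
#    by any principal (S-1-1-0 = Everyone), on this folder and all children.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit loads the SACL in addition to the DACL; without it the SACL is not read.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Report permission changes below the folder. Event 4670 ("Permissions on an
#    object were changed") carries the old and new security descriptor as SDDL.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        # 4670 is also logged for other object types, so keep only our folder tree.
        if ($data.ObjectName -like "$Folder*") {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object  = $data.ObjectName
                OldSddl = $data.OldSd
                NewSddl = $data.NewSd
            }
        }
    } | Format-List
```

Comparing OldSddl with NewSddl shows exactly which ACE was added or removed, which is the case that monitoring AD group membership alone does not catch.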
