Educause Security Discussion mailing list archives
Re: RESENT - File Sharing with Active Directory (AD) - migrating off of Novel File Sharing
From: "Miller, Don C." <donm () UIDAHO EDU>
Date: Wed, 24 Feb 2010 12:45:53 -0800
I forgot to mention you can use icacls to audit permissions for your filesystem. JRB software has their jrbutils for AD/Netware and the netware filesystem tools can export as cacls/icacls commands (if I remember correctly). We opted against this to comply with permission control policies with the university.

Don

-----Original Message-----
From: Miller, Don C.
Sent: Wednesday, February 24, 2010 11:53 AM
To: The EDUCAUSE Security Constituent Group Listserv
Subject: RE: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novel File Sharing

We only allow permissions to be set at a specific level in our shared content and it must be group based. This was to address the exact problem below with migrating from netware to a non-netware NTFS-aware solution. This rigid control also allows our first level support to be able to assess permissions simply by group membership without any rights to the filesystem.

We also use a common prefix for our 'shared spaces' of ss- groups. We try to follow Microsoft's AGDLP so the "ss" groups are DL and we nest functional global groups.

Example:
User: jvandal
Group Members: helpdesk-employees
Shared Space Group: ss-filesystem1-helpdesk (helpdesk-employees is a member)
Rights are assigned to ss-filesystem1-helpdesk

The Help Desk can easily view the nested "ss-" groups for jvandal to identify all the shared spaces he has access to. This requires not allowing any permission controls for end users. We have a method for delegating group management to owners in each department via our self-service web tools.

Our migration, last year, with this method went smoothly. The only trouble was saying "no" to customers who previously had very odd organizing habits for their shared spaces. The other side benefits are the ss- groups are mail enabled so we can easily send email to specific share/folder users.
Don Miller
University of Idaho

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Will Froning
Sent: Tuesday, February 23, 2010 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novel File Sharing

Hello All,

On Tue, Feb 23, 2010 at 2:02 AM, Chris Green <cmgreen () uab edu> wrote:
> Try: http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
>
> AD does do a good job of displaying what GROUPS someone is a member of, so if you can enforce most permissions are done by group, you can take care of most of your typical edge cases. However, it just takes one lazy ACL to get that to be a "scan everything".
>
> On the same topic, anyone know a simple way to do similar for SharePoint?
I've never used this, but I think it does what you both need: <http://www.scriptlogic.com/products/enterprisesecurityreporter/>

Having said that, we use group-based share permissions. So we don't really mess with NTFS. It puts more of the onus on central IT for the initial setup, but we know/think it's done right.

Thanks,
Will
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Conlee, Keith
Sent: Monday, February 22, 2010 3:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RESENT - File Sharing with Active Directory (AD) - migrating off of Novel File Sharing

TOPIC: Security and File Sharing using Microsoft Active Directory (AD)

I apologize for resending this message. The first time my Subject line was the generic date/time of issue of the current Security Digest and not about the topic of the text I posted.

We implement file sharing with Novell but will soon be migrating off of Novell and implementing file sharing with AD. With Novell file sharing the files/folders a user has access to are attributes of the user's Novell account (under the "Memberships" and "Rights to Files/Folders" tabs). So it is very easy to find out what shared files/folders a user has access to just by looking at what is recorded in the user's individual Novell account information.

BUT with implementing file sharing with AD, the designation of what files/folders a user has access to is an attribute of each file or folder (at Properties->Security tab). So with AD file sharing it is extremely difficult to know what files/folders an individual user has access to without going to each shared file/folder in the system and looking to see if the user has access to it. HELP!

QUESTION: Is there a utility or a methodology out there somewhere that can be run against an AD file sharing implementation that I can execute with a "user ID" variable that will generate a report of what files/folders the specified "user ID" has access to?

Thanks for any help you can give. If you just want to contact me directly, my contact information is below.

Keith Conlee, CISSP, CBCP
Chief Security Officer, IT
College of DuPage
425 Fawell Blvd.
Glen Ellyn, IL 60137-6599
Ph. - 630.942.3055
Fax. - 630.790.0325
--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
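The group-based approach Don describes (AGDLP with an "ss-" prefix on the domain local groups that hold the NTFS rights) makes Keith's "what can this user ID reach?" question answerable from group membership alone. The script below is an added example, not Don's tooling or anything posted in the thread: it resolves a user's nested group membership in one LDAP query, lists the "ss-" groups, and then walks the first level of folders under a share root to confirm each folder's explicit ACEs really do point at one of those groups, flagging any ACE that grants rights some other way (Chris Green's "one lazy ACL"). It assumes the RSAT ActiveDirectory module, read access to the share roots, and a hypothetical `\\filesystem1\shared` root that you would replace with your own.

```powershell
# Added example (not from the thread). Report the shared spaces a user can reach
# through nested "ss-" group membership and cross-check the folder ACLs.
# Assumes the ActiveDirectory (RSAT) module and read access to the share roots.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string[]]$ShareRoots = @('\\filesystem1\shared'),   # hypothetical root; replace
    [string]$SharePrefix = 'ss-'
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) returns every group the
# user belongs to, directly or through nesting, in a single query.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty SamAccountName
$ssGroups = @($groups | Where-Object { $_ -like "$SharePrefix*" } | Sort-Object)

"Shared-space groups for $SamAccountName (including nested membership):"
$ssGroups | ForEach-Object { "  $_" }

# Cross-check the file system: every explicit ACE on a shared-space folder should
# name an ss- group. Anything else is a policy exception worth reviewing.
$domain = (Get-ADDomain).NetBIOSName
$builtin = '^(BUILTIN|NT AUTHORITY)\\|^CREATOR OWNER$'
foreach ($root in $ShareRoots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $folder = $_.FullName
        foreach ($ace in (Get-Acl -Path $folder).Access) {
            if ($ace.IsInherited) { continue }          # only explicit grants matter here
            $id = $ace.IdentityReference.Value
            if ($id -like "$domain\$SharePrefix*") {
                $name = $id.Split('\')[-1]
                if ($ssGroups -contains $name) {
                    "ACCESS     $folder  via $name  ($($ace.FileSystemRights))"
                }
            } elseif ($id -notmatch $builtin) {
                "EXCEPTION  $folder  grants $id directly (not an $SharePrefix group)"
            }
        }
    }
}
```

The ACCESS lines are the per-user report Keith asked for; the EXCEPTION lines are the folders where the group-only policy has been bypassed and the answer would otherwise require a full scan.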