If your organization’s network and NTFS shares are not properly structured, you may be leaving open a gaping hole for cyberattacks. Share permissions allow you to access specific folders and files on your computer network. NTFS permissions control your ability to interact with those files (e.g., read, edit, move or delete them).
The best practice for assigning permissions is to use security groups. Groups are created for access to shares, assigned the appropriate rights, and then users are added to the groups. This gives you two-way visibility into network permissions: You can view a group to see who its members are and what permissions they share for a folder or resource. But you can also look at an individual user account and see a list of all of the groups of which they are a member.
TYPICAL CHALLENGES WITH NETWORK SHARES
Assigning rights to individual users: This arrangement is very hard to manage and often results in stale accounts not being cleaned up when employees leave. It is hard to keep track of who has permissions to which files and folders.
Adding groups to groups: This scenario creates a similar problem. With groups and their permissions nested within one another, permissions are hard to track and effectively manage.
Ex-employee permissions live on: The biggest security risk to your network may come from accounts of old employees being compromised by hackers, who can use them to gain access to everything to which that user had access. While this is an issue of live accounts as well, the difference is that no one is trying to use accounts of past employees, so there is little visibility into changes being made to the account itself. By using security groups, you can simply open the user’s account and see every group they are assigned to and remove access accordingly.
NETWORK AND NTFS SHARE BEST PRACTICES
The more regimented you are with using security groups as the only means to control access to folders and files, the easier your control of the network will be. This goes hand-in-hand with properly structuring the Active Directory on your network.
We recommend creating a security group for each entry point of a share; it should be named in such a way that it is easy to recognize its purpose.
To keep up with changes in employees and their network permissions, we recommend auditing them twice a year. Pay special attention to the accounts of employees who have left the organization. They can become compromised by hackers, who can use them to gain access to everything to which that user had access.
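One way to run the permissions part of that audit against a single share root, as an added PowerShell example rather than River Run's own tooling: it reports rights assigned directly to users, groups nested inside the groups on the ACL, and disabled or long-idle accounts that still hold access through a group. Assumptions: the RSAT ActiveDirectory module is installed, `\\FILESERVER\Share` is a placeholder path, and the 180-day idle threshold is an arbitrary choice.

```powershell
#Requires -Modules ActiveDirectory
# Added example: flag ACL entries on a share root that bypass the security-group model.
param(
    [string]$SharePath = '\\FILESERVER\Share',   # placeholder: the share root to audit
    [int]$IdleDays = 180                         # assumed threshold for a "stale" account
)

$cutoff = (Get-Date).AddDays(-$IdleDays)

function New-Finding($Issue, $Principal, $Rights) {
    [pscustomobject]@{ Path = $SharePath; Issue = $Issue; Principal = $Principal; Rights = $Rights }
}

$report = foreach ($ace in (Get-Acl -Path $SharePath).Access) {
    $id = $ace.IdentityReference

    # An ACE that still shows a raw SID could not be resolved, typically a deleted account or group.
    if ($id.Value -like 'S-1-5-21-*') {
        New-Finding 'Unresolved SID (likely deleted principal)' $id.Value $ace.FileSystemRights
        continue
    }
    try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }
    if ($sid -notlike 'S-1-5-21-*') { continue }   # skip SYSTEM, BUILTIN\*, Everyone and similar

    $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
    if (-not $obj) { continue }                    # local account or a principal from another domain

    switch ($obj.ObjectClass) {
        'user' {
            New-Finding 'Right assigned directly to a user' $id.Value $ace.FileSystemRights
        }
        'group' {
            foreach ($m in Get-ADGroupMember -Identity $obj.DistinguishedName) {
                if ($m.objectClass -eq 'group') {
                    New-Finding "Group nested inside $($id.Value)" $m.SamAccountName $ace.FileSystemRights
                }
                elseif ($m.objectClass -eq 'user') {
                    $u = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate
                    # Disabled, never logged on, or idle past the cutoff: candidate ex-employee account.
                    if (-not $u.Enabled -or -not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
                        New-Finding "Disabled or idle account in $($id.Value)" $u.SamAccountName $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

$report | Sort-Object Issue, Principal | Format-Table -AutoSize
```

The script reads only the NTFS ACL on the path it is given, so run it once per share entry point.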
Part of your audit should also focus on files that have been accessed and changed outside of normal business hours. By monitoring your network traffic, you can find patterns that are outliers to your normal business activity. If your office is not 24/7 but access or high network utilization is detected at night, your network may have been compromised.
What condition are your network and NTFS shares in? If you are not sure, please contact River Run to schedule a network audit at 414-228-7474.