Tuesday, March 20, 2018

Stay Away from the DUPs


We call them DUPs (rhymes with pups) and we are not referring to duplicates.  What we mean are Direct User Permissions.  In the Microsoft world of CIFS shares you can provision access to folders in three ways:  direct user permissions, Active Directory groups, or through built-in groups such as Authenticated Users.  The problem with adding users directly to the Access Control List of a folder is when things change.  If someone gets a new role in an organization, no one is going back to all of the folders where they are provisioned and removing their access.  The same thing is probably true if they leave the organization.  Even if you disable or delete the user account, the Access Control Entry for that user remains.

Yesterday, in doing a review of the high value targets (the most sensitive HR and compensation folders) for a client, we found people with Full control on some of the folders, even though their accounts were disabled.  In one case, they system admin had left the organization six years ago.  They would have been far better off creating an AD security group and using that for access to the folders.  In that case, they would have deleted him from the group when he moved on from the company.  Then they would have dodged the nasty glare of the auditor.  So, stay away from DUPs and review permissions on your high value folders on a regular basis.

No comments:

Post a Comment