We call them DUPs (rhymes with pups), and we are not referring to duplicates. We mean Direct User Permissions. On Windows (CIFS/SMB) file shares you can provision access to a folder in three ways: a direct user permission, an Active Directory group, or a built-in group such as Authenticated Users. The problem with adding a user directly to a folder's Access Control List shows up when things change. When someone takes on a new role in the organization, no one goes back to every folder where that user was provisioned and removes the access. The same is true when they leave the organization: even after the user account is disabled or deleted, the Access Control Entry for that account remains on the folder. A disabled account keeps a fully resolvable ACE; a deleted account leaves an orphaned ACE that shows only the account's raw SID, since there is no longer a name to resolve it to.
Yesterday, in doing a review of the high value targets (the
most sensitive HR and compensation folders) for a client, we found people with
Full control on some of the folders, even though their accounts were
disabled. In one case, the system admin
had left the organization six years ago.
They would have been far better off creating an AD security group and granting that group access to the folders. Then, when the admin moved on from the company, removing him from the group would have revoked the access everywhere in one step, and they would have dodged the nasty glare of the auditor. So stay away from DUPs, and review the permissions on your high value folders on a regular basis.
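The review described above can be scripted. The following is an added example (not code from the original post): it walks a list of high value folders, reports every explicit ACE granted to an individual AD user (the DUPs) together with whether that account is active, disabled, or already deleted (the orphaned SID case), and offers a helper that swaps one DUP for an equivalent ACE on an AD security group. It assumes the RSAT ActiveDirectory module is installed and that the folder paths, user names and group name are placeholders for your own environment.

```powershell
# Added example, not code from the original post. Audits high value folders for
# Direct User Permissions (DUPs): explicit ACEs granted to an individual AD user
# rather than a group. Each DUP is reported as Active, Disabled, or Orphaned
# (the ACE outlived the account, so only a raw SID remains). Assumes the RSAT
# ActiveDirectory module is available; paths and names below are placeholders.
Import-Module ActiveDirectory

# Placeholder paths (assumption): substitute the folders you consider high value.
$HighValueFolders = @('\\fileserver\HR\Compensation', '\\fileserver\HR\Personnel')

function Get-DirectUserPermission {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($folder in $Path) {
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are reported on the folder where they were set.
            if ($ace.IsInherited) { continue }

            $ref = $ace.IdentityReference
            if ($ref -is [System.Security.Principal.SecurityIdentifier]) {
                # Get-Acl could not translate the SID to a name: the account is gone.
                $status = 'Orphaned'
            } else {
                # "DOMAIN\sam" -> sam. Get-ADUser fails for groups, BUILTIN and
                # NT AUTHORITY principals and server-local accounts, so those are
                # skipped and only genuine AD user ACEs are reported.
                $sam = ($ref.Value -split '\\')[-1]
                try {
                    $user = Get-ADUser -Identity $sam -Properties Enabled -ErrorAction Stop
                } catch {
                    continue
                }
                $status = if ($user.Enabled) { 'Active' } else { 'Disabled' }
            }

            [pscustomobject]@{
                Folder   = $folder
                Identity = $ref.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Status   = $status
            }
        }
    }
}

# Replace one DUP with an equivalent ACE for an existing AD security group, so
# that future leavers are handled by removing them from the group.
function Convert-DirectUserPermissionToGroup {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserIdentity,   # e.g. 'CORP\jdoe' (placeholder)
        [Parameter(Mandatory)][string]$GroupIdentity   # e.g. 'CORP\HR-Comp-RW' (placeholder)
    )
    $acl = Get-Acl -Path $Path
    $userAces = $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $UserIdentity
    }
    foreach ($ace in $userAces) {
        # Same rights, inheritance, propagation and allow/deny type; new principal.
        $groupAce = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $GroupIdentity, $ace.FileSystemRights, $ace.InheritanceFlags,
            $ace.PropagationFlags, $ace.AccessControlType)
        $acl.AddAccessRule($groupAce)
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Report only the ACEs that should not be there any more.
Get-DirectUserPermission -Path $HighValueFolders |
    Where-Object { $_.Status -ne 'Active' } |
    Format-Table -AutoSize
```

Drop the `Where-Object` filter to see active DUPs as well; those are the ones to migrate to a group with `Convert-DirectUserPermissionToGroup` before the next auditor visit. Run `Set-Acl` with `-WhatIf` first if you want to see the change before it is written.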