How do I get permission from Windows Explorer?

Users with unrestricted access permissions to files and folders are the ultimate target for cyber-criminals. If such accounts are compromised, then the attacker effectively holds the keys to your kingdom.

Continuous tracking of who has access to what on the File server is a vital part of ensuring that your permissions don’t sprawl out of control. In this article, we will go through the manual ways in which changes made to files and folders can be identified.

We will also show you how Lepide File Server Auditor simplifies the process.

Steps to Track Permissions Applied on Files and Folders

Keeping sensitive data under close surveillance helps keep your network infrastructure in a constant state of security. To do this, event-by-event analysis is crucial.

Let’s have a look at the steps you need to take to check who has access to what on the files or folders in your File server:

How Lepide File Server Auditor Analyzes the Current Effective Permissions Users Have on Files and Folders

With a comprehensive auditing solution like Lepide File Server Auditor in place, you can easily analyze current effective permissions held by users on files and folders, as well as modifications made to permissions.

The following screenshots show our “Current permissions” reports, which let you analyze the current permissions set on shared files and folders:

Figure 4: Current permissions report

Our solution allows you to view permissions assigned to everyone, filter and sort the reports, identify stale objects and also indicate if the permission inheritance is broken at that level.

The following screenshot shows the user permissions on “test123” folder:

Figure 5: Permissions by users report

Effective permissions on an object are calculated after carefully analyzing and comparing both the NTFS and share permissions being applied. The screenshot given below allows you to analyze the permission flow for an object:

Figure 6: Graphical view of Effective Permissions

All 13 default permissions are represented using different colors and icons in our reports.

The following screenshot displays the effective permissions held by the members of a Group.

Figure 7: Effective permissions held by Group members

In addition to the reports shown here, Lepide File Server Auditor generates reports for inherited permissions, direct permissions and indirect permissions. You can also keep track of all changes in the permissions of files and folders and roll back any applied permission.

Figure 8: Reverse Permissions

There really is no better way to audit and track permissions in a file server than with Lepide. What’s more, Lepide can add more context to your permissions auditing, by classifying files that contain sensitive data. With this context, you can track who has access to sensitive, regulated data, and get alerts when permissions are changed. Lepide can also suggest whether the applied permissions are excessive based on the data usage patterns of the employee in question.


On NTFS volumes, you can assign access permissions to files and folders. These permissions grant or deny access to users and groups.

Basic Permissions

In Windows Explorer you can view basic permissions by right-clicking the file or folder you want to work with, selecting Properties on the shortcut menu, and then in the Properties dialog box selecting the Security tab, as shown in Figure 21-20. The Group Or User Names list shows groups and users with assigned permissions. If you select a group or user in this list, the applicable permissions are shown in the Permissions For list. If permissions are unavailable, it means the permissions are inherited from a parent folder as discussed previously.

Figure 21-20. The Security tab shows the basic permissions assigned to each user or group.

The basic permissions you can assign to folders and files are shown in Table 21-1 and Table 21-2. These permissions are made up of multiple special permissions.

Table 21-1. Basic Folder Permissions

| Permission | Description |
| --- | --- |
| Full Control | This permission permits reading, writing, changing, and deleting files and subfolders. If a user has Full Control over a folder, she can delete files in the folder regardless of the permission on the files. |
| Modify | This permission permits reading and writing of files and subfolders; allows deletion of the folder. |
| List Folder Contents | This permission permits viewing and listing files and subfolders as well as executing files; inherited by folders only. |
| Read & Execute | This permission permits viewing and listing files and subfolders as well as executing files; inherited by files and folders. |
| Write | This permission permits adding files and subfolders. |
| Read | This permission permits viewing and listing files and subfolders. |

Table 21-2. Basic File Permissions

| Permission | Description |
| --- | --- |
| Full Control | This permission permits reading, writing, changing, and deleting the file. |
| Modify | This permission permits reading and writing of the file; allows deletion of the file. |
| Read & Execute | This permission permits viewing and accessing the file's contents as well as executing the file. |
| Write | This permission permits writing to a file. Giving a user permission to write to a file but not to delete it doesn't prevent the user from deleting the file's contents. |
| Read | This permission permits viewing or accessing the file's contents. Read is the only permission needed to run scripts. Read access is required to access a shortcut and its target. |

You can set basic permissions for files and folders by following these steps:

1 In Windows Explorer, right-click the file or folder you want to work with, and select Properties. In the Properties dialog box select the Security tab, shown previously in Figure 21-20.

2 Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by selecting the user or group you want to change and using the Permissions list box to grant or deny access permissions.

3 The Locations button allows you to access account names from other domains. Click Locations to see a list of the current domain, trusted domains, and other resources that you can access. Because of the transitive trusts in Windows Server 2003, you can usually access all the domains in the domain tree or forest.

4 Type the name of a user or group account in the selected or default domain, and then click Check Names. The options available depend on the number of matches found as follows:

■ When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.

■ When no matches are found, you've either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or click Locations to select a new location.

■ If multiple matches are found, select the name(s) you want to use, and then click OK.

5 To add additional users or groups, type a semicolon (;), and then repeat this process.

6 When you click OK, the users and groups are added to the Name list for the share. Configure access permissions for each user and group added by selecting an account name and then allowing or denying access permissions. If a user or group should be granted access permissions, select the permission in the Allow column. If a user or group should be denied access permissions, select the permission in the Deny column.

7 When you're finished, click OK.

Special Permissions

In Windows Explorer you can view special permissions by right-clicking the file or folder you want to work with and selecting Properties on the shortcut menu. In the Properties dialog box, select the Security tab, and then click Advanced to display the Advanced Security Settings dialog box, as shown in Figure 21-21.

The special permissions available are as follows:

• Traverse Folder/Execute File: Traverse Folder lets you directly access a folder even if you don't have explicit access to read the data it contains. Execute File lets you run an executable file.

• List Folder/Read Data: List Folder lets you view file and folder names. Read Data lets you view the contents of a file.

• Read Attributes: Lets you read the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

• Read Extended Attributes: Lets you view the extended attributes (named data streams) associated with a file. As discussed in Chapter 20, "Managing Windows Server 2003 File Systems," these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

• Create Files/Write Data: Create Files lets you put new files in a folder. Write Data allows you to overwrite existing data in a file (but not add new data to an existing file because this is covered by Append Data).

• Create Folders/Append Data: Create Folders lets you create subfolders within folders. Append Data allows you to add data to the end of an existing file (but not to overwrite existing data because this is covered by Write Data).

• Write Attributes: Lets you change the basic attributes of a file or folder. These attributes include Read-Only, Hidden, System, and Archive.

• Write Extended Attributes: Lets you change the extended attributes (named data streams) associated with a file. As discussed in Chapter 20, these include Summary fields, such as Title, Subject, and Author, as well as other types of data.

• Delete Subfolders and Files: Lets you delete the contents of a folder. If you have this permission, you can delete the subfolders and files in a folder even if you don't specifically have Delete permission on the subfolder or file.

• Delete: Lets you delete a file or folder. If a folder isn't empty and you don't have Delete permission for one of its files or subfolders, you won't be able to delete it. You can do this only if you have Delete Subfolders and Files permission.

• Read Permissions: Lets you read all basic and special permissions assigned to a file or folder.

• Change Permissions: Lets you change basic and special permissions assigned to a file or folder.

• Take Ownership: Lets you take ownership of a file or folder. By default administrators can always take ownership of a file or folder and can also grant this permission to others.

Figure 21-21. The Advanced Security Settings dialog box can be used to access the special permissions assigned to each user or group.

Tables 21-3 and 21-4 show how special permissions are combined to make the basic permissions for files and folders. Because special permissions are combined to make the basic permissions, they are also referred to as atomic permissions.

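Table 21-3. Special Permissions for Folders

| Special Permission | Full Control | Modify | Read & Execute | List Folder Contents | Read | Write |
| --- | --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | X | X | X | X | | |
| List Folder/Read Data | X | X | X | X | X | |
| Read Attributes | X | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | X | |
| Create Files/Write Data | X | X | | | | X |
| Create Folders/Append Data | X | X | | | | X |
| Write Attributes | X | X | | | | X |
| Write Extended Attributes | X | X | | | | X |
| Delete Subfolders And Files | X | | | | | |
| Delete | X | X | | | | |
| Read Permissions | X | X | X | X | X | X |
| Change Permissions | X | | | | | |
| Take Ownership | X | | | | | |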

Table 21-4. Special Permissions for Files

| Special Permission | Full Control | Modify | Read & Execute | Read | Write |
| --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | X | X | X | | |
| List Folder/Read Data | X | X | X | X | |
| Read Attributes | X | X | X | X | |
| Read Extended Attributes | X | X | X | X | |
| Create Files/Write Data | X | X | | | X |
| Create Folders/Append Data | X | X | | | X |
| Write Attributes | X | X | | | X |
| Write Extended Attributes | X | X | | | X |
| Delete Subfolders and Files | X | | | | |
| Delete | X | X | | | |
| Read Permissions | X | X | X | X | X |
| Change Permissions | X | | | | |
| Take Ownership | X | | | | |
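The composition shown in Tables 21-3 and 21-4 can be checked from PowerShell, where each special permission is one bit of the .NET FileSystemRights enum that Get-Acl returns. This is an added example, not part of the original text; the helper names Expand-FileSystemRights and Get-AclSpecialPermissions are hypothetical.

```powershell
# Added example, not from the original text. Helper names are hypothetical.
$FsRights = [System.Security.AccessControl.FileSystemRights]

# The 13 special permissions, each mapped to the single enum bit that carries
# it (the file and folder meanings of a pair share one bit).
$Special = [ordered]@{
    'Traverse Folder/Execute File' = $FsRights::ExecuteFile
    'List Folder/Read Data'        = $FsRights::ReadData
    'Read Attributes'              = $FsRights::ReadAttributes
    'Read Extended Attributes'     = $FsRights::ReadExtendedAttributes
    'Create Files/Write Data'      = $FsRights::WriteData
    'Create Folders/Append Data'   = $FsRights::AppendData
    'Write Attributes'             = $FsRights::WriteAttributes
    'Write Extended Attributes'    = $FsRights::WriteExtendedAttributes
    'Delete Subfolders and Files'  = $FsRights::DeleteSubdirectoriesAndFiles
    'Delete'                       = $FsRights::Delete
    'Read Permissions'             = $FsRights::ReadPermissions
    'Change Permissions'           = $FsRights::ChangePermissions
    'Take Ownership'               = $FsRights::TakeOwnership
}

function Expand-FileSystemRights {
    # Return the names of the special permissions present in an access mask.
    param([Parameter(Mandatory)]
          [System.Security.AccessControl.FileSystemRights]$Value)
    foreach ($name in $Special.Keys) {
        if (([int]$Value -band [int]$Special[$name]) -ne 0) { $name }
    }
}

function Get-AclSpecialPermissions {
    # One row per ACE on $Path; AclControlBits marks entries that carry
    # Change Permissions or Take Ownership (check Type for Allow vs. Deny).
    param([Parameter(Mandatory)][string]$Path)
    $aclControl = [int]$FsRights::ChangePermissions -bor [int]$FsRights::TakeOwnership
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity       = $ace.IdentityReference.Value
            Type           = $ace.AccessControlType
            Inherited      = $ace.IsInherited
            AclControlBits = ([int]$ace.FileSystemRights -band $aclControl) -ne 0
            Special        = (Expand-FileSystemRights $ace.FileSystemRights) -join '; '
        }
    }
}

# Basic permissions expanded into their atoms, as in Tables 21-3 and 21-4.
foreach ($basic in 'FullControl', 'Modify', 'ReadAndExecute', 'Read', 'Write') {
    '{0,-15} {1}' -f $basic, ((Expand-FileSystemRights $basic) -join '; ')
}
```

The .NET Write value (0x116) carries no Read Permissions bit, so its line lists only the four write atoms, whereas the tables above also mark Read Permissions under Write. Run Get-AclSpecialPermissions against a folder to see which entries hold the ACL-control bits that separate Full Control from Modify.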

You can set special permissions for files and folders in Windows Explorer. Right-click the file or folder you want to work with, and then select Properties. In the Properties dialog box, select the Security tab, and then click Advanced. This displays the dialog box shown previously in Figure 21-21. You now have the following options:

• Add: Adds a user or group. Click Add to display the Select User, Computer, Or Group dialog box. Type the name of a user or group, and click Check Names. If multiple names match the value you entered, you'll see a list of names and will be able to choose the one you want to use. Otherwise, the name will be filled in for you. When you click OK, the Permission Entry For dialog box shown in Figure 21-22 is displayed.

Figure 21-22. Use the Permission Entry For dialog box to set special permissions.

• Edit: Edits an existing user or group entry. Select the user or group whose permissions you want to modify, and then click Edit. The Permission Entry For dialog box shown in Figure 21-22 is displayed.

• Remove: Removes an existing user or group entry. Select the user or group whose permissions you want to remove, and then click Remove.

If you are adding or editing entries for users or groups, you use the Permission Entry For dialog box to grant or deny special permissions. Select Allow or Deny for each permission as appropriate. When finished, use the Apply Onto options shown in Table 21-5 to determine how and where these permissions are applied. If you want to prevent subfolders and files from inheriting these permissions, select Apply These Permissions To Objects And/Or Containers Within This Container Only. When you do this, all the related entries in Table 21-5 are No. This means the settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.

Table 21-5. Special Permissions Apply Onto Options

| Apply Onto | Applies to Current Folder | Applies to Subfolders in the Current Folder | Applies to Files in the Current Folder | Applies to Subsequent Subfolders | Applies to Files in Subsequent Subfolders |
| --- | --- | --- | --- | --- | --- |
| This folder only | Yes | No | No | No | No |
| This folder, subfolders, and files | Yes | Yes | Yes | Yes | Yes |
| This folder and subfolders | Yes | Yes | No | Yes | No |
| This folder and files | Yes | No | Yes | No | Yes |
| Subfolders and files only | No | Yes | Yes | Yes | Yes |
| Subfolders only | No | Yes | No | Yes | No |
| Files only | No | No | Yes | No | Yes |

Note: When Apply These Permissions To Objects And/Or Containers Within This Container Only is selected, all the values under Applies To Subsequent Subfolders and Applies To Files In Subsequent Subfolders are No. The settings no longer apply onto subsequent subfolders or to files in subsequent subfolders.
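When reviewing an ACL from PowerShell, the Apply Onto choice of Table 21-5 appears as the InheritanceFlags and PropagationFlags of each entry, and the "within this container only" check box as NoPropagateInherit. The following added example (not part of the original text) translates those flags back into the table's wording; Get-ApplyOnto is a hypothetical helper name and the sample entries are constructed.

```powershell
# Added example, not from the original text. Get-ApplyOnto is a hypothetical name.
$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]

function Get-ApplyOnto {
    # Translate one ACE's inheritance and propagation flags into the
    # "Apply Onto" wording of Table 21-5.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    process {
        $ci = $Rule.InheritanceFlags.HasFlag($IF::ContainerInherit)   # subfolders
        $oi = $Rule.InheritanceFlags.HasFlag($IF::ObjectInherit)      # files
        $io = $Rule.PropagationFlags.HasFlag($PF::InheritOnly)        # not this folder
        $np = $Rule.PropagationFlags.HasFlag($PF::NoPropagateInherit) # one level only

        $key = @(
            if (-not $io) { 'this' }
            if ($ci)      { 'sub' }
            if ($oi)      { 'files' }
        ) -join '+'
        $label = @{
            'this'           = 'This folder only'
            'this+sub+files' = 'This folder, subfolders, and files'
            'this+sub'       = 'This folder and subfolders'
            'this+files'     = 'This folder and files'
            'sub+files'      = 'Subfolders and files only'
            'sub'            = 'Subfolders only'
            'files'          = 'Files only'
        }[$key]
        # InheritOnly with no inherit flag matches no row: the ACE applies nowhere.
        if (-not $label) { $label = 'Nothing (InheritOnly with no inherit flag)' }

        [pscustomobject]@{
            Identity          = $Rule.IdentityReference.Value
            Rights            = $Rule.FileSystemRights
            Type              = $Rule.AccessControlType
            Inherited         = $Rule.IsInherited
            ApplyOnto         = $label
            ThisContainerOnly = $np   # "No" in both "Subsequent" columns
        }
    }
}

# Constructed sample ACEs (inheritance flags | propagation flags); nothing on
# disk is read or changed.
$samples = 'None|None', 'ContainerInherit,ObjectInherit|None',
           'ContainerInherit|InheritOnly', 'ObjectInherit|NoPropagateInherit,InheritOnly'
foreach ($s in $samples) {
    $inherit, $propagate = $s -split '\|'
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'BUILTIN\Users', 'ReadAndExecute', $inherit, $propagate, 'Allow') | Get-ApplyOnto
}
```

To review a real folder, pipe its entries through the function: `(Get-Acl -Path $folder).Access | Get-ApplyOnto`, where `$folder` is the path you are auditing.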
