
I have to enforce NTFS permissions based on business roles. Each role (group in ADS) can be granted the permission to read or write a file server directory. I do not care about share permissions. I care about permissions stored in the NTFS. I have to ensure that the NTFS permissions are compliant with the policy. An entry in the policy could be, for example:

  • Users in the Support group have read access to the 'corporate-template' folder and write access to the 'support' folder.
  • Users in the Controlling group have read access to all but the 'management' folders and write access to the 'controlling' folder.

The compliance check should be done automatically. If the compliance check finds any violations of the policy the permissions must be corrected automatically. How can this be done?

As far as I can see, Windows does not provide such functionality. I found some products which can report NTFS permissions, but I cannot find a solution for an automatic reconciliation. What is the preferred way to do such a reconciliation in a Windows domain?

ceving
  • It is unclear if you are asking about a scenario where the user may inherit both read and deny permissions; if so, AD should always enforce a deny if any of the permissions are denies. Otherwise, it sounds like you want some type of business logic which is not in AD - e.g., the computer knows the user's job role and can determine if they are assigned a role which leads to segregation of duties? Access control is an automated control, so you should not be assigning permissions which go against policy to begin with. Please clarify your question. – Eric G Feb 22 '13 at 00:19
  • @EricG I do not understand your comment. I did not say anything about inheritance and I am wondering why you ask for it. I am asking about a way to synchronize ADS groups and folder permissions. I define a mapping between them and the software must enforce the mapping. I want to centralize the permission management based on business roles implemented as ADS groups. The problem is that the ADS functionality ends by putting persons in groups. I need to extend the management to the actual file system permissions. – ceving Feb 22 '13 at 10:44

1 Answer


If access is always through shares, I would advise the use of share permissions. These should be set to allow read/write but not full (so that users cannot change filesystem permissions inside the share). If users have console or TS access, that might not be suitable, though. But in most cases it is.

The problem with file/folder permissions is that they may or may not be carried over when files are moved from one folder tree to another. It's basically a permissions lottery in this respect, and one which depends on whether the files were moved on the server console or via shares. This situation leads to inadvertent security breaches.

Forget Microsoft's soapboxing about file permissions being superior, it's what works reliably that counts.

If you must use file permissions I would suggest creating a scheduled job using SetACL that resets the permissions to the default for that tree, say every hour.

SetACL: http://helgeklein.com/

IanR
  • Share permissions are problematic if someone gets direct access to the server. The same applies to malware. Thanks for SetACL but how can I link it to the ADS groups? – ceving Mar 08 '13 at 09:08
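The reconciliation the question asks for (a role-to-folder policy, a compliance check, and automatic correction of violations) and the scheduled "reset to the known-good ACL" job the answer proposes can both be done with PowerShell's Get-Acl/Set-Acl rather than a third-party tool. The script below is an added example, not code from the question, the answer or SetACL. The domain name `CORP`, the share root `D:\Shares`, the group names and the folder names are constructed placeholders taken from the policy wording in the question; the `$Policy` table is where the ADS groups are linked to folders, which is what the follow-up comment asks about.

```powershell
# Added example (not from the question or answer): reconcile NTFS ACLs on a
# file server against a role-to-folder policy. Domain, root path, group and
# folder names are constructed placeholders.
#Requires -Version 5.1
param(
    [string]$Root   = 'D:\Shares',   # assumed share root on the file server
    [string]$Domain = 'CORP',        # assumed NetBIOS domain name
    [switch]$ReportOnly              # report violations without changing ACLs
)

# Policy: one row per (group, access level, folder). Folder '*' with an
# Exclude list expresses "all top-level folders except ...".
$Policy = @(
    [pscustomobject]@{ Group='Support';     Access='Read';  Folder='corporate-template'; Exclude=@() },
    [pscustomobject]@{ Group='Support';     Access='Write'; Folder='support';            Exclude=@() },
    [pscustomobject]@{ Group='Controlling'; Access='Read';  Folder='*';                  Exclude=@('management') },
    [pscustomobject]@{ Group='Controlling'; Access='Write'; Folder='controlling';        Exclude=@() }
)

# Business access levels mapped to NTFS rights. 'Write' is Modify, not
# FullControl, so role members cannot change permissions themselves.
$RightsFor = @{
    Read  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    Write = [System.Security.AccessControl.FileSystemRights]::Modify
}
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None

# .NET adds the Synchronize bit to Allow ACEs, so mask it out before comparing.
function Normalize-Rights([System.Security.AccessControl.FileSystemRights]$r) {
    [int]$r -band -bnot [int][System.Security.AccessControl.FileSystemRights]::Synchronize
}

# Expand the policy into the desired explicit ACE per (folder, group). If a
# group matches several rows for one folder, keep the broader right (Modify).
function Get-DesiredAces {
    $desired = foreach ($rule in $Policy) {
        $folders = if ($rule.Folder -eq '*') {
            Get-ChildItem -LiteralPath $Root -Directory |
                Where-Object { $_.Name -notin $rule.Exclude } |
                Select-Object -ExpandProperty FullName
        } else { @(Join-Path $Root $rule.Folder) }
        foreach ($f in $folders) {
            [pscustomobject]@{ Path=$f; Identity="$Domain\$($rule.Group)"; Rights=$RightsFor[$rule.Access] }
        }
    }
    $desired | Group-Object Path, Identity | ForEach-Object {
        $_.Group | Sort-Object { [int]$_.Rights } -Descending | Select-Object -First 1
    }
}

function Invoke-NtfsReconcile {
    $desired    = @(Get-DesiredAces)
    $managed    = @($desired.Identity | Sort-Object -Unique)   # groups the policy governs
    $violations = 0
    foreach ($path in @($desired.Path | Sort-Object -Unique)) {
        $acl     = Get-Acl -LiteralPath $path
        $want    = @($desired | Where-Object Path -eq $path)
        $changed = $false

        # 1. Remove explicit ACEs for managed groups that the policy does not
        #    grant on this folder (wrong rights, Deny entries, or not listed).
        #    Inherited ACEs and unmanaged principals (admins, SYSTEM) are left alone.
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $id = $ace.IdentityReference.Value
            if ($id -notin $managed) { continue }
            $ok = $want | Where-Object { $_.Identity -eq $id -and
                      $ace.AccessControlType -eq 'Allow' -and
                      $ace.InheritanceFlags -eq $Inherit -and
                      (Normalize-Rights $ace.FileSystemRights) -eq (Normalize-Rights $_.Rights) }
            if (-not $ok) {
                Write-Warning "VIOLATION $path : unexpected ACE $id $($ace.AccessControlType) $($ace.FileSystemRights)"
                $null = $acl.RemoveAccessRuleSpecific($ace); $changed = $true; $violations++
            }
        }
        # 2. Add the ACEs the policy requires but the folder lacks.
        foreach ($w in $want) {
            $present = $acl.Access | Where-Object { -not $_.IsInherited -and
                           $_.IdentityReference.Value -eq $w.Identity -and
                           $_.AccessControlType -eq 'Allow' -and
                           $_.InheritanceFlags -eq $Inherit -and
                           (Normalize-Rights $_.FileSystemRights) -eq (Normalize-Rights $w.Rights) }
            if (-not $present) {
                Write-Warning "VIOLATION $path : missing $($w.Identity) $($w.Rights)"
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $w.Identity, $w.Rights, $Inherit, $Propagate, 'Allow')
                $acl.AddAccessRule($rule); $changed = $true; $violations++
            }
        }
        if ($changed -and -not $ReportOnly) {
            Set-Acl -LiteralPath $path -AclObject $acl
            Write-Host "Corrected $path"
        }
    }
    return $violations
}

$count = Invoke-NtfsReconcile
if ($ReportOnly -and $count -gt 0) { exit 1 }   # non-zero exit lets a monitor flag drift
```

Run it first with `-ReportOnly` to see what it would change, then register it as a Task Scheduler job under an account that holds Modify-permissions rights on the share root, at whatever interval the answer's "say every hour" suggests. The script only touches explicit ACEs for the groups named in `$Policy`, so inherited entries and other principals are not rewritten; because the desired ACEs carry ContainerInherit and ObjectInherit, correcting a top-level folder propagates to its subtree without walking every file.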