Sunday, November 13, 2011

The SANS Top 20 Week 9

This week we will be discussing controlled access. Most people are thinking, "You mean like permissions on files?" While this is certainly a large part of the picture, it is not the only part of it! Controlled access starts with asking: who needs to know? I have often found myself in the position to decide who should have access to information. For the last few years I have fought this freely given power. When someone sends me a message which says, "I can't get into file x," I will typically respond with a few questions. These questions, in my mind, are the keys to controlling access to information.

Questions I ask myself.

  1. Who is in control of this data?
    1. Does the user already have access to this data? Many times the answer is yes.
    2. Do I need to ask HR or a department head about this?
    3. Is the data even being stored in the correct place? Is the user trying to share a personal directory?
  2. What level of access is needed?
    1. In Windows this is fairly straightforward.
    2. Is this access permanent?


     

Questions I ask the user.

  1. When do you need this by?
  2. Does anyone else need access?
  3. Who is requesting this?
  4. Have you opened a ticket or sent an e-mail? (Paper trail, people, paper trail.)

OK, so I've made a point of giving out some basic information about what should be asked. This is what I've done in most situations which are not ideal. Ideally, however, the following should happen.

  1. DFS should be used. This gives data redundancy and availability.
  2. All shares should be hidden. While this isn't the end-all, be-all of security, it does stop casual browsing.
  3. Knowledge owners should be identified. In other words someone needs to approve these changes.
  4. When possible, set up shares by work area.
  5. Drives should be universally understood and applied via script.
  6. Access-based enumeration should be used.
  7. Make sure the process for requesting changes is known.
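
One way to check items 2 and 6 on an existing file server, and to produce a grant list that a knowledge owner (item 3) can review. This is an added example, not part of the original post; it assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated session, and the function name `Get-ShareAccessAudit` is made up for illustration.

```powershell
# Added example: audit local SMB shares for hidden names and access-based enumeration.
# Assumption: the SmbShare cmdlets are available and the session is elevated.
function Get-ShareAccessAudit {
    param(
        # Shares to inspect; defaults to every non-administrative share on this host.
        [object[]]$Share = (Get-SmbShare -Special $false)
    )

    foreach ($s in $Share) {
        # Share-level "Allow" entries, flattened to "Account:Right" for review.
        # NTFS permissions on the folder itself are a separate layer, not read here.
        $grants = Get-SmbShareAccess -Name $s.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { '{0}:{1}' -f $_.AccountName, $_.AccessRight }

        [pscustomobject]@{
            Share           = $s.Name
            Path            = $s.Path
            # A share is hidden from casual browsing when its name ends in '$'.
            Hidden          = $s.Name.EndsWith('$')
            # With access-based enumeration, users only see folders they can open.
            AccessBasedEnum = ($s.FolderEnumerationMode -eq 'AccessBased')
            ShareGrants     = $grants -join '; '
        }
    }
}

# Report every share that misses at least one of the two settings.
Get-ShareAccessAudit |
    Where-Object { -not ($_.Hidden -and $_.AccessBasedEnum) } |
    Sort-Object Share |
    Format-Table -AutoSize -Wrap

# Remediation for a single share (preview first with -WhatIf):
#   Set-SmbShare -Name '<share>' -FolderEnumerationMode AccessBased -WhatIf
# A share name cannot be changed in place; hiding one means recreating it
# with a trailing '$' and updating the drive-mapping script to match.
```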

While access to data is important, remember, just because you have the keys doesn't mean you should open the door!
