
Standard for managing access rights to corporate file information resources



What could be simpler than setting permissions on a folder in NTFS? Yet this simple task can turn into a real nightmare when there are hundreds, if not thousands, of such folders and changing the permissions on one folder "breaks" the permissions on others. Working effectively under such conditions requires an agreement, or standard, that describes how such problems are solved. In this article we consider one option for such a standard.



Scope



The standard for managing access rights to corporate file information resources (hereinafter the Standard) regulates the processes of granting access to file information resources hosted on computers running Microsoft Windows operating systems. The Standard applies where NTFS is used as the file system and SMB/CIFS as the network file-sharing protocol.



Terms and Definitions



An information resource is a named set of data to which methods and means of ensuring information security (for example, access control) are applied.

A file information resource is a collection of files and folders stored in a file system directory (called the root directory of the file information resource) to which access is restricted.

A composite file information resource is a file information resource that contains one or more nested file information resources whose access rights differ from those of the composite resource.

A nested file information resource is a file information resource that is part of a composite file information resource.

The entry point to a file information resource is the file system directory that is shared over the network and through which access to the file information resource is provided. This directory is usually the root directory of the file information resource itself, but it may also be one of its parent directories.

An intermediate directory is a file system directory lying on the path from the entry point to the root directory of the file information resource. If the entry point is the parent directory of the root directory of the file information resource, the entry point is also an intermediate directory.

A user access group is a local or domain security group that ultimately contains the user accounts granted one of the authority options for a file information resource.



Basic principles



  1. Access is restricted only at the directory level. Access to individual files is not restricted.
  2. Access rights are assigned to security groups. Access rights are never assigned to individual user accounts.
  3. Explicit Deny permissions are not used.
  4. Access rights are restricted only at the file system (NTFS) level. At the SMB/CIFS share level, rights are not restricted: the "Everyone" group is granted "Read/Write" (the Change share permission).
  5. When configuring network access to a file information resource, the "Access-based enumeration" option is enabled in the SMB/CIFS share settings.
  6. Creating file information resources on user workstations is not allowed.
  7. Placing file information resources on the system partitions of servers is not recommended.
  8. Creating multiple entry points to a file information resource is not recommended.
  9. Creating nested file information resources should be avoided where possible; where file or directory names themselves contain confidential information, it is not acceptable at all.
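Principles 2 and 3 (and the Table 1 requirement that a root directory does not inherit permissions) can be checked mechanically. The following PowerShell check is an added example, not part of the original article; Test-FirPrinciples is a hypothetical function name, and the group-name pattern it tests is the one from the naming rule of the Standard.

```powershell
# Added example, not part of the original article: audit a directory's DACL against
# principles 2 and 3 of the Standard (group-based ACEs only, no explicit Deny) and
# against the user access group naming rule. Test-FirPrinciples is a hypothetical name.
function Test-FirPrinciples {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$RootDirectory   # root directories must also have inheritance disabled (Table 1)
    )
    $acl = Get-Acl -Path $Path
    $mandatory = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($RootDirectory -and -not $acl.AreAccessRulesProtected) {
        $findings.Add('Table 1: inheritance from the parent directory is not disabled')
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # Principle 3: no explicit Deny entries at all.
        if ($ace.AccessControlType -eq 'Deny') {
            $findings.Add("Principle 3: explicit Deny ACE for '$id'")
            continue
        }
        if ($id -in $mandatory) { continue }   # A) mandatory rights are allowed as-is
        # Principle 2 and the naming rule: every other trustee must be a user access
        # group named FILE-<resource>-<abbreviation>; a user account, or 'Everyone'
        # granted at the NTFS level, is a deviation from the Standard.
        $account = ($id -split '\\')[-1]
        if ($account -notmatch '^FILE-.+-[A-Z0-9]+$') {
            $findings.Add("Principle 2: ACE for '$id' is not a user access group")
        }
        if ($RootDirectory -and $ace.IsInherited) {
            $findings.Add("Table 1: inherited ACE for '$id' on a root directory")
        }
    }
    # An empty list means the directory complies with the checked rules.
    return $findings
}

# Usage: check the root directory of the department resource from the article's example.
Test-FirPrinciples -Path 'D:\SHARE\Information Systems Development Department' -RootDirectory
```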



Access Control Model



Users are given access to a file information resource by granting them one of the following authority options:

  1. Read Only (RO)
  2. Read & Write (RW)

In the overwhelming majority of access control tasks these authority options are sufficient, but where necessary new options can be defined, for example "Read & Write without Remove". To implement a new authority, paragraph B.3 of Table 1 needs to be refined; otherwise the application of the Standard remains unchanged.



User Access Group Naming Rules



The names of user access groups are formed according to the pattern:

FILE-<File information resource name>-<Authorization abbreviation>

The file information resource name must match the UNC name of the resource, or consist of the server name and the local path (if no network access to the resource is provided). Abbreviations are allowed in this field where necessary. The leading "\\" is omitted, and "\" and ":" are replaced by "-".

Authorization abbreviations:

  RO - Read Only
  RW - Read & Write





Example 1

The name of the access group for users who have "Read Only" authority on a file information resource with the UNC name \\FILESRV\Report will be:

FILE-FILESRV-Report-RO



Example 2

The name of the access group for users who have "Read & Write" authority on a file information resource hosted on the TERMSRV server at the local path D:\UsersData will be:

FILE-TERMSRV-D-UsersData-RW
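The naming rule and both examples above as a small PowerShell helper, added here and not taken from the original article; Get-FirGroupName is a hypothetical name. It also collapses the ":\" pair of a drive root into a single "-", which is what Example 2 shows.

```powershell
# Added example, not part of the original article: build a user access group name
# from a resource location according to the Standard's naming rule.
function Get-FirGroupName {
    param(
        # UNC name of the resource (e.g. '\\FILESRV\Report'), or a local path when -Server is given
        [Parameter(Mandatory)][string]$Resource,
        # Server name, used only for a local path of a resource that is not shared
        [string]$Server,
        # Authorization abbreviation: RO, RW, or any abbreviation defined under Table 1 B.3
        [Parameter(Mandatory)][string]$Right,
        [string]$Prefix = 'FILE'
    )
    $name = $Resource.TrimEnd('\')
    if ($name.StartsWith('\\')) {
        $name = $name.Substring(2)          # the leading "\\" of a UNC name is omitted
    } elseif ($Server) {
        $name = "$Server\$name"             # server name + local path
    } else {
        throw "A local path requires -Server."
    }
    # "\" and ":" become "-"; a run such as the ":\" after a drive letter yields one "-",
    # so D:\UsersData on TERMSRV becomes TERMSRV-D-UsersData as in Example 2.
    $name = ($name -replace '[\\:]+', '-').Trim('-')
    return "$Prefix-$name-$Right"
}

Get-FirGroupName -Resource '\\FILESRV\Report' -Right RO            # FILE-FILESRV-Report-RO
Get-FirGroupName -Resource 'D:\UsersData' -Server TERMSRV -Right RW  # FILE-TERMSRV-D-UsersData-RW
```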



Permission templates for the directories of a file information resource





Table 1 - NTFS permissions template for the root directory of the file information resource.

Inheritance mode: inheritance of access rights from parent directories is disabled.

A) Mandatory rights

Subject: special account "SYSTEM"
  Rights: Full control
  Applies to: This folder, subfolders and files

Subject: local security group "Administrators"
  Rights: Full control
  Applies to: This folder, subfolders and files

B.1) "Read Only (RO)" authority

Subject: user access group "FILE-<Resource name>-RO"
  Basic permissions: a) read & execute; b) list folder contents; c) read
  Applies to: This folder, subfolders and files

B.2) "Read & Write (RW)" authority

Subject: user access group "FILE-<Resource name>-RW"
  Basic permissions: a) modify; b) read & execute; c) list folder contents; d) read; e) write
  Applies to: This folder, subfolders and files

B.3) Other authorities, if any

Subject: user access group "FILE-<Resource name>-<Authorization abbreviation>"
  Rights: according to the authority
  Applies to: This folder, subfolders and files



Table 2 - NTFS permissions template for intermediate directories of the file information resource.

Inheritance mode: inheritance of access rights from parent directories is enabled; however, if this directory is the top-level directory above the file information resources and is not itself part of any other file information resource, inheritance is disabled.

A) Mandatory rights

Subject: special account "SYSTEM"
  Rights: Full control
  Applies to: This folder, subfolders and files

Subject: local security group "Administrators"
  Rights: Full control
  Applies to: This folder, subfolders and files

B.1) "Traverse" authority (passing through a directory)

Subject: user access groups of the file information resources for which this directory is an intermediate directory
  Advanced permissions: a) traverse folder / execute file; b) list folder / read data; c) read attributes; d) read extended attributes; e) read permissions
  Applies to: This folder only
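The two templates applied with PowerShell, as an added example that is not part of the original article. Set-FirRootAcl and Add-FirTraverseAce are hypothetical function names; the usage call at the end uses the directory and group names from the article's own example and assumes those groups already exist in the ICS domain.

```powershell
# Added example, not part of the original article: apply the Table 1 root-directory
# template and the Table 2 intermediate-directory template. Function names are hypothetical.
using namespace System.Security.AccessControl

function Set-FirRootAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReadOnlyGroup,   # e.g. 'ICS\FILE-FILESRV-Report-RO'
        [Parameter(Mandatory)][string]$ReadWriteGroup   # e.g. 'ICS\FILE-FILESRV-Report-RW'
    )
    $acl = Get-Acl -Path $Path
    # Table 1: inheritance from the parent is disabled; inherited ACEs are discarded
    # ($false) rather than copied, and explicit ACEs are cleared, so only template ACEs remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
    $template = @(
        @('NT AUTHORITY\SYSTEM',    [FileSystemRights]::FullControl),     # A) mandatory
        @('BUILTIN\Administrators', [FileSystemRights]::FullControl),     # A) mandatory
        @($ReadOnlyGroup,           [FileSystemRights]::ReadAndExecute),  # B.1) read & execute, list, read
        @($ReadWriteGroup,          [FileSystemRights]::Modify)           # B.2) modify, read & execute, list, read, write
    )
    foreach ($entry in $template) {
        $acl.AddAccessRule([FileSystemAccessRule]::new($entry[0], $entry[1], $inherit,
            [PropagationFlags]::None, [AccessControlType]::Allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Add-FirTraverseAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Group
    )
    $acl = Get-Acl -Path $Path
    # Table 2 B.1: traverse folder / execute file, list folder / read data, read attributes,
    # read extended attributes, read permissions, applied to "This folder only" (no inheritance flags).
    $traverse = [FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
    foreach ($g in $Group) {
        $acl.AddAccessRule([FileSystemAccessRule]::new($g, $traverse,
            [InheritanceFlags]::None, [PropagationFlags]::None, [AccessControlType]::Allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage for the article's example: the department resource below the D:\SHARE entry point.
$ro = 'ICS\FILE-FILESRV-SHARE-Sep. razr. IS-RO'
$rw = 'ICS\FILE-FILESRV-SHARE-Sep. razr. IS-RW'
Set-FirRootAcl -Path 'D:\SHARE\Information Systems Development Department' -ReadOnlyGroup $ro -ReadWriteGroup $rw
Add-FirTraverseAce -Path 'D:\SHARE' -Group $ro, $rw
```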



Business processes to control access to file information resources



A. Creating a file information resource

When creating a file information resource, the following actions are performed:

  1. User access groups are created. If the server hosting the file information resource is a member of a domain, domain groups are created. If not, groups are created locally on the server.
  2. Access rights are assigned to the root directory and intermediate directories of the file information resource according to the access rights templates.
  3. User accounts are added to user access groups in accordance with their permissions.
  4. If necessary, a network folder (shared folder) is created for the file information resource.


B. Granting a user access to a file information resource

The user account is placed in the appropriate user access group, depending on the authority to be granted.



C. Changing a user's access to a file information resource

The user account is moved to another user access group, depending on the new authority.



D. Blocking a user's access to a file information resource

The user account is removed from the user access groups of the file information resource. If the employee leaves the organization, group membership is left unchanged and the account itself is disabled.



D1. Creating a nested file information resource. Expanding access

This task arises when a certain directory of a file information resource must be made available to an additional group of people (access is expanded). The following actions are performed:

  1. The file information resource is registered (per process A).
  2. The user access groups of the parent composite file information resource are added to the user access groups of the nested file information resource.


D2. Creating a nested file information resource. Narrowing access

This task arises when access to a certain directory of a file information resource must be restricted to a limited group of people:

  1. The file information resource is registered (per process A).
  2. The user access groups of the newly created resource are populated with the user accounts that need access.


E. Changing the access model of a file information resource

Where new types of authority need to be added alongside the standard "Read Only" and "Read & Write" options, for example "Read & Write without Remove", the following actions are performed:

  1. Users are blocked from accessing this and all nested file information resources by organizational (or technical, but not involving changes to directory access rights) means.
  2. The new access rights are assigned to the root directory of the file information resource, and the access rights on all child objects are replaced (inheritance is propagated).
  3. Access rights for all nested file information resources are migrated.
  4. Intermediate directories are configured for this and the nested file information resources.


Examples



Consider the application of the Standard using the example of a hypothetical organization, LLC InfoCryptoService, where a server named FILESRV is dedicated to centralized storage of file information resources. The server runs Microsoft Windows Server 2008 R2 and is a member of an Active Directory domain with the FQDN "domain.ics" and the NetBIOS name "ICS".



Preparing the file server

On drive "D:" of the server "FILESRV" we create the directory "D:\SHARE\". This directory will be the single entry point to all file information resources hosted on this server. We share this folder over the network (using the Share and Storage Management snap-in):



Creating a file information resource

Formulation of the problem.

Suppose that InfoCryptoService has an Information Systems Development Department consisting of the head of the department, Ivanov Sergey Leonidovich (SL.Ivanov@domain.ics), and a specialist, Markin Lev Borisovich (LB.Markin@domain.ics), and that a file information resource for storing the department's data needs to be set up for them. Both employees need read and write access to this resource.



Decision.

In the "D:\SHARE\" directory of the "FILESRV" server, create the folder "D:\SHARE\Information Systems Development Department\", which will be the root directory of the file information resource. We also create user access groups (global security groups of the ICS domain) for this resource:



Set up permissions on the directory "D:\SHARE\Information Systems Development Department\":



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . -RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-. . -RW:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



The D:\SHARE\ directory is the entry point and an intermediate directory for this resource. Add the Traverse right for the groups "FILE-FILESRV-SHARE-Sep. razr. IS-RO" and "FILE-FILESRV-SHARE-Sep. razr. IS-RW".



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . -RO:R
ICS\FILE-FILESRV-SHARE-. . -RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



Since the users need read and write access, we add their accounts to the group "FILE-FILESRV-SHARE-Sep. razr. IS-RW".



Granting user access to a file information resource

Formulation of the problem.

Suppose that another employee, Egorov Mikhail Vladimirovich (MB.Egorov@domain.ics), has been hired into the development department, and that he, like the rest of the department, needs read and write access to the department's file information resource.



Decision.

The employee's account must be added to the group "FILE-FILESRV-SHARE-Sep. razr. IS-RW".



Creating a nested information resource. Access expansion

Formulation of the problem.

Suppose the Information Systems Development Department decided to improve cooperation with the Marketing Department and to give its head, Kruglikova Natalya Evgenievna (NE.Kruglikova@domain.ics), read access to the current product documentation stored in the "Documentation" folder of the Information Systems Development Department's file information resource.



Decision.

To solve this problem, a nested resource "\\FILESRV\share\Information Systems Development Department\Documentation" must be created, to which all users who have access to \\FILESRV\share\Information Systems Development Department\ keep their read and write access, and read access is additionally granted to Kruglikova Natalya Evgenievna (NE.Kruglikova@domain.ics).



In the "D:\SHARE\Information Systems Development Department\" directory, create the folder "D:\SHARE\Information Systems Development Department\Documentation", which will be the root directory of the new resource. We also create two user access groups:



Configure access rights on the folder "D:\SHARE\Information Systems Development Department\Documentation" as follows:



NTFS permissions as reported by the cacls command:

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
ICS\FILE-FILESRV-SHARE-. . --RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-. . --RW:(OI)(CI)C



Since all users who have access to "\\FILESRV\share\Information Systems Development Department\" need the same access to \\FILESRV\share\Information Systems Development Department\Documentation, we add the group "FILE-FILESRV-SHARE-Sep. razr. IS-RO" to "FILE-FILESRV-SHARE-Sep. razr. IS-Documentation-RO" and "FILE-FILESRV-SHARE-Sep. razr. IS-RW" to "FILE-FILESRV-SHARE-Sep. razr. IS-Documentation-RW", respectively. We then add the account of Kruglikova Natalya Evgenievna (NE.Kruglikova@domain.ics) to "FILE-FILESRV-SHARE-Sep. razr. IS-Documentation-RW".



Now, if Kruglikova Natalya (NE.Kruglikova@domain.ics) opens the link "\\FILESRV\share\Information Systems Development Department\Documentation" directly, she will reach the folder she needs, but this is not always convenient, so we configure traversal to this folder from the entry point "\\FILESRV\share\" ("D:\SHARE\"). To do this, set up access rights on the intermediate directories "D:\SHARE\" and "D:\SHARE\Information Systems Development Department\".



Configure "D:\SHARE\":



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . -RO:R
ICS\FILE-FILESRV-SHARE-. . -RW:R
ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



and "D:\SHARE\Information Systems Development Department":



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
ICS\FILE-FILESRV-SHARE-. . -RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-. . -RW:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



Creating a nested information resource. Narrowing access

Formulation of the problem

To organize backups of the work of the Information Systems Development Department, the head of the department, Ivanov Sergey Leonidovich (SL.Ivanov@domain.ics), needs a network folder "Archive" within the department's file information resource, to which only he has access.



Decision.

To solve this problem, a nested resource "Archive" ("\\FILESRV\share\Information Systems Development Department\Archive") must be created within the department's file information resource, with access granted only to the head of the department.



In the "D:\SHARE\Information Systems Development Department\" directory, create the folder "D:\SHARE\Information Systems Development Department\Archive", which will be the root directory of the new resource. We also create two user access groups:



Configure access rights on the directory "D:\SHARE\Information Systems Development Department\Archive":



NTFS permissions as reported by the cacls command:

NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
ICS\FILE-FILESRV-SHARE-. . --RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-. . --RW:(OI)(CI)C



then "D:\SHARE\Information Systems Development Department":



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
ICS\FILE-FILESRV-SHARE-. . -RO:(OI)(CI)R
ICS\FILE-FILESRV-SHARE-. . -RW:(OI)(CI)C
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



and "D:\SHARE\":



NTFS permissions as reported by the cacls command:

ICS\FILE-FILESRV-SHARE-. . -RO:R
ICS\FILE-FILESRV-SHARE-. . -RW:R
ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
ICS\FILE-FILESRV-SHARE-. . --RO:R
ICS\FILE-FILESRV-SHARE-. . --RW:R
NT AUTHORITY\SYSTEM:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F



The account of Ivanov Sergey Leonidovich (SL.Ivanov@domain.ics) is added to the group "FILE-FILESRV-SHARE-Sep. razr. IS-Archive-RW".

Source: https://habr.com/ru/post/281937/


