
All the open access on the file shares is gone! We had to make changes to nearly half of the folders in the environment, but after remediating the permissions on a half billion folders, the security risk is now gone, along with my social life. What a triumph!! After 2 years of after-hours changes, weekend changes, and tens of thousands of reports, phone calls and e-mails, we finally did it.

“Now that we have completed the open access cleanup, we are now following the least privilege model. We’d like to hand off those shares to our Identity and Access Management team so they can manage the business-as-usual process of granting and removing access to users.”

Wait…what?!! That wasn’t the goal or a part of the project charter. We wanted to remove the audit finding of open access, not some half-baked approach to accomplishing least privilege access, let alone hand all of our hard work off to the IAM team…

Does this scenario sound familiar? Concentrated focus on a particular issue like open access can help simplify goals, but it can also come at the cost of losing sight of the bigger picture. Open access or global access is where everyone, or nearly everyone, within the company has access to a set of unstructured data such as a file share, folder or files. This type of access is most often granted through 3 different security groups on the folder’s access control list (ACL).

*Pro Tip: the Domain Users group can be nested inside other groups, including local groups, leading to a much larger list of open access groups to watch out for.*

Today, we will review how simply remediating open access does not mean you are following a least privilege access model, or even that you can manage the data effectively after the cleanup.
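The Pro Tip above is the part of an open access audit that is easiest to get wrong: checking a folder's ACL for a fixed list of group names misses every group that merely contains Domain Users. The following PowerShell script is an added example, not code from the original article or from any product it describes. It assumes the three usual open access principals are Everyone, Authenticated Users and Domain Users (the page does not name them), adds BUILTIN\Users because Domain Users is a member of it on domain-joined servers by default, and then walks Active Directory group membership upward from Domain Users so that any group it is nested in, at any depth, is also treated as open access. It needs the ActiveDirectory module and read access to the share; `$Root` is a placeholder for the share path.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the original article): list folders under $Root whose
  ACL grants Allow access to an open access principal. The principal set is
  assumed to be Everyone, Authenticated Users, BUILTIN\Users and Domain Users,
  plus every AD group that transitively contains Domain Users.
#>
param(
    [Parameter(Mandatory)] [string] $Root,           # e.g. \\fileserver\share (placeholder)
    [string] $DomainUsersName = 'Domain Users'
)

Import-Module ActiveDirectory

# Well-known SIDs; identical in every domain, so we match on SID rather than on name.
$openSids = [System.Collections.Generic.HashSet[string]]::new()
[void]$openSids.Add('S-1-1-0')        # Everyone
[void]$openSids.Add('S-1-5-11')       # NT AUTHORITY\Authenticated Users
[void]$openSids.Add('S-1-5-32-545')   # BUILTIN\Users (contains Domain Users on domain members by default)

# Domain Users itself (RID 513 of the current domain).
$domainUsers = Get-ADGroup -Identity $DomainUsersName
[void]$openSids.Add($domainUsers.SID.Value)

# Walk group membership upward: a group that contains Domain Users (directly or
# through further nesting) grants access to everyone just as Domain Users does.
function Add-ParentGroups {
    param([string] $Identity)
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $Identity) {
        # HashSet.Add returns $true only for a new entry, which also stops cycles.
        if ($openSids.Add($g.SID.Value)) {
            Add-ParentGroups -Identity $g.DistinguishedName
        }
    }
}
Add-ParentGroups -Identity $domainUsers.DistinguishedName

# Scan the root folder and every subfolder; report Allow ACEs that resolve to an open access SID.
$folders = @(Get-Item -Path $Root) + @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
$findings = foreach ($dir in $folders) {
    try { $acl = Get-Acl -Path $dir.FullName } catch { continue }   # no read access: skip, do not crash
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID that no longer resolves: not one of our groups
        if ($openSids.Contains($sid)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false marks the folder where the grant was actually made
            }
        }
    }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it against one share at a time and filter on `Inherited -eq $false` to find the folders where an open access grant was actually made rather than every folder that inherits it; those are the ACLs a cleanup has to change. Local groups on the file server that contain Domain Users are covered only through BUILTIN\Users here; other local groups would need a similar walk with `Get-LocalGroupMember` on that server.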
