Modify Permissions – Protect Permission Endpoints in NTFS using Modify Plus
In Microsoft Windows networks, permissions on the file server can be assigned either via share permissions or NTFS permissions. A combination of both types of permissions is also possible. However, NTFS permissions are predominantly used, since access can be controlled more granularly.
As a rule, users are assigned either the “Read and Execute” or the “Change” permission level. This gives the user either read access or write access to the desired directory.
However, the classic “Modify” permission brings with it a problem.
In this article, we address this problem and provide a solution to secure the permission endpoints in the future.
The Problem with the "Change" Permission
As a rule, IT provides a certain basic structure on the file server. Let’s assume the common case of a department structure: there is usually a separate directory for each department, on which the employees of that department are given a “Change” permission. In this case, the department directory is the permission endpoint (the directory on which the permission finally takes effect).
Permission Endpoint with a "Change" Permission
If you take a look at the advanced permissions that make up the “Change” permission, the problem quickly becomes apparent.
"Change" Permission in Detail
This shows that the permission allows the user to delete the directory (“delete” also covers moving or renaming the folder).
In other words, the user can “break” the permission endpoint set up by IT: he can move, rename or delete the directory.
This is always a problem for administrators.
Folders often disappear and have to be laboriously searched for in deeper folder structures or restored from the backup because users move or delete them by mistake or deliberately.
"Modify Plus" as an Alternative to the "Change" Permission
To protect and secure the permission endpoints, you should not use the default “Change” permission. Instead, you should work with a modified “Change” permission, “Modify Plus”.
"Modify Plus" Permission in Detail
If you look at the advanced permissions of a “Modify Plus” permission, you can see that the “Delete” flag is not set. Instead, the “Delete subfolders and files” flag is assigned for “Modify Plus”.
In this way, the administrator ensures that his specified permission endpoint can no longer be damaged by the user. Within the department directory, however, the user is still able to create folders and files, modify them or delete, rename and move them. The main folder (in our example the department directory) itself can no longer be deleted, moved or renamed.
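As an added example (not code from the article or from permSECURE’s tools), the following PowerShell builds the “Modify Plus” right exactly as described above (“Change” minus “Delete”, plus “Delete subfolders and files”), applies it to a department folder, and then audits the folder for explicit ACEs that still allow deleting the endpoint itself. The share path and group name are assumed placeholders.

```powershell
# Added example: build and apply a "Modify Plus" ACE, then audit an endpoint.
# Assumed placeholders: adjust the path and the group to your environment.
using namespace System.Security.AccessControl

$Endpoint = 'D:\Shares\Departments\Finance'   # assumed example path
$Group    = 'CONTOSO\FS-Finance-Modify'       # assumed example group

# "Change" (Modify) as Windows defines it: Read & Execute + Write + Delete.
$Modify   = [int][FileSystemRights]::Modify
$Delete   = [int][FileSystemRights]::Delete
$DelChild = [int][FileSystemRights]::DeleteSubdirectoriesAndFiles

# "Modify Plus": drop Delete on the object itself, add Delete subfolders and files.
# Because the ACE is inherited, every child folder also carries the
# DeleteSubdirectoriesAndFiles right, so items inside the endpoint remain
# deletable, renamable and movable; only the endpoint folder is protected.
$ModifyPlus = [FileSystemRights](($Modify -band (-bnot $Delete)) -bor $DelChild)

function New-ModifyPlusRule([string]$Identity) {
    [FileSystemAccessRule]::new(
        $Identity,
        $ModifyPlus,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
}

function Set-PermissionEndpoint([string]$Path, [string]$Identity) {
    $acl = Get-Acl -Path $Path
    # Remove any explicit rule for this identity (e.g. an old plain "Change" ACE) ...
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    # ... and replace it with Modify Plus.
    $acl.AddAccessRule((New-ModifyPlusRule $Identity))
    Set-Acl -Path $Path -AclObject $acl
}

# Audit: explicit Allow ACEs on the endpoint that still grant Delete on the folder itself.
function Find-DeletableEndpoint([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $Delete) -ne 0 } |
        Select-Object IdentityReference, FileSystemRights
}

Set-PermissionEndpoint -Path $Endpoint -Identity $Group
Find-DeletableEndpoint -Path $Endpoint   # after the change, $Group should no longer be listed
```

Run Find-DeletableEndpoint over all department folders to find endpoints that are still assigned via plain “Change”; any Allow ACE it lists for a user group is one that can break the endpoint.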
Conclusion and Recommendation
In order to secure the permission endpoints, it is recommended to replace the assigned “Change” permissions in the file system with the improved “Modify Plus” permission.
With our permSUITE and the permWRITER included in it, administrators can optimize the existing permissions to this end. With our permWRITER the permissions can be assigned via the “Modify Plus” permission level.
Afterwards, we recommend keeping the optimized and cleaned permissions consistent and valid with a software solution for permanent use. Our Austrian partner tenfold, with its identity and access management solution of the same name, “tenfold”, is also able to assign “Modify Plus” permissions and thus protect the permission endpoints.
The prior cleanup of the file shares with permSUITE and the subsequent connection to tenfold ensures a permanently secure folder structure.
About the Author
Christoph Schulze is a Senior Consultant at permSECURE. He has been designing and supporting file server projects and helping customers to optimise their authorisation concepts since 2011.
© 2024 permSECURE GmbH