Management of Active Directory is commonly delegated to local or departmental administrators.  This means that certain individuals are (for example) granted permission to create user accounts and manage security groups within a given area of the directory.  Microsoft provides a built-in wizard (known as the Delegation of Control Wizard) to delegate these tasks which does the work of applying all the underlying permissions associated to the task.

For example, here are just a few of the many underlying permissions granted when you delegate the task [Create, delete, and manage user accounts] over an OU:

• List Contents
• List Object
• Delete Object
• Delete Subtree
• Read Permissions
• Read All Properties
• Modify Permissions
• Modify Owner
• etc.

There are potentially hundreds of underlying permissions for any given delegated task.  The challenge, therefore, lies in being able to understand and report-on which rights have been delegated over time.  How do you know who has been delegated those permissions?  How do you know when underlying permissions are updated after the wizard has applied the task?  Or when rights are applied directly without using the wizard?  How do you know who has rights to create accounts through their group memberships when groups may be several levels deep?

NetVision’s Access Rights Inspector has built-in ability for in-depth reporting on rights over Active Directory objects and that includes reporting on the tasks delegated via the Delegation of Control Wizard.  It provides extremely useful reports and removes the guesswork and manual effort associated with understanding what tasks have been delegated throughout Active Directory.

NetVision has heard from its customers loud and clear that the holy grail of compliance reporting is enabling actual answers rather than just piles of data.  In this SC Magazine article, titled Answers, Not Data: The Key to Access Security, NetVision CEO David Rowe explains how next generation compliance solutions will be focused on answers and continuous audit rather than periodic audits that generate confusing or obfuscated data sets.

At NetVision, we hear from numerous organizations who are looking for help with cleaning up permissions that have gotten out of control over time.  David Rowe explains the challenges and provides some tips on how to tackle the job in this ESJ article titled Coming Clean: Getting a Handle on Permissions and Group Memberships.

A recent edition of NetVision’s monthly newsletter AuditMonthly discussed the issues of permission bloat and group clean up.  There are some focus areas outlined in one of our solutions pages: Active Directory Group Clean Up.  We can help you get your arms around the issue, identify low hanging fruit, and clean things up.

NetVision today released an updated version of Access Rights Inspector Single Server Edition.  The new version applies a fix to issues related to large volume size and the initial file/folder rights scan.  The SSE version is a free 30-day trial providing access rights reports on a single server. 

Access Rights Inspector SSE enables users to select user accounts/groups and files/folders to generate custom reports on access rights based on those selections.

Available Reports include:

• Effective Rights: calculates permissions based on group memberships, inherited rights, ownership, and more.
• Explicit Rights: provides explicit permission settings for selected accounts and resources.
• Deny ACEs: provides a list of all locations where permissions are explicitly denied.

Click here to download a copy to get immediate reports on your server!

In a new paper for NetVision customers titled Active HIPAA Response, we break down the security and privacy requirements found within the HIPAA regulation text and map NetVision policies and reports to those requirements. While organizations need to perform discovery of Protected Health Information (PHI), NetVision’s HIPAA compliance pack provides quick setup of compliance reporting related to Windows file system and Active Directory for complete coverage of Microsoft networking platforms.  The HIPAA package is also available for Novell networking environments.  NetVision isn’t claiming to make anyone compliant with a set of canned reports.  But, if you’re concerned about HIPAA requirements, the HIPAA compliance pack automates the creation of a set of reports that map to the areas within HIPAA for which NetVision can help.  Let us know if you’d like more information!

According to the two TechNet articles below, a user with the ‘take ownership’ permission on a file or folder should be able to assign ownership to a group of which they’re a member. Unfortunately, it doesn’t seem to work that way.  An error is thrown indicating that the user should have ‘restore files and directories’ permission in order to assign ownership to a group.

http://technet.microsoft.com/en-us/library/cc753659.aspx
http://technet.microsoft.com/en-us/library/cc780020(WS.10).aspx

Thanks! to FK for raising the issue (which contradicts information in the NetVision paper on Windows Access Rights)  It’s a fairly obscure find, but worth understanding.

NetVision this week announced a free trial of our Access Rights Inspector Single Server Edition.  Click here for more information on the Single Server Edition and the free download.  This version is limited to a single server and produces reports in only PDF format.  But it still provides extremely useful reports on effective rights calculating nested groups, hierarchical permissions, and more.  Give it a try on your own server today and let us know what you think!

We’ve already mentioned on this blog that NetVision provides calculated file system permission reporting with Access Rights Inspector.  What we haven’t discussed is that we support NetApp file storage solutions in Windows networking environments. 

You can connect NetApp devices to your Windows environment using Common Internet File System (CIFS) and leverage the existing authentication services in Active Directory.  Windows/NTFS permissions can be quite complicated.  Add the complexity of Windows shares and you’re soon looking for a way to easily report on access rights.

That’s where Access Rights Inspector steps in wearing a long red cape and blue tights.  With full understanding of groups, nested groups, file ownership , share permissions and more, it gives easy answers on effective rights for Windows and NetApp file storage solutions.

Windows file system permissions are complicated enough without having to consider file shares.  But, we use shares because they make life easier in networked environments.  So, we need to understand how Windows file share permissions affect the effective rights that users have to files and folders.  The Security permissions tab doesn’t tell the whole story.

Sometimes, we run into scenarios where an account appears to have been granted access to appropriate groups, but when the user tries to access an important file, she is denied access.  Other times, it’s the reverse scenario. Again, users appear to have been granted appropriate group memberships, but they are actually able to access more than they should.  And of course it’s almost never obvious why we get these unexpected results.

When configuring a Windows file share, the permissions for the share are handled differently than the rights granted on the file system itself. Each share has its own ACE (Access Control Entry) that governs the permissions on the file system to which the share enables access. Since both direct assignments and share assignments have their own ACEs, Microsoft provides a simple rule on how these ACEs will work together. When both affect the same area of the file system, the most restrictive of the two permission sets has precedence. Sounds simple. But in practice, determining how direct and share permissions cause unexpected effective rights for users can be complicated and time consuming.

Complicating things further, users are sometimes directly granted permissions to a share or file system rather than having permissions assigned via group memberships. And accounts can belong to numerous groups that each has different sets of permissions. As this web of permissions is constructed from multiple sources of permission assignments, the job of determining how accounts have gained or lost access gets increasingly complicated.

NetVision takes the mystery out of Access Rights. It’s critical to be able to easily and quickly determine the effective rights to sensitive data. NetVision’s Access Rights Inspector allows users to gather file system rights information, and then display the effective rights applied to users and groups across the file system.

Instead of limiting our scope to explicit rights across a file system (ACE entries), NetVision reports on permissions acquired from all sources - explicit permissions, shares, ownership, group memberships, etc. Access Rights Inspector makes all permission settings clear and provides a quick view into the calculated effective rights saving time, reducing cost, and improving your security posture.