In-Depth
Manage Active Directory Permissions: 4 Access Control Tools for IT
Create a comprehensive access policy to files and shares with these Windows permission management tools.
To say Windows is a huge platform is an understatement. At a high level it seems so large because everything tends to work together in a way that makes sense for both administrators and employees alike. But when securing information becomes the task at hand, it can quickly become a daunting exercise in futility.
But now, thanks to the latest iteration of Active Directory Rights Management Services (AD RMS) in Windows Server 2012 (see "Secure Files in Windows Server 2012 with AD RMS"), it's a much easier endeavor. If you're an IT manager considering privilege management suites, you might want to consider those that let you control who has access to files and folders. In this article, I'll look at four privilege management tools that give such control over permissions.
First, it's important to understand Windows file system permissions. Everyone who's managed Windows has dealt with or has come across permissions. But what are permissions? Permissions on files and folders are just like permissions to things around the house I recall as a child. Some things I was allowed to use whenever I wanted, while others needed supervision. Then there were those that were off limits completely. Windows can do the same thing for files and folders.
Think of Windows permissions as toy chest permissions. If I have three folders -- C:\Boss, C:\Derek and C:\Project -- they can represent different work items for me. For C:\Boss, I would have no access because those are my boss's files and are none of my business. For C:\Derek I would have full control: I can write to and delete from anything inside that folder with no trouble. And the C:\Project folder might contain files I can read but not modify, items I can modify and, still, other items I can delete. These folders are much like items around my house growing up. Things in my bedroom were pretty much available for me to use whenever and however I wanted (like C:\Derek). Things in the kitchen might have been OK to use depending on the level of supervision that was around and what my goal was (C:\Project). And things in the living room were generally considered off limits (C:\Boss). When you look at it with simple real-world comparisons, it isn't quite so bad.
Windows permissions can work in conjunction with privileges but the two are distinctly different. Privilege allows a user to perform an action (such as accessing a file) and can override permissions. Permissions are lists of controls placed on a file or folder; they tell Windows which users and groups are able to see or use the data and nothing more.
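The three folders from the toy-chest comparison, built with the Windows cmdlets that come with PowerShell. This is an added example, not code from the article or from any of the products reviewed; the scratch root under $env:TEMP and the Derek and Boss accounts are placeholders you would replace, and the script assumes an elevated prompt.

```powershell
# Added example, not from the article: creates the three "toy chest" folders
# under a scratch root and applies NTFS permissions matching the description.
# Assumptions (placeholders, not from the article): run from an elevated
# PowerShell prompt; $Derek and $Boss name existing accounts on this machine.
$Root  = Join-Path $env:TEMP 'ToyChest'     # scratch location instead of C:\
$Derek = "$env:COMPUTERNAME\Derek"          # placeholder account
$Boss  = "$env:COMPUTERNAME\Boss"           # placeholder account

$FolderFlags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoPropagate = [System.Security.AccessControl.PropagationFlags]::None

# Builds one ACE; folder ACEs flow down to children, file ACEs carry no inheritance flags.
function New-Ace {
    param([string]$Identity, [string]$Rights, [bool]$IsFolder, [string]$Type = 'Allow')
    if ($IsFolder) {
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $Rights, $FolderFlags, $NoPropagate, $Type)
    } else {
        New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Type)
    }
}

# Reads the ACL, optionally cuts inheritance, adds the ACEs and writes it back.
function Add-Ace {
    param([string]$Path, [object[]]$Aces, [switch]$BreakInheritance)
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) { $acl.SetAccessRuleProtection($true, $false) }  # drop inherited ACEs
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

$BossDir    = (New-Item -ItemType Directory -Path (Join-Path $Root 'Boss')    -Force).FullName
$DerekDir   = (New-Item -ItemType Directory -Path (Join-Path $Root 'Derek')   -Force).FullName
$ProjectDir = (New-Item -ItemType Directory -Path (Join-Path $Root 'Project') -Force).FullName

# Boss: no access for Derek. "No access" is simply not being listed at all, so
# inheritance is cut and only SYSTEM, Administrators and the boss remain.
Add-Ace -Path $BossDir -BreakInheritance -Aces @(
    (New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $true),
    (New-Ace 'BUILTIN\Administrators' 'FullControl' $true),
    (New-Ace $Boss                    'Modify'      $true)
)

# Derek: full control, Derek can write to and delete anything inside.
Add-Ace -Path $DerekDir -Aces @((New-Ace $Derek 'FullControl' $true))

# Project: read-only at the folder level, with per-file exceptions.
Add-Ace -Path $ProjectDir -Aces @((New-Ace $Derek 'ReadAndExecute' $true))
$ReadOnly  = New-Item -ItemType File -Path (Join-Path $ProjectDir 'spec.txt')    -Force
$Editable  = New-Item -ItemType File -Path (Join-Path $ProjectDir 'notes.txt')   -Force
$Deletable = New-Item -ItemType File -Path (Join-Path $ProjectDir 'scratch.txt') -Force
Add-Ace -Path $Editable.FullName  -Aces @((New-Ace $Derek 'Modify' $false))   # read + change
Add-Ace -Path $Deletable.FullName -Aces @((New-Ace $Derek 'Delete' $false))   # inherited read + delete

# Report what was applied; IsInherited shows which ACEs came from the parent folder.
Get-ChildItem -Path $Root -Recurse | ForEach-Object {
    $p = $_.FullName
    (Get-Acl -Path $p).Access | Select-Object @{n='Path';e={$p}}, IdentityReference,
        FileSystemRights, AccessControlType, IsInherited
} | Format-Table -AutoSize
```

The Boss folder deliberately avoids a Deny ACE: leaving an account out of the DACL gives it no access and keeps the ACL easier to audit later, whereas explicit Deny entries tend to accumulate and surprise whoever inherits the folder tree.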
Managing Shares
Shares are another "object" that you can control and manage in Windows. There are fewer security options for shares than for NTFS, and when both share permissions and NTFS permissions are in play, whichever permission is most restrictive wins. When you access the Boss folder on a network share (\\server\Boss), you'll encounter both share permissions and NTFS permissions. The share permissions determine whether the shared object is visible and usable over the network. This could be similar to a cookie jar in the way the permissions are applied. Read share access might happen when the cookie jar is on the top of the fridge: I can see it but I can't reach into it. Modify permissions might work like supervised access to the cookies -- when Mom is watching, I'm allowed two cookies. Full control access would be that I can have as many of the cookies as I like. NTFS permissions can be applied to specific accounts or to the built-in group "Everyone," which effectively removes the restriction. NTFS permissions can be far more granular in allowing or denying access, but if your login can't get past the share permissions you'll be restricted right away. Because of the more granular functionality, I tend to rely on NTFS permissions and set share permissions to be less restrictive, if restrictive at all. How you handle this will be determined by requirements in your organization.
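The "most restrictive wins" rule above, worked through for the current user with the built-in SmbShare and Get-Acl cmdlets. This is an added example and not part of the article or of any reviewed product; it assumes Windows 8 or Server 2012 or later, an elevated prompt (Get-SmbShareAccess needs one), and a placeholder share name you replace. The three-level Read/Change/Full scale is the share permission scale, and NTFS rights are mapped onto it coarsely so the two can be compared; for the exact answer an administrator would still use the Effective Access tab in the folder's security dialog.

```powershell
# Added example, not from the article: estimates the access the CURRENT user
# gets to a share by taking the more restrictive of the share ACL and the
# NTFS ACL on the shared folder, the rule described above.
# Assumptions: Windows 8 / Server 2012 or later (SmbShare module), elevated
# prompt; $ShareName is a placeholder for a share on the local machine.
Import-Module SmbShare
$ShareName = 'Boss'                           # placeholder

# Share permissions only come in Read / Change / Full, so NTFS rights are
# reduced to the same coarse scale before the two are compared. "Custom"
# is what Get-SmbShareAccess reports for anything else; it is ranked lowest.
$Rank = @{ None = 0; Custom = 0; Read = 1; Change = 2; Full = 3 }

$Me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($Me.User.Value) + @($Me.Groups | ForEach-Object { $_.Value })

# True if the ACE principal is the current user or one of the token's groups.
function Test-AppliesToMe([string]$Account) {
    try {
        $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $false }                 # unresolvable (orphaned) SID: skip
    return $MySids -contains $sid
}

# Collapse an NTFS rights mask onto the share scale.
function ConvertTo-Level([System.Security.AccessControl.FileSystemRights]$Rights) {
    $R = [System.Security.AccessControl.FileSystemRights]
    if ($Rights.HasFlag($R::FullControl)) { return 'Full' }
    if ($Rights.HasFlag($R::Modify))      { return 'Change' }
    if ($Rights.HasFlag($R::ReadData))    { return 'Read' }
    return 'None'
}

# Highest applicable Allow level; any applicable Deny collapses the result to
# None (deliberately conservative: Windows evaluates Deny per individual right).
function Get-AllowedLevel([object[]]$Entries) {
    $best = 'None'
    foreach ($e in $Entries) {
        if (-not (Test-AppliesToMe $e.Account)) { continue }
        if ($e.Type -eq 'Deny') { return 'None' }
        if ($Rank[$e.Level] -gt $Rank[$best]) { $best = $e.Level }
    }
    return $best
}

function Get-EffectiveShareAccess([string]$Name) {
    $share = Get-SmbShare -Name $Name
    $shareEntries = Get-SmbShareAccess -Name $Name | ForEach-Object {
        [pscustomobject]@{ Account = $_.AccountName
                           Type    = "$($_.AccessControlType)"
                           Level   = "$($_.AccessRight)" }
    }
    $ntfsEntries = (Get-Acl -Path $share.Path).Access | ForEach-Object {
        [pscustomobject]@{ Account = "$($_.IdentityReference)"
                           Type    = "$($_.AccessControlType)"
                           Level   = (ConvertTo-Level $_.FileSystemRights) }
    }
    $shareLevel = Get-AllowedLevel $shareEntries
    $ntfsLevel  = Get-AllowedLevel $ntfsEntries
    # The more restrictive of the two is what the user actually gets over the network.
    $effective  = if ($Rank[$shareLevel] -lt $Rank[$ntfsLevel]) { $shareLevel } else { $ntfsLevel }
    [pscustomobject]@{ Share      = "\\$env:COMPUTERNAME\$Name"
                       Path       = $share.Path
                       ShareLevel = $shareLevel
                       NtfsLevel  = $ntfsLevel
                       Effective  = $effective }
}

Get-EffectiveShareAccess -Name $ShareName | Format-List
```

Running this against a share whose share ACL is Everyone/Full and whose folder ACL grants the user only ReadAndExecute reports Effective = Read, which is the layout the text recommends: leave the share permission open and let the NTFS ACL do the restricting.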
Because of the nature of working with permissions and their depth within Windows, these four privilege management applications might help you manage permissions within your Windows environment.
Dell Software: Security Explorer
Licensing: Starts at $649 per server
The NTFS Security navigation option in Dell Software Security Explorer is where NTFS permissions are managed. The application also manages security for other applications, including Exchange, SharePoint and SQL Server, so one interface can work on any and all security in the environment. Here, NTFS will be the focus. There are two types of tasks available: Basic and Advanced. Some of the basic tasks used for general permissions management let you view permissions, manage computers, grant or revoke permissions on a selected resource, and search permissions.
The advanced tasks include functions such as reducing a user's or group's access to read-only or changing the owner. They can be quite useful, but as with any application working in NTFS security, getting the hang of how the basic tasks work before getting too far into the advanced techniques is advised.
Granting Permissions: To grant a permission, select the grant task. You'll then need to select a path (or resource) against which to grant a permission, as well as the permission to assign. When you select the permission you'll choose the type of permission and if it's allowed or denied, the user or group getting the permission, where it applies (to this folder only or to this folder and subfolders and files, for example) and whether the permission set will be appended to existing permissions or replace them. After completing this information and clicking OK, Security Explorer will add permissions to the resources as requested.
Standout Features: Security Explorer includes many features to ease permissions management for both share and NTFS. Some of the most useful include:
- Reporting -- the ability to see what permissions are applied where in a few clicks.
- Backup/Restore -- make sure the security settings you need can be reapplied with ease should something go wrong.
- Windows PowerShell support -- the ability to use Security Explorer features from the command line in Windows PowerShell helps automate permissions management.
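What the reporting and backup/restore features above boil down to, done with the cmdlets that ship with PowerShell. This is an added example; it is not the article's code and not Security Explorer's own PowerShell support, whose cmdlets are not shown here. The folder path is a placeholder, and the script assumes an elevated prompt so every ACL under the root can be read.

```powershell
# Added example, not from the article and not Security Explorer's cmdlets:
# baseline, report and restore NTFS permissions with built-in cmdlets.
# Assumption: $Root is a placeholder folder path you replace; run elevated so
# every ACL under it can be read.
$Root     = 'C:\Project'                                  # placeholder
$Baseline = Join-Path $env:TEMP 'acl-baseline.csv'

# One row per object: the real path (not Get-Acl's provider-qualified form),
# the owner, and the whole security descriptor in SDDL form.
function Get-AclRows([string]$Path) {
    @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force) |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl }
        }
}

# Backup: write the rows to CSV so they can be diffed or reapplied later.
function Export-AclBaseline([string]$Path, [string]$OutFile) {
    Get-AclRows $Path | Export-Csv -Path $OutFile -NoTypeInformation
}

# Report: compare the live descriptor with the baseline. An SDDL difference
# means an owner or ACE change; objects absent from the baseline are new.
function Compare-AclBaseline([string]$Path, [string]$BaselineFile) {
    $saved = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $saved[$_.Path] = $_.Sddl }
    Get-AclRows $Path | ForEach-Object {
        $state = if (-not $saved.ContainsKey($_.Path)) { 'NotInBaseline' }
                 elseif ($saved[$_.Path] -ne $_.Sddl)   { 'Drifted' }
                 else                                    { 'OK' }
        [pscustomobject]@{ Path = $_.Path; State = $state; Owner = $_.Owner }
    }
}

# Restore: reapply only the DACL (Access section) from the baseline. The owner
# is left alone because setting it to another account needs SeRestorePrivilege.
function Restore-AclBaseline([string]$Path, [string]$BaselineFile) {
    $saved = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $saved[$_.Path] = $_.Sddl }
    $drifted = Compare-AclBaseline $Path $BaselineFile | Where-Object State -eq 'Drifted'
    foreach ($d in $drifted) {
        $acl = Get-Acl -Path $d.Path
        $acl.SetSecurityDescriptorSddlForm($saved[$d.Path],
            [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $d.Path -AclObject $acl
        $d.Path                                           # emit what was restored
    }
}

# Typical use: take a baseline now, report drift later, restore if needed.
Export-AclBaseline  -Path $Root -OutFile $Baseline
Compare-AclBaseline -Path $Root -BaselineFile $Baseline | Format-Table -AutoSize
# Restore-AclBaseline -Path $Root -BaselineFile $Baseline
```

Comparing whole SDDL strings is a blunt but reliable drift detector: it flags an owner change as well as any added, removed or re-ordered ACE, which is exactly the set of changes a permissions report should surface.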
BeyondTrust: PowerBroker for Windows
Licensing: Starts at $39/active user
PowerBroker for Windows from BeyondTrust Inc. uses privilege identity rules to determine which users or groups are able to access resources, and file integrity management rules to track the usage of assigned privilege. I'll focus on the first type of rule, but note that monitoring access is something included with this tool.
Managing Permissions with PowerBroker: Permissions to access resources are managed with Privilege Identity rules. To create a rule within PowerBroker, expand the user configuration, policies and BeyondTrust PowerBroker for Windows inside the Group Policy Management Console. From here a rules wizard helps you select the users (or groups) to which the rule should apply, as well as the folders (and files) the rule will be used to control. Once the initial rule is created, its properties can be modified to further tweak how the rule behaves. PowerBroker also has rules for file integrity management, which work to provide information about access to resources. Using these rule types together can provide a clear picture of what's happening in your environment as well as provide data for compliance, if needed.
Standout Features: PowerBroker for Windows has regulatory considerations built-in that compare configuration elements to regulatory compliance standards. For example, the rules created can be compared against things such as PCI-DSS, and trigger event capture based on compliance.
Any action can be captured by logging. When a user account accesses a file or folder, this action is logged regardless of outcome (success or failure). Because all this information is logged within the application, which filters relevant Windows event logs for easier viewing, you can see what's going on and understand where changes are needed.
Using agents, even computers that aren't in a specific Active Directory domain can be managed. The agents apply rules to these computers and track their usage for reporting. This allows computers within a DMZ or off the network for PCI compliance to be monitored without much additional effort. In conjunction with agents, screen captures can be taken any time a screen changes where an agent is installed. This will give you an idea of what an account is doing with the permissions granted to it. Note that this feature can be made visible or invisible to the user, depending on laws in the region or on company policy.
Viewfinity: Application Control
Licensing: Perpetual licensing begins at $35/managed desktop; Software as a Service managed installation starts at $20/managed desktop -- both have a 25 percent cost for maintenance and support
Application Control from Viewfinity Inc. has several flavors, two of which are Group Policy and Standalone. I chose to use the Group Policy application because many of the Microsoft environments used in organizations today rely on Active Directory. When installed, the application snaps directly into the Group Policy Management Console (GPMC).
This snap-in manages files and folders, as well as other items that might be useful in an enterprise.
Managing Permissions with Policies: Permissions are managed using policies, which behave similarly to (and can be managed like) group policies in Active Directory. This minimizes the number of agents and extra management needed.
The application provides a wizard-style interface to help you create policies to manage permissions, including:
- Access -- manages permissions on files and folders
- Services -- manages permissions on services
- Removable -- sets permissions for all items on removable media
Selecting Access and choosing an access type (allow read, allow full control, deny write, or deny any access) will allow that permission to be used. For example, select Allow read.
Once the type of policy is defined the next thing to do is select the folders or files where the policy should be applied. Then the more granular settings can be applied based on the needs of your environment.
Note that just like other items within the GPMC, the policies configured by Application Control can be configured for user or computer objects. The settings are similar within the configuration element for permissions, but the computer configuration object has more types of settings.
Standout Features: One of the first features I noticed when configuring Application Control was the snap-in to the Group Policy environment. While this is not a "feature" of the software necessarily, I like it for its usability. When snapped into Group Policy, you don't have to work with another interface to use the product.
The policy creation is wizard-based to help get you off and running. This is not like traditional Group Policy management where most explanation is text-based and requires you to know where to find the right elements. Settings within the application, however, are configured like traditional Group Policy items having a state of Enabled, Disabled or Not Configured.
Granular configuration lets dynamic items such as RAM, CPU and other hardware or environment attributes narrow down where a policy is applied.
Revision history allows each policy to log its modification/revision history. This will help keep track of changes to policies within the application.
Arellia: Security Analysis Solution
Licensing: Starts at $75/endpoint
Like the other products covered here, Security Analysis Solution from Arellia Inc. has features that go beyond the scope of managing permissions to files. I mention this because the tool is extremely modular, and features can be added to the management framework once they're licensed.
Security Analysis Solution requires the Symantec Installation Manager (SIM) platform to be installed and configured before installing the product. Arellia and Symantec Corp. are partners in this arrangement and Arellia is planning a standalone application in a future release.
The initial configuration of the SIM and Arellia add-ins was a bit cumbersome, but the capabilities of the product once configured are definitely worthwhile. The Local Security Solution allows permissions management in both Active Directory and non-Active Directory environments using rules to define which security principals are allowed permissions on a resource and what those permissions should be. In addition to being rule/task list based, the changes are fully auditable for accounting and regulatory purposes.
Managing Permissions: To create rules, open the Arellia Security Manager from the start menu. This will open a focused Web application for working with Arellia products. Select the Tasks tab and expand Arellia | Client Tasks | Security Analysis | Remediation tasks | Remediation Pack | File Security. This will list all preexisting file permissions tasks. Right-click File Security, select New and then Task to create a new task. In the new task dialog, select File Security as the type of task to create in the left pane.
Select Add Item to add a new resource to secure, specifying the path to the item to be secured and the security descriptor to apply. For example, on a specific resource (C:\new.txt) you can select the administrators full control descriptor to apply full control on this file for members of the Administrators group. Enter a name for the task (descriptive names are better) and click OK to save the task.
Tasks can be scheduled to run at intervals so that the security settings are reapplied as needed and compliance is maintained on files across the organization. Tasks can also be grouped into collections (or profiles) to allow the assignment of multiple configurations to a given set of resources or users.
Standout Features: You can start rules from compliance listings created by top-level security organizations. For example, if your organization is required to meet PCI DSS regulations, there are lists available within Arellia Security Manager to configure matching rules. This way, you can apply them to your organization to ensure these requirements are met with regard to the files and folders being managed. The solution isn't limited to regulatory rules -- organizations can create their own rules based on internal needs to ensure files and folders are secured appropriately.
Rule scheduling, which keeps resources compliant with an organization's security settings, is a great feature. With rules in place, a file or folder can be created in a location and then have security applied as outlined in a policy, which helps ensure no files or resources are missed.