Back to Home

Enterprise File Resource Rights Management Standard

access rights · security · file sharing · ntfs · windows · smb

Enterprise File Resource Rights Management Standard


    What could be easier than delimiting the rights to a folder in NTFS? But this simple task can turn into a real nightmare when there are hundreds, if not thousands of such folders, and changing the rights to one folder “breaks” the rights to others. To work effectively in such conditions, you need a certain agreement, or a standard that would describe how to solve such problems. In this article, we will just consider one of the options for such a standard.

    Scope


    The standard for managing access rights to corporate file information resources (hereinafter referred to as the Standard) regulates the processes of providing access to file information resources located on computers running Microsoft Windows operating systems. The standard applies to cases where NTFS is used as a file system, and as a network protocol for sharing SMB / CIFS files.

    Terms and Definitions


    Information resource - a named set of data to which the methods and means of ensuring information security are applied (for example, access control).
    A file information resource is a collection of files and folders stored in a file system directory (called the root directory of a file information resource), access to which is differentiated.
    A compound file information resource is a file information resource that contains one or more attached file information resources that differ from this resource by access rights.
    An embedded file information resource is a file information resource that is part of a composite information resource.
    The entry point to the file information resource is the file system directory to which network access (shared folder) is provided and which is used to provide access to the file information resource. This directory usually coincides with the root directory of the file information resource, but it can also be a parent.
    An intermediate directory is a file system directory located on the way from the entry point to the file information resource to the root directory of the file information resource. If the entry point to the file information resource is a superior directory with respect to the root directory of the file information resource, then it will also be an intermediate directory.
    User Access Group - a local or domain security group that ultimately contains user accounts endowed with one of the options for access to the file information resource.

    Basic principles


    1. Access is delimited only at the directory level. Restriction of access to individual files is not carried out.
    2. Access rights are assigned based on security groups. Access rights to individual user accounts are not assigned.
    3. Explicitly deny permissions are not applied.
    4. Access rights are distinguished only at the file system level. At the level of the SMB / CIFS network protocols, rights are not differentiated (Everyone group - Read / Write permissions / Everyone - Change).
    5. When setting up network access to a file information resource, the option "Access based enumeration" is set in the SMB / CIFS settings.
    6. Creating file information resources on user workstations is unacceptable.
    7. It is not recommended to place file information resources on system partitions of servers.
    8. It is not recommended to create multiple entry points to a file information resource.
    9. The creation of attached file information resources should be avoided if possible, and in cases where the file or directory names contain confidential information, this is completely unacceptable


    Access control model


    User access to the file information resource is provided by giving them one of the options for authorization:

    • Access "Read Only ( R ead O nly)".
    • Access "Reading and Writing ( R ead & W rite)".

    In the overwhelming number of access control tasks, such access authorization options will be enough, but if necessary, new authorization options can be generated, for example, “Read and Write without Removal (Read & Write without Remove)”. For implementations of the new authority, it will be necessary to clarify paragraph B.3 of Table 1, otherwise the application of the Standard will remain unchanged.

    User Access Group Naming Rules


    The names of user access groups are formed by the following pattern:

    FILE-Name of the file information resource –– abbreviation of authority

    The name of the file information resource
    must match the UNC name of the resource or consist of the server name and local path (if network access to the resource is not provided). If necessary, abbreviations are allowed in this field. The characters "\\" are omitted, and "\" and ":" are replaced by "-".

    Abbreviations of authority :

    • RO - for the “Read Only” access option
    • RW - for the “Read & Write” access option.

    Example 1
    The name of the access group for users with Read-only privileges for the file information resource with the UNC name \\ FILESRV \ Report will be:
    FILE-FILESRV-Report-RO

    Example 2
    The name of the access group for users with Read and Write permissions for The file information resource hosted on the TERMSRV server along the path D: \ UsersData will be:
    FILE-TERMSRV-D-UsersData-RW

    Directory permissions template for file information resource



    Table 1 - NTFS permissions template for the root directory of a file information resource.
    SubjectsRightsInheritance mode
    Inheritance of access rights from upstream directories is disabled
    A) Mandatory rights
    Special account:
    "SYSTEM (SYSTEM)"
    Full access
    For this folder, its subfolders and files (This folder, subfolders and files)
    Local Security Group:
    “Administrators”
    Full access
    For this folder, its subfolders and files (This folder, subfolders and files)
    B.1) Powers "Read Only ( R ead O nly)"
    User Access Group:
    “FILE-Resource Name-RO”
    Basic rights:
    a) read and execute (read & execute);
    b) a list of contents of a folder (list folder contents);
    c) reading (read);
    For this folder, its subfolders and files (This folder, subfolders and files)
    B.2) Powers of "Reading and Writing ( R ead & W rite)"
    User Access Group:
    “FILE-Resource Name-RW”
    Basic rights:
    a) modify;
    b) reading and execution (read & execute);
    c) a list of contents of a folder (list folder contents);
    d) reading (read);
    e) write;
    For this folder, its subfolders and files (This folder, subfolders and files)
    B.3) Other powers, if any
    User access group:
    “FILE-Resource name-abbreviation of authority”
    According to authority
    For this folder, its subfolders and files (This folder, subfolders and files)

    Table 2 - NTFS permissions template for intermediate directories of a file information resource.
    Subjects
    Rights
    Inheritance mode
    Inheritance of access rights from parent directories is enabled , but if this directory is superior to file information resources and is not included in any other file information resource, then inheritance is disabled
    A) Mandatory rights
    Special account:
    "SYSTEM (SYSTEM)"
    Full access
    For this folder, its subfolders and files (This folder, subfolders and files)
    Local Security Group:
    Administrators
    Full access
    For this folder, its subfolders and files (This folder, subfolders and files)
    B.1) Authorization "Pass through the directory ( TRAVERSE )"
    Access groups for users of information resources for which this directory is an intermediate
    Additional security settings:
    a) traverse folders / execute files (travers folder / execute files);
    b) the contents of the folder / read data (list folder / read data);
    c) reading attributes (read attributes);
    c) reading additional attributes (read extended attributes);
    d) read permissions;
    Only for this folder (This folder only)

    Business processes for managing access to file information resources


    A. Creating a file information resource
    When creating a file information resource, the following actions are performed:
    1. User access groups are created. If the server hosting the file information resource is a member of a domain, domain groups are created. If not, then the groups are created locally on the server.
    2. Access rights are assigned to the root directory and intermediate directories of the file information resource according to access rights templates.
    3. User accounts are added to user access groups according to their privileges.
    4. If necessary, a network folder (shared folder) is created for the file information resource.

    B. Granting the user access to the file information resource
    The user account is placed in the corresponding user access group depending on its authority.

    B. Changing user access to a file information resource
    A user account is moved to another user access group depending on the specified privileges.

    D. Blocking user access to a file information resource
    A user account is deleted from user access groups of a file information resource. If an employee leaves, then group membership does not change, and the entire account is blocked.

    D1. Creating an attached file information resource. Access extension
    This task arises when it is necessary to provide access to an additional group of persons (to expand access) to a certain directory of a file information resource. The following activities are carried out:
    1. The attached file information resource is registered (according to process A)
    2. The user access groups of the parent compound file information resource are added to the user access groups of the attached file information resource.

    D 2. Creating an attached file information resource. Narrowing access
    This task arises when it is necessary to restrict access to a certain directory of a file information resource and provide it only to a limited group of persons:
    1. The attached file information resource is registered (according to process A)
    2. The user access groups of the created information resource contain those user accounts that need to be granted access.

    E. Changing the model for granting access to file information resources
    In cases where the standard options for permissions are “Read only” or “Read and Write”, you need to add new types of permissions, for example, “Read and write, except removal (Read & Write without Remove) "perform the following actions:
    1. Organizational (or technical, but not related to changing access rights to file system directories) measures blocking user access to this and all attached file information resources.
    2. New access rights are assigned to the root directory of the file information resource, and the access rights for all child objects are replaced (the legacy is activated).
    3. Access rights for all embedded information resources are reconfigured.
    4. Intermediate directories are configured for this and embedded information resources.

    Examples


    Consider the application of this standard on the example of the hypothetical organization InfoCryptoService LLC, where a server with the name FILESRV is allocated for centralized storage of file information resources. The server is running the Microsoft Windows Server 2008 R2 operating system and is a member of the Active Directory domain with the FQDN named “domain.ics” and NetBIOS named “ICS”.

    Preparing a file server
    On the “D:” drive of the “FILESRV” server, create the “D: \ SHARE \” directory. This directory will be a single entry point to all file information resources hosted on this server. We organize network access to this folder (use the applet “Share and Storage Management”):

    Creation of a file information resource
    Statement of the problem.
    Let the organization of InfoCryptoService LLC have an Information Systems Development Department consisting of: the head of the department, Ivanov Sergey Leonidovich ([email protected]), specialist Markin Lev Borisovich ([email protected]), and for them it is necessary to organize file information resource for storing unit data. Both employees need read and write access to this resource.

    Decision.
    In the “D: \ SHARE \” directory of the “FILESRV” server, create the folder “D: \ SHARE \ Information Systems Development Department \”, which will be the root directory for the file information resource. We also create user access groups (global security groups of the ICS domain) for this resource:
    • FILE-FILESRV-SHARE-Dep. bit IS-RO »
    • FILE-FILESRV-SHARE-Dep. bit IS-RW »

    Set the permissions for the directory “D: \ SHARE \ Information Systems Development Department \”:

    Dump NTFS permissions received by the cacls command: The D: \ SHARE \ directory is the entry point and intermediate directory for this resource. Add the rights to the passage (Traverse) for the groups: “FILE-FILESRV-SHARE-Sep. bit IS-RO ”and“ FILE-FILESRV-SHARE-Sep. bit IS-RW " Dump NTFS permissions obtained by the cacls command: Since users need read and write access, we add their inventory to the" FILE-FILESRV-SHARE-Sep. bit EC-RW » Providing user access to the file information resource STATEMENT OF THE PROBLEM.
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:(OI)(CI)R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:(OI)(CI)C
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F




    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:R
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F





    Suppose, another employee, a specialist Mikhail Vladimirovich Egorov ([email protected]) was accepted into the development department, and he, like the rest of the department’s employees, needs read and write access to the file’s information resource of the department.

    Decision.
    The employee account must be added to the group “FILE-FILESRV-SHARE-Sep. bit IS-RW »

    Creation of an embedded information resource. Expanding access
    Problem Statement.
    Suppose the Information Systems Development Department decided to improve the quality of interaction with the Marketing Department and provide the head of the latter, Kruglikova Natalya Evgenievna ([email protected]), with read access to the actual product documentation stored in the Documentation folder of the Department’s file information resource development of information systems.

    Decision.
    To solve this problem, it is necessary to make an embedded resource "\\ FILESRV \ share \ Information Systems Development Department \ Documentation", access to which should be read (written) to all users who had access to "\\ FILESRV \ share \ Department development of information systems \ and add read access for the user Kruglikova Natalia Evgenievna ([email protected])

    In the "D: \ SHARE \ Information Systems Development Department \" directory, create the "D: \ SHARE \ Information Systems Development Department \ Documentation" folder, which will be the root directory for the new resource. We also create two user access groups:
    • FILE-FILESRV-SHARE-Dep. bit IS-Documentation-RO »
    • FILE-FILESRV-SHARE-Dep. bit IS-Documentation-RW »

    Set the permissions on the folder “D: \ SHARE \ Information Systems Development Department \ Documentation” as follows:

    Dump NTFS permissions received by the cacls team: Since all users who have access to “\\ FILESRV \ share \ Information Systems Development Department \”, if you need similar access to \\ FILESRV \ share \ Information Systems Development Department \ Documentation, then add the group “FILE-FILESRV-SHARE-Sep. bit IS-RO ”in“ FILE-FILESRV-SHARE-Sep. bit IS-Documentation-RO "and" FILE-FILESRV-SHARE-Sep. bit IS-RW ”in“ FILE-FILESRV-SHARE-Sep. bit IS-Documentation-RW ”, respectively. Add the account of Kruglikova Natalia Evgenievna ([email protected]) to the group “FILE-FILESRV-SHARE-Sep. bit IS-Documentation-RW »
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RO:(OI)(CI)R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RW:(OI)(CI)C



    Now, if Natalya Evgenievna Kruglikova ([email protected]) clicks on the link \\ FILESRV \ share \ Information Systems Development Department \ Documentation, then she will be able to get to her folder of interest, but contacting the full path is not always convenient so we’ll configure a pass-through to this pack from the entry point “\\ FILESRV \ share \” (“D: \ SHARE \”). To do this, configure the access rights to the intermediate directories "D: \ SHARE \" and "D: \ SHARE \ Information Systems Development Department \".

    Let's configure “D: \ SHARE \”:

    Dump NTFS permissions received by the cacls: command and “D: \ SHARE \ Information Systems Development Department”: Dump NTFS permissions received by the cacls command: Create an embedded information resource. Narrowing access Statement of the problem
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RW:R
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F




    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:(OI)(CI)R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:(OI)(CI)C
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F



    In order to organize a backup of the developments of the Information Systems Development Department, the head of the department, Ivanov Sergey Leonidovich ([email protected]), as part of the department’s file information resource, needed a network folder “Archive” that he would have access to.

    Decision.
    To solve this problem, in the file information resource of the department, you need to make the embedded resource "Archive" ("\\ FILESRV \ share \ Information Systems Development Department \ Archive"), access to which should be provided only to the head of the department.

    In the "D: \ SHARE \ Information Systems Development Department \" directory, create the "D: \ SHARE \ Information Systems Development Department \ Archive" folder, which will be the root directory for the new resource. We also create two user access groups:
    • FILE-FILESRV-SHARE-Dep. bit IS-Archive-RO »
    • FILE-FILESRV-SHARE-Dep. bit IS-Archive-RW »

    Let's configure the access rights to the directories “D: \ SHARE \ Information Systems Development Department \ Archive”:

    Dump NTFS permissions received by the cacls command: “D: \ SHARE \ Information Systems Development Department Dump NTFS permissions received by the cacls: and“ D : \ SHARE \ ”: Dump NTFS permissions obtained by the cacls command: Add the user account of Sergey Leonidovich Ivanov ([email protected]) to the FILE-FILESRV-Sep group. times.IS-Archive-RW.
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RO:(OI)(CI)R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RW:(OI)(CI)C




    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:(OI)(CI)R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:(OI)(CI)C
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F




    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Документация-RW:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RO:R
    ICS\FILE-FILESRV-SHARE-Отд. разр. ИС-Архив-RW:R
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    BUILTIN\Administrators:(OI)(CI)F

    Read Next