NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Updated: Access Rights Inspector SSE

Tags: , , , ,

NetVision today released an updated version of Access Rights Inspector Single Server Edition.  The new version applies a fix to issues related to large volume size and the initial file/folder rights scan.  The SSE version is a free 30-day trial providing access rights reports on a single server. 

Access Rights Inspector SSE enables users to select user accounts/groups and files/folders to generate custom reports on access rights based on those selections.

Available Reports include:

  • Effective Rights: calculates permissions based on group memberships, inherited rights, ownership, and more.
  • Explicit Rights: provides explicit permission settings for selected accounts and resources.
  • Deny ACEs: provides a list of all locations where permissions are explicitly denied.

Click here to download a copy to get immediate reports on your server!

NetApp Security Audit

Tags: , , , ,

We’ve already mentioned on this blog that NetVision provides calculated file system permission reporting with Access Rights Inspector.  What we haven’t discussed is that we support NetApp file storage solutions in Windows networking environments. 

You can connect NetApp devices to your Windows environment using Common Internet File System (CIFS) and leverage the existing authentication services in Active Directory.  Windows/NTFS permissions can be quite complicated.  Add the complexity of Windows shares and you’re soon looking for a way to easily report on access rights.

That’s where Access Rights Inspector steps in wearing a long red cape and blue tights.  With full understanding of groups, nested groups, file ownership , share permissions and more, it gives easy answers on effective rights for Windows and NetApp file storage solutions.

Windows File Share Permissions

Tags: , , , ,

Windows file system permissions are complicated enough without having to consider file shares.  But, we use shares because they make life easier in networked environments.  So, we need to understand how Windows file share permissions affect the effective rights that users have to files and folders.  The Security permissions tab doesn’t tell the whole story.

Sometimes, we run into scenarios where an account appears to have been granted access to appropriate groups, but when the user tries to access an important file, she is denied access.  Other times, it’s the reverse scenario. Again, users appear to have been granted appropriate group memberships, but they are actually able to access more than they should.  And of course it’s almost never obvious why we get these unexpected results.

When configuring a Windows file share, the permissions for the share are handled differently than the rights granted on the file system itself. Each share has its own ACE (Access Control Entry) that governs the permissions on the file system to which the share enables access. Since both direct assignments and share assignments have their own ACEs, Microsoft provides a simple rule on how these ACEs will work together. When both affect the same area of the file system, the most restrictive of the two permission sets has precedence. Sounds simple. But in practice, determining how direct and share permissions cause unexpected effective rights for users can be complicated and time consuming.

Complicating things further, users are sometimes directly granted permissions to a share or file system rather than having permissions assigned via group memberships. And accounts can belong to numerous groups that each has different sets of permissions. As this web of permissions is constructed from multiple sources of permission assignments, the job of determining how accounts have gained or lost access gets increasingly complicated.

NetVision takes the mystery out of Access Rights. It’s critical to be able to easily and quickly determine the effective rights to sensitive data. NetVision’s Access Rights Inspector allows users to gather file system rights information, and then display the effective rights applied to users and groups across the file system.

Instead of limiting our scope to explicit rights across a file system (ACE entries), NetVision reports on permissions acquired from all sources – explicit permissions, shares, ownership, group memberships, etc. Access Rights Inspector makes all permission settings clear and provides a quick view into the calculated effective rights saving time, reducing cost, and improving your security posture.

TryIt! Free Access Rights Answers

Tags: , , , ,

Today, NetVision released the free TryIt! edition of Access Rights Inspector. You can now download a small scanner to run on your own server and get four useful reports:

  • User or Group Report – report on all resources to which a given user or group has access.
  • File or Folder Report – report on all accounts that have access to a given file or folder.
  • Direct User Assignments – report on all instances of permissions being assigned directly to user accounts (instead of via groups).
  • Explicit Deny Entries – report on all instances of explicitly denied permissions.

Like the full version of Access Rights Inspector, this one accounts for groups, nested groups, inherited permissions, deny entries, object ownership, share permissions, and more.  So, if you have questions like ‘Who has access to this file?‘ or ‘What does that person have access to?‘, this is a quick and free way to get the complete answer on a single server.

If you’re looking for something more powerful, we of course would like you to take a look at this 3-minute demo of the full version of Access Rights Inspector.

Demo – Getting Who Has Access (with Details)

Tags: , , ,

Today, I launched a 3 minute demo of Access Rights Inspector‘s ability to generate a quick report on everyone that has access to a given file — and how they got the access (inheritance, group memberships, etc.).  Obviously, it’s only a quick glance at what the product can do, but if it piques your interest, please let us know.

Access Rights Inspector

Tags: , ,

NetVision is proud to introduce Access Rights Inspector.

Access Rights Inspector provides effective rights on Active Directory objects and Windows File System. It removes the complexity of rights assignments, nested group memberships, explicit rights granted directly to users, deny entries, and inherited permissions.

To get the basics, take a look at this 5 minute video presentation

© 2009 NetVision Company Blog. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.