NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Insider Errors

Tags: , ,

In case you missed our recent webinar on Insider Errors, NetVision’s David Rowe provided an engaging overview of insider errors, how they happen and their impact.  The webinar also gave a brief overview of NetVision’s access rights reporting solutions and some Q&A.

A recording is available through our partner Sparxent, who hosted the event:
http://www.sparxent.com/Webcast_Insider_Errors.wmv

Let us know if you’d like more information.

NetApp File Monitoring

Tags: , , , ,

NetApp file monitoring is finally right around the corner.  Our solution for monitoring activity on NetApp Filers is due to officially release in the coming weeks.  We’ll have file reads, changes, creates, deletes, permission changes, etc. baked into our already successful web-based reporting console which also reports on Windows file system activity, Active Directory, Microsoft Exchange, and Novell Netware, eDirectory and NSS on OES2 (SUSE Linux) platforms.  NetApp file activity monitoring will be available through the same solution that already provides full effective rights reporting – who has access to what – across Windows and NetApp devices.  Contact us for more information!

Permissions and Group Membership Cleanup

Tags: , ,

At NetVision, we hear from numerous organizations who are looking for help with cleaning up permissions that have gotten out of control over time.  David Rowe explains the challenges and provides some tips on how to tackle the job in this ESJ article titled Coming Clean: Getting a Handle on Permissions and Group Memberships.

Active Directory Group Clean Up

Tags: , ,

A recent edition of NetVision’s monthly newsletter AuditMonthly discussed the issues of permission bloat and group clean up.  There are some focus areas outlined in one of our solutions pages: Active Directory Group Clean Up.  We can help you get your arms around the issue, identify low hanging fruit, and clean things up.

Updated: Access Rights Inspector SSE

Tags: , , , ,

NetVision today released an updated version of Access Rights Inspector Single Server Edition.  The new version applies a fix to issues related to large volume size and the initial file/folder rights scan.  The SSE version is a free 30-day trial providing access rights reports on a single server. 

Access Rights Inspector SSE enables users to select user accounts/groups and files/folders to generate custom reports on access rights based on those selections.

Available Reports include:

  • Effective Rights: calculates permissions based on group memberships, inherited rights, ownership, and more.
  • Explicit Rights: provides explicit permission settings for selected accounts and resources.
  • Deny ACEs: provides a list of all locations where permissions are explicitly denied.

Click here to download a copy to get immediate reports on your server!

Take Ownership Issue

Tags: , , , ,

According to the two TechNet articles below, a user with the ‘take ownership’ permission on a file or folder should be able to assign ownership to a group of which they’re a member. Unfortunately, it doesn’t seem to work that way.  An error is thrown indicating that the user should have ‘restore files and directories’ permission in order to assign ownership to a group.

http://technet.microsoft.com/en-us/library/cc753659.aspx
http://technet.microsoft.com/en-us/library/cc780020(WS.10).aspx

Thanks! to FK for raising the issue (which contradicts information in the NetVision paper on Windows Access Rights)  It’s a fairly obscure find, but worth understanding.

Access Rights – Single Server – Free Trial

Tags: , , ,

NetVision this week announced a free trial of our Access Rights Inspector Single Server Edition.  Click here for more information on the Single Server Edition and the free download.  This version is limited to a single server and produces reports in only PDF format.  But it still provides extremely useful reports on effective rights calculating nested groups, hierarchical permissions, and more.  Give it a try on your own server today and let us know what you think!

TryIt! Free Access Rights Answers

Tags: , , , ,

Today, NetVision released the free TryIt! edition of Access Rights Inspector. You can now download a small scanner to run on your own server and get four useful reports:

  • User or Group Report – report on all resources to which a given user or group has access.
  • File or Folder Report – report on all accounts that have access to a given file or folder.
  • Direct User Assignments – report on all instances of permissions being assigned directly to user accounts (instead of via groups).
  • Explicit Deny Entries – report on all instances of explicitly denied permissions.

Like the full version of Access Rights Inspector, this one accounts for groups, nested groups, inherited permissions, deny entries, object ownership, share permissions, and more.  So, if you have questions like ‘Who has access to this file?‘ or ‘What does that person have access to?‘, this is a quick and free way to get the complete answer on a single server.

If you’re looking for something more powerful, we of course would like you to take a look at this 3-minute demo of the full version of Access Rights Inspector.

The Windows Owner Attribute

Tags: , , ,

When files and folders are created on the Windows file system, an owner is assigned to that object.  By default, the owner is the creator of the file.  But, ownership can be re-assigned by the current owner or system administrators. When assigning an owner, it’s critical to understand what the attribute means. 

A file or folder owner always has the rights to adjust permissions.  So, even if everyone is denied rights and the owner account can no longer view the document, it can still be used to adjust permissions to grant itself (or anyone else) any additional permissions.

In most cases, an explicit deny rule takes precedence over other rights assignments. In the case of owner, however, this is not true.  So, ownership needs to be considered when looking at what file permissions are assigned.

The implicit rights granted by the owner attribute take precedence over all other permissions, including denies.

To ensure proper access to files on the Windows file system, NetVision’s ARI accounts for the owner of a file system object when calculating effective rights. This allows users to be able to locate accounts that may have more privileges than expected because they are set as the owner of a file or folder. If a user is set as the owner and their effective permissions also allow them to browse or see the file or folder, then they can grant other rights to see items in the folder and below. If you don’t want users to be able to change permissions on files and folders, then you need to ensure that they’re not set as the owner. The owner attribute in most cases should be set to an administrative group so only appropriately privileged accounts can change these permissions.

Active Directory UserAccountControl

Tags: , , ,

Here’s a link to our Active Directory UserAccountControl Quick Reference Guide.  It’s not intended to be a complete reference on the UserAccountControl attribute, but rather a quick reference for common values related to Access Rights.

It includes things like checking for password not required, password set to not expire, disabled accounts, and smart card required.

© 2009 NetVision Company Blog. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.