NetVision

NetVision Company Blog

A Discussion on Effective Audit of User Access

Comparative Review: Active Directory Auditing Tools

Tags: , , , , , ,

NetVision was recently featured in a Windows IT Pro product comparative review on Active Directory audit solutions. The full article is available in the September issue and on the Windows IT Pro web site under the title Comparative Review: Active Directory Auditing Tools. But, we just wanted to call out a few of our favorite quotes:

Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool.

NetVision should be your first choice if you’re looking for a turnkey solution. No matter whether you want to use the physical appliance, virtual appliance, or managed service, it’s the best for hands-free AD auditing.

Overall, I was impressed with [NetVision's] product. It’s extremely robust

Each one has its own strengths and weaknesses, but the one that impressed me the most was [NetVision] NVAssess, which is why it earns the Editor’s Choice award.

Well said Windows IT Pro!

Of course, to get the details, please read the full article. And let us know if you have any questions.

Setting up Windows and Active Directory Event Log Auditing

Tags: , , ,

There is more than meets the eye when it comes to Windows event log auditing for Active Directory or Windows file system. You can’t just “switch it on” as some might have you think. A recent NetVision white paper takes a lighthearted look at the steps involved in setting up Windows audit and event logging. It identifies some of the considerations and complexity related to Windows event log auditing. You can find the paper on our knowledge page. We invite you to take a look (quick registration required).

For an abbreviated version, take a look at our recent newsletter on this topic.

NetApp File Monitoring

Tags: , , , ,

NetApp file monitoring is finally right around the corner.  Our solution for monitoring activity on NetApp Filers is due to officially release in the coming weeks.  We’ll have file reads, changes, creates, deletes, permission changes, etc. baked into our already successful web-based reporting console which also reports on Windows file system activity, Active Directory, Microsoft Exchange, and Novell Netware, eDirectory and NSS on OES2 (SUSE Linux) platforms.  NetApp file activity monitoring will be available through the same solution that already provides full effective rights reporting – who has access to what – across Windows and NetApp devices.  Contact us for more information!

Microsoft Exchange Monitoring: Preview

Tags: , ,

NetVision will soon be announcing availability of our Microsoft Exchange monitoring capabilities.  Indepent of Microsoft event logs, this solution will enable you to monitor message, calendar, contact, and task activity.  Events can be triggered based on whether the initiator is the mailbox owner as well as event filtering by subsets of users.  So, for example, if a help desk user sends a message from your CEO, you might want to take different action than if the CEO’s assistant sends a message from that account.

If you’d like us to keep you updated on the Exchange monitoring release, please let us know.

Take Ownership Issue

Tags: , , , ,

According to the two TechNet articles below, a user with the ‘take ownership’ permission on a file or folder should be able to assign ownership to a group of which they’re a member. Unfortunately, it doesn’t seem to work that way.  An error is thrown indicating that the user should have ‘restore files and directories’ permission in order to assign ownership to a group.

http://technet.microsoft.com/en-us/library/cc753659.aspx
http://technet.microsoft.com/en-us/library/cc780020(WS.10).aspx

Thanks! to FK for raising the issue (which contradicts information in the NetVision paper on Windows Access Rights)  It’s a fairly obscure find, but worth understanding.

Access Rights – Single Server – Free Trial

Tags: , , ,

NetVision this week announced a free trial of our Access Rights Inspector Single Server Edition.  Click here for more information on the Single Server Edition and the free download.  This version is limited to a single server and produces reports in only PDF format.  But it still provides extremely useful reports on effective rights calculating nested groups, hierarchical permissions, and more.  Give it a try on your own server today and let us know what you think!

NetApp Security Audit

Tags: , , , ,

We’ve already mentioned on this blog that NetVision provides calculated file system permission reporting with Access Rights Inspector.  What we haven’t discussed is that we support NetApp file storage solutions in Windows networking environments. 

You can connect NetApp devices to your Windows environment using Common Internet File System (CIFS) and leverage the existing authentication services in Active Directory.  Windows/NTFS permissions can be quite complicated.  Add the complexity of Windows shares and you’re soon looking for a way to easily report on access rights.

That’s where Access Rights Inspector steps in wearing a long red cape and blue tights.  With full understanding of groups, nested groups, file ownership , share permissions and more, it gives easy answers on effective rights for Windows and NetApp file storage solutions.

Windows File Share Permissions

Tags: , , , ,

Windows file system permissions are complicated enough without having to consider file shares.  But, we use shares because they make life easier in networked environments.  So, we need to understand how Windows file share permissions affect the effective rights that users have to files and folders.  The Security permissions tab doesn’t tell the whole story.

Sometimes, we run into scenarios where an account appears to have been granted access to appropriate groups, but when the user tries to access an important file, she is denied access.  Other times, it’s the reverse scenario. Again, users appear to have been granted appropriate group memberships, but they are actually able to access more than they should.  And of course it’s almost never obvious why we get these unexpected results.

When configuring a Windows file share, the permissions for the share are handled differently than the rights granted on the file system itself. Each share has its own ACE (Access Control Entry) that governs the permissions on the file system to which the share enables access. Since both direct assignments and share assignments have their own ACEs, Microsoft provides a simple rule on how these ACEs will work together. When both affect the same area of the file system, the most restrictive of the two permission sets has precedence. Sounds simple. But in practice, determining how direct and share permissions cause unexpected effective rights for users can be complicated and time consuming.

Complicating things further, users are sometimes directly granted permissions to a share or file system rather than having permissions assigned via group memberships. And accounts can belong to numerous groups that each has different sets of permissions. As this web of permissions is constructed from multiple sources of permission assignments, the job of determining how accounts have gained or lost access gets increasingly complicated.

NetVision takes the mystery out of Access Rights. It’s critical to be able to easily and quickly determine the effective rights to sensitive data. NetVision’s Access Rights Inspector allows users to gather file system rights information, and then display the effective rights applied to users and groups across the file system.

Instead of limiting our scope to explicit rights across a file system (ACE entries), NetVision reports on permissions acquired from all sources – explicit permissions, shares, ownership, group memberships, etc. Access Rights Inspector makes all permission settings clear and provides a quick view into the calculated effective rights saving time, reducing cost, and improving your security posture.

Link – Why Add Active Directory Domains?

Tags: ,

An interesting article on SearchWindowsSecurity.com discusses when it’s useful to add new domains to your Active Directory network environment.

The Windows Owner Attribute

Tags: , , ,

When files and folders are created on the Windows file system, an owner is assigned to that object.  By default, the owner is the creator of the file.  But, ownership can be re-assigned by the current owner or system administrators. When assigning an owner, it’s critical to understand what the attribute means. 

A file or folder owner always has the rights to adjust permissions.  So, even if everyone is denied rights and the owner account can no longer view the document, it can still be used to adjust permissions to grant itself (or anyone else) any additional permissions.

In most cases, an explicit deny rule takes precedence over other rights assignments. In the case of owner, however, this is not true.  So, ownership needs to be considered when looking at what file permissions are assigned.

The implicit rights granted by the owner attribute take precedence over all other permissions, including denies.

To ensure proper access to files on the Windows file system, NetVision’s ARI accounts for the owner of a file system object when calculating effective rights. This allows users to be able to locate accounts that may have more privileges than expected because they are set as the owner of a file or folder. If a user is set as the owner and their effective permissions also allow them to browse or see the file or folder, then they can grant other rights to see items in the folder and below. If you don’t want users to be able to change permissions on files and folders, then you need to ensure that they’re not set as the owner. The owner attribute in most cases should be set to an administrative group so only appropriately privileged accounts can change these permissions.

© 2009 NetVision Company Blog. All Rights Reserved.

This blog is powered by Wordpress and Magatheme by Bryan Helmig.