1) Good luck on changing the "This is how it's always been done, why change" argument (like Jim said, when they get burned they get burned).

2) Auditing and ABE (Access Based Enumeration) is a great 1-2 punch to getting the data auditable and structured, just remember Authentication, Authorization and Auditing.

3) This kinda goes in with part (2), given that in the course of re-structuring you need to talk with the business or at least the users of the data, and take it in small chunks accordingly, and at first it's going to feel like a Great White Shark took a bite out of you when people don't have access anymore, but after you start applying structure, groups, permissions and auditing it will get easier and easier, and should let you structure more and more of the data in a similar structure across your servers as a corporate/organizational standard. (Trust me, it took a while here, but a simple Users / Department share structure across all the file servers has worked wonders for data structure.)

I think some of the best arguments that Management will see the light of day on will probably be the following:

Data Integrity: I am sure that if there are files or folders with sensitive information, and someone with that generic account that has access manipulates figures or information inside those files, which causes financial reporting or other company misrepresentations to happen (Q10 report to the SEC) (HIV status on patients) (financial earnings for the next quarter), then who did the data manipulation and when was it done, at what time was the document or documents correct, and when was its data integrity violated? With lack of auditing, access, and accounting of actions by users that is exactly the quagmire that happens, and the business comes to beat the management of IT over the head, when the business (data-owner) has not properly done their due diligence in properly describing the importance of the data which the data-custodian (IT) is charged with protecting under the security schema that is supposed to be dictated by the data-owner (Business).

This is only one of the situations that could arise, and there are many, many others that are even more serious and could cripple a company/organization to the point it doesn't recover, all because the simple security steps were never thought of in the beginning, or the politics and the lack of leadership within those said organizations never allowed the correct structure to be put in place and to make people accountable for their actions.

Food for thought, Happy Friday all :)

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, November 12, 2010 3:43 PM
To: NT System Admin Issues
Subject: Re: Questions on the Application of Restricted Groups to Local Groups on Servers, Workstations

On Fri, Nov 12, 2010 at 2:53 PM, Ziots, Edward <[email protected]> wrote:
> the real problem is permissions beyond ones job responsibilities, and the
> risk that it entails, and the politics that goes with it.

Yah, we're currently struggling through that here at %WORK%. A huge chunk of the company's data is in a giant pile on a shared folder that's got no organization and no selective permissions at all. If you've got an account, you've got access.

Currently working on it, but there are multiple challenges: (1) Changing 15+ years of thinking. (2) Figuring out who actually needs access to what. (3) Figuring out what some of this stuff even is.

My favorite find so far is a working copy of Microsoft Project 3.0a (circa 1992), buried several layers deep in an archived projects folder. It still ran. Remember when you could install software just by copying files? :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
--- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
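The per-department share structure, group-based NTFS permissions, auditing and ABE that the reply above recommends, as an added PowerShell example that is not from either message in this thread. The domain name DOMAIN, the share root D:\Shares\Departments, the department "Finance" and the group naming are assumptions; it assumes a Windows Server 2012 or later file server with the ActiveDirectory and SmbShare modules (the cmdlet-based ABE setting postdates the 2010 thread).

```powershell
# Added example (not from the thread): build one department share the way the
# reply describes -- a per-department AD group, NTFS permissions granted only to
# that group, an audit (SACL) rule so changes are attributable, and ABE so users
# only see folders they can open. DOMAIN, D:\Shares\Departments, 'Finance' and
# the FS-<Dept>-RW group name are assumptions. Run elevated on the file server.
#Requires -Modules ActiveDirectory, SmbShare
param(
    [string]$Department = 'Finance',
    [string]$ShareRoot  = 'D:\Shares\Departments',
    [string]$Domain     = 'DOMAIN'
)

$groupName = "FS-$Department-RW"
$path      = Join-Path $ShareRoot $Department

# 1) One security group per department; group membership is what gets reviewed.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Description "Modify access to \\$env:COMPUTERNAME\$Department"
}

# 2) Folder with inheritance cut off, so it does not inherit 'Everyone' from the root.
New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path -Audit            # -Audit so the SACL is read and written too
$acl.SetAccessRuleProtection($true, $false)  # stop inheriting, drop inherited ACEs
$modify = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$Domain\$groupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$admins = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($modify)
$acl.AddAccessRule($admins)

# 3) Audit successful writes/deletes/permission changes by anyone: this is what answers
#    "who changed the document, and when". The 'File System' object-access subcategory
#    must also be enabled (auditpol /set /subcategory:"File System" /success:enable).
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'Write,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    'ContainerInherit,ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($audit)
Set-Acl -Path $path -AclObject $acl

# 4) Share it with Access-Based Enumeration. The share-level ACL stays broad; the
#    NTFS DACL above is what actually restricts access.
if (-not (Get-SmbShare -Name $Department -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Department -Path $path -FullAccess 'Authenticated Users' `
        -FolderEnumerationMode AccessBased | Out-Null
} else {
    Set-SmbShare -Name $Department -FolderEnumerationMode AccessBased -Force
}
```

Run it once per department and the resulting audit events (4663 in the Security log) name the account, the file and the time of each change, which is the accountability the reply argues management needs.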
