File Servers Done Properly – Important Files Need Proper Protection
Pretty much all organizations share files between their users over the network. On a small scale, this can be done with shared folders on your desktop and by emailing files around. That gets cumbersome very quickly, as you add more people to the mix. Also, once the issue of backups and Security gets into the equation, there’s the need to centralize your file storage.
Enter the File Server: This computer’s primary role in its life cycle is to store files and allow multiple users to access them, simultaneously. Back in the day when servers were quite expensive and required special skills to manage, file servers were a bit of a rarity. Today, we find file servers anywhere, even in people’s home networks, with devices from companies like QNAP being easily affordable.
So now that file servers are so easy to get your hands on, this begs the question: “What is the best way to handle access permissions?” This is an important topic, from a Security standpoint. File servers are central repositories of important documents for any organization. As such, access to them needs to be set up properly. Badly configured permissions will allow unauthorized individuals to access more data than they should, or worse, change/delete it.
I’ve performed multiple Security Audits of different networks, and in every single one of them, there have been file shares. During those audits I can say that not a single outfit I investigated maintained any kind of official documented list regarding their file shares. You may consider this unnecessary documentation, but every time I offered a report on folder permissions that did not conform to what was expected, nobody was ever able to tell me exactly what these should be. Oh, they may have had a rough idea, but did not know for sure. There have been other cases where I found file shares that seemed to be in active use, but they couldn’t tell me what their purpose was.
The list of errors I’ve seen goes on and on, but the strategy to avoid them can be summarized very easily:
1) Plan it
2) Document it
3) Do it
4) Monitor it
These steps are usually undertaken, albeit in an unofficial manner. The problem is that if they are not carried out officially, then there is no requirement to do so at all. So it may (or may not) get done.
Here is a list of Best Practices for managing your file shares:
1) Define the purpose of the files stored in this share
DO NOT make a monolithic file share that stores all your information. This will make it very difficult to find (or properly store) anything. Each file share should have a clearly defined purpose, so that anyone with access to the file share can understand the sort of data that should (and should not) be stored there.
2) Set up your access permissions based on groups, not users
NEVER set up your access permissions with individual user accounts. Always do this based on groups. This makes it easy to allow or restrict file share access, simply by adjusting the groups a user is a member of. When someone needs access to a file share, simply add them to the corresponding group, and you are done.
Don’t be afraid to create new groups that only correspond to file share access. The larger your outfit, the more file shares you will have. Access to them may not line up with your existing group structure. If that happens, the answer is not to shoehorn your existing groups into your file shares, but to create a whole new set of groups that you only use for file share access. This keeps access clean and simple.
3) Apply your permissions to folders, not files
Permissions should be applied to the folders, and those permissions ought to apply to all files and sub-folders within those folders. This keeps your permissions easy to understand and debug. It also keeps the description of the share straightforward and understandable. The permissions for everything within a specific file share should all be identical. If you have access to a file share, then you should have access to everything inside that share.
If there is a legitimate business case that can be made to apply separate permissions to a specific file or folder on a file share, then the answer is that it needs to be stored on a different file share. So, make one! Define the files to be stored there, as well as the access permissions, and move the necessary files and folders.
4) Document your file share purposes and permissions
Once a share is created, it’s vital to document what the permissions should be, and the purpose. As this information can change over time, it’s important to keep that document up to date. The reason to do this is that in the event of a problem, the record will be needed, as it defines the type of information which should be stored on the file share, as well as who should have access to read and change data.
5) Audit and/or Monitor your file share permissions
A file share stores important information. Backing it up is reasonably well understood in the industry. The reason is simple: if something goes wrong, you may need to restore all your data from a backup.
Something that is less well understood is that you need to keep an eye on your permissions. Just because you aren’t SUPPOSED to change them doesn’t mean people (or bad actors) won’t. Doing a periodic audit is good, but setting up active monitoring is better. The permissions for a file share are something that should never change. If they do, then the only acceptable reason is because there is some sort of business need that requires it. It’s not something that should happen very often.
6) Audit your file share activity
What do you do if someone deletes or changes a pile of very important information? You restore your backups obviously, but is that the end of it? Of course not. You need to find out who deleted those files. That means you need to log this data. If you do, you also need to audit it, not because you should be constantly watching, but because you need to have it in the event of a worst-case scenario.
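An added example, not part of the original post: one way to make practices 2 through 5 checkable is to keep the documented permissions as data and compare them with an export of the actual ACL entries. The share names, groups, user, export layout and the `audit` function are all assumptions made for illustration.

```python
# Added example. All share names, groups, users and paths are constructed.
# Documented baseline (practice 4): purpose and group -> access level per share.
DOCUMENTED = {
    "Finance": {"purpose": "Invoices and ledgers",
                "acl": {"FS-Finance-RW": "modify", "FS-Finance-RO": "read"}},
    "HR": {"purpose": "Personnel records", "acl": {"FS-HR-RW": "modify"}},
}
KNOWN_GROUPS = {"FS-Finance-RW", "FS-Finance-RO", "FS-HR-RW", "Domain Users"}

# Observed entries (share, path, principal, access), as an ACL export might
# list them. path "" is the share root; any other path is a file or
# sub-folder carrying its own explicit entry.
OBSERVED = [
    ("Finance", "", "FS-Finance-RW", "modify"),
    ("Finance", "", "FS-Finance-RO", "modify"),
    ("Finance", "", "jsmith", "modify"),
    ("Finance", "Payroll/2024.xlsx", "FS-HR-RW", "read"),
    ("HR", "", "FS-HR-RW", "modify"),
    ("Scans", "", "Domain Users", "modify"),
]

def audit(documented, observed, known_groups):
    """Return (share, finding, detail) tuples where reality differs from the docs."""
    findings, seen_root = [], {}
    for share, path, principal, access in observed:
        doc = documented.get(share)
        if doc is None:                       # share nobody documented
            findings.append((share, "undocumented-share", principal))
        elif path:                            # practice 3: folders, not files
            findings.append((share, "explicit-acl-below-root", f"{path}:{principal}"))
        else:
            seen_root.setdefault(share, set()).add(principal)
            if principal not in known_groups:         # practice 2: groups only
                findings.append((share, "user-not-group", principal))
            elif principal not in doc["acl"]:
                findings.append((share, "undocumented-group", principal))
            elif doc["acl"][principal] != access:     # practice 5: drift
                findings.append((share, "access-level-changed", principal))
    # Documented entries that have disappeared from the share root.
    for share, doc in documented.items():
        for group in sorted(set(doc["acl"]) - seen_root.get(share, set())):
            findings.append((share, "documented-entry-missing", group))
    return findings

if __name__ == "__main__":
    for finding in audit(DOCUMENTED, OBSERVED, KNOWN_GROUPS):
        print(*finding, sep=" | ")
```

Run on a schedule against a fresh export, an empty result means the shares still match their documentation; anything else is either an unauthorized change or a documentation update that was never made.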
That’s the long and short of it. There’s no magic or anything like that. This can all be done without using special software. I didn’t bother to include backing up the shares, because that’s the one thing in all my audits that every organization did, so I didn’t feel the need to mention it. As for the rest of the items in this list, most places did a couple.
If you have any questions about File Server Configuration, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.