It is not uncommon for files & shares to grow significantly in a Windows Server based network. Even with SOPs & change control, it is still relatively easy to fall behind on resource access management. Most organizations do not have a great deal of insight into who has access to what as the organization grows and deals with change.
I recently completed two NTFS & SMB share permission audits for organizations concerned that their data had become too unwieldy to manage, and possibly insecure. They both had stacks of paper from the help desk authorizing access changes from the data owners, but as the years go by there are staff changes, as well as modifications to policies and protocols. In addition, employees leave, accounts get deleted and renamed (such as a result of a change in marital status).
One solution is to invest in a structured repository such as Documentum or SharePoint but not all organizations want to invest in the implementation and client training involved in deploying these solutions. Even shops that are progressive about adopting new technologies don’t seem keen on entirely getting rid of the “shared drive” or the “personal drive” (often mapped to client friendly drive letters).
It is easy to identify permissions for a specific resource (select the folder or file and right click, choose properties and read the straightforward ACL), but what about bulk changes, or going from a user or group perspective to see access over multiple folders, shares, or even trusted domains? Some free tools from Microsoft namely AccessChk and AccessEnum offer some basic insight in ACLs, but do not have the ability to ease or automate any desired changes.
Fortunately, there are commercial products that can help. I used Security Explorer from Script Logic (Quest Software) to help these two customers get more insight into their files and shares and help identify any security errors & violations. I was able to produce detailed reports that the customers found useful, and then showed them how they could make bulk custom changes with the tool. The interface was very intuitive (except that it treats shares and NTFS permissions as two logically separate entities). The application also supports Exchange, SQL, and SharePoint, but our customers did not license these features, so I cannot comment on them. If you are faced with a Windows file or share level permission audit, or simply just want more insight and manageability into your shared / NTFS volumes, you should get the trial from Script Logic.
For more information, please contact us at firstname.lastname@example.org