Subject: RE: [ActiveDir] OT: How to control the proliferation of unintended user access to information
Author: Gil
Posts: 77
10/04/2008 1:19 PM
Managing entitlements is just like managing user accounts, only more complex. You have to have clear policies, tools that implement those policies over the entire lifecycle, a way to handle exceptions, and a way to audit the whole thing. There is no magic bullet.

An important aspect of the policy is to assign ownership of resources to the appropriate people (mostly _not_ IT people), and to make sure that they review the current set of entitlements to their resources periodically. This process should be automated as well.

NetPro (now Quest) has products that do this sort of thing, as do a few other vendors. You can in theory manage it by hand, but I've _never_ seen it done properly or reliably. When you start considering the ACLs on individual resources (shares, folders, OUs, files, services, etc), the scale of the problem space gets ugly in a hurry.

-gil

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Richard Kline
Sent: Saturday, October 04, 2008 5:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: How to control the proliferation of unintended user access to information

Please excuse this off-topic question. I'd be glad to submit it to another forum if someone would be good enough to suggest something more appropriate.

Briefly: What strategies can be used to control unintended user access to information through Security and Distribution List membership?

Please understand that this is a hypothetical situation and could never happen in the real world....

Scenario: SupervisorA submits a request to have a domain account created for NewEmployeeB and, in the instructions, states "Just make the new account like OldEmployeeC". So that is done. Eventually SupervisorA realizes that NewEmployeeB is receiving all sorts of confidential E-mails that OldEmployeeC needed (or perhaps didn't). EmployeeB now has access to shared folders that OldEmployeeC once used for a top-secret project that was terminated months ago but was never "cleaned up". The situation might be extreme if there were years (dating back to NT 4 days) of mismatching domain administrator styles, technology upgrades without thorough review of existing situations, inadequately defined group purposes or loose adherence to those purposes which were defined.

It was suggested that a better new user request form would take care of the problem. I'm of the opinion that there is no one "magic bullet" to fix the situation and that a thorough review and enforced adherence to a stricter set of standards and practices would be needed.

I'd appreciate thoughts on the subject. Please feel free to e-mail me directly.

Thank you.
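As an added illustration of the two points in this exchange (not code from the thread or from any vendor product it names): the script below builds the periodic entitlement-review work list Gil describes, tying every group to a business owner recorded in the managedBy attribute and flagging the conditions that let a "make it like OldEmployeeC" account inherit forgotten access (no owner, no documented purpose, membership untouched for a year). It then lists exactly what NewEmployeeB received. Group, owner and member names are constructed sample data; Get-GroupsFromAD is the live variant and assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original thread. Group/owner/member names are constructed.

function Get-GroupsFromAD {
    # Live variant: produce the same object shape from AD (assumes the ActiveDirectory module).
    Import-Module ActiveDirectory
    Get-ADGroup -Filter * -Properties managedBy, description, whenChanged | ForEach-Object {
        $members = @(Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
                     Select-Object -ExpandProperty SamAccountName)
        [pscustomobject]@{
            Name        = $_.Name
            ManagedBy   = $_.managedBy      # DN of the business owner; empty if nobody was ever assigned
            Description = $_.description
            WhenChanged = $_.whenChanged
            Members     = $members
        }
    }
}

function New-EntitlementReview {
    # One review row per group: who must sign off, who is in it, and what looks wrong.
    param(
        [Parameter(Mandatory)] [object[]] $Groups,
        [int] $StaleDays = 365,
        [datetime] $Now = (Get-Date)
    )
    foreach ($g in $Groups) {
        $findings = @()
        if (-not $g.ManagedBy)      { $findings += 'no owner (managedBy empty)' }
        if (-not $g.Description)    { $findings += 'purpose not documented' }
        if ($g.Members.Count -eq 0) { $findings += 'no members' }
        if (($Now - $g.WhenChanged).TotalDays -gt $StaleDays) {
            $findings += "not modified in $StaleDays days"
        }
        $owner = if ($g.ManagedBy) { $g.ManagedBy } else { 'UNASSIGNED' }
        [pscustomobject]@{
            Group    = $g.Name
            Owner    = $owner
            Members  = $g.Members
            Findings = $findings
        }
    }
}

function Get-InheritedAccess {
    # What a cloned account actually received: every group the user is in, with its
    # owner and findings, so the supervisor can confirm or revoke each entitlement.
    param([Parameter(Mandatory)] [string] $User, [Parameter(Mandatory)] [object[]] $Review)
    $Review | Where-Object { $_.Members -contains $User }
}

# --- constructed sample data standing in for Get-GroupsFromAD output ---
$sample = @(
    [pscustomobject]@{ Name = 'Finance-Confidential'; ManagedBy = 'CN=Supervisor A,OU=Users,DC=example,DC=com'
                       Description = 'Finance confidential mail distribution'; WhenChanged = (Get-Date).AddDays(-20)
                       Members = @('oldemployeec', 'newemployeeb') }
    [pscustomobject]@{ Name = 'Project-Terminated'; ManagedBy = $null
                       Description = ''; WhenChanged = (Get-Date).AddDays(-600)
                       Members = @('oldemployeec', 'newemployeeb') }
    [pscustomobject]@{ Name = 'Helpdesk-Staff'; ManagedBy = 'CN=IT Manager,OU=Users,DC=example,DC=com'
                       Description = 'Tier 1 helpdesk'; WhenChanged = (Get-Date).AddDays(-5)
                       Members = @('helpdesk1') }
)

$review = New-EntitlementReview -Groups $sample -StaleDays 365

# Per-owner work lists: each owner (or the UNASSIGNED bucket, which IT must resolve first)
# sees only the groups they are accountable for.
$review | Group-Object Owner | ForEach-Object {
    "== Review items for $($_.Name) =="
    $_.Group |
        Select-Object Group,
                      @{ n = 'Members';  e = { $_.Members  -join ';'  } },
                      @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
        Format-Table -AutoSize
}

# What NewEmployeeB inherited from the "make it like OldEmployeeC" request.
Get-InheritedAccess -User 'newemployeeb' -Review $review |
    Select-Object Group, Owner, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } |
    Format-Table -AutoSize
```

Replace `$sample` with `Get-GroupsFromAD` to run against a domain, and pipe each owner's rows to `Export-Csv` instead of `Format-Table` to hand them out for sign-off. With the sample data, Project-Terminated lands in the UNASSIGNED bucket with three findings, which is the "never cleaned up" case from the question surfacing before anyone clones the next account from it.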

Copyright 2008 ActiveDir.org