I’ve just recently started a new job in a company with an existing 2K3 AD setup. The company started small, and has grown rapidly.
During the earlier stages, security and ACLs were fairly relaxed, with the default fairly “wide-open” browse access to drives, folders etc. for Domain Users left as is, as users were all company employees – only select folders (e.g. HR department, senior admin etc.) have inheritance deliberately broken, and effectively “deny” rights imposed.
We’re now into a situation where some outside consultants need periodic access to files (not apps) on our network. The intent is to allow them in via AD (they already have accounts [and separate groups] for when they work onsite), but to limit what they can actually see/browse, to one key share out of many located across 20 servers – in other words, deny ‘em everything except access to “Common”.
The thought of having to march across the LAN & WAN every time there’s a change like this makes me shudder. I’m thinking this has to be a great job for a script, but don’t know where to start.
Can you help point me in the right direction?
ASKED:
March 6, 2008 7:17 PM
UPDATED:
March 18, 2008 1:03 AM
Good answer, as far as it goes… And I agree, there are a number of tools to help build a report on security holes.
However, based on careful reading of the question, I believe the writer is looking for help with scripting (perhaps using PowerShell? or a third-party package?) to help automate a huge job…
I’m curious also…
After the initial work of finding out who needs access to what and the domain groups are set up, while this could be automated, unless there are dozens of servers and hundreds of network shares, more time will probably be spent writing the script than would be spent manually configuring the network share permissions.
Remove the everyone group from network resources.
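An added example, not from the original thread and not any poster's code: a PowerShell script that audits the NTFS ACL at the root of every disk share on a list of servers and flags any ACE that would let the consultants' group in anywhere other than Common (including the broad Everyone / Domain Users grants mentioned above), so the change can be reviewed before a single ACL is touched. The server names, the CORP domain and the Consultants group name are assumptions. Get-Acl on a UNC path reads the share root's NTFS ACL, not the share-level permissions, so those still need a separate check.

```powershell
# Added example (not from the original thread): report-only audit of the NTFS ACL
# on the root of each disk share across several servers. Names are assumptions.
param(
    [string[]]$Servers      = @('FS01', 'FS02'),   # assumed file server names
    [string]$Group          = 'CORP\Consultants',  # assumed consultant group
    [string]$AllowedShare   = 'Common',            # the one share they should reach
    [string]$ReportPath     = '.\share-acl-report.csv'
)

# Identities whose Allow ACE on any other share effectively lets consultants in,
# because the consultant accounts are members of these groups too.
$broad = @($Group, 'Everyone', 'CORP\Domain Users',
           'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

$rows = foreach ($server in $Servers) {
    # Win32_Share Type 0 = disk share; the -notmatch drops hidden/admin shares (C$, ADMIN$)
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $server |
        Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }
    foreach ($share in $shares) {
        $unc = "\\$server\$($share.Name)"
        $acl = Get-Acl -Path $unc -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "Cannot read NTFS ACL on $unc"; continue }
        foreach ($ace in $acl.Access) {
            if ($broad -contains $ace.IdentityReference.Value) {
                New-Object PSObject -Property @{
                    Server    = $server
                    Share     = $share.Name
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                    # Exposed = an Allow for a broad identity on a share consultants should not see
                    Exposed   = ($share.Name -ne $AllowedShare -and
                                 $ace.AccessControlType -eq 'Allow')
                }
            }
        }
    }
}

# Full report for the change record, plus a console summary of what needs fixing
$rows | Sort-Object Server, Share | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Where-Object { $_.Exposed } |
    Format-Table Server, Share, Identity, Rights, Inherited -AutoSize
```

Run it from a workstation with the RSAT/WMI access needed to reach each server; the Inherited column tells you whether a fix belongs on the share root or further up a folder tree where inheritance was left intact.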