Posted by: James Murray
Basic Security, Modern Network Architecture, Share Security
The file server role is one of the simplest roles on the network. Yet sometimes this simple role becomes very complex when we add in security principles. The modern network architect needs to understand how to do it right or get really good at troubleshooting complex security
Imagine an indoor mall. The parking lot is a huge community location. Anyone can park their bike or their car. There are very simple community rules but also very limited access to product and resources protected by the mall. Walking into the mall is still a place where most people still have access and are welcome. The rules inside the mall are stricter than in the parking lot, but are still fairly lax. As long as you don’t play in the fountains most people are welcome.
Walk deeper into the mall and the access changes. The rules seem to be stricter as a person gets closer to the actual products and assets protected and sold within the mall. The closer one approaches these assets that the mall protects, the more rules there are. Additionally with these rules there is more enforcement and punishment when rules are broken. Each inner door in the mall marks where security access heightens. At the same time, not so restrictive that people feel uncomfortable when shopping or working. Yet go even deeper into the employee areas and there are even more rules, more restrictions and harsher penalties that are more frequently enforced.
In a modern network, the security model is very similar. Full access to the corporate data is only given after a full verification of who you are. Limited access like read access to specific companywide documentation is available to everyone. Full access requires more trust as well as more security checks. Yet if designed well will hardly be noticeable. Well-designed security allows full organizational productivity. The people in the mall hardly notice the security unless they start breaking the rule. The same is true for a well-designed network. Each employee should have all the access to data that their role requires, while restricting data that isn’t required.
As simple as this may sound, I find myself cleaning up after certified network professionals who don’t understand how to build highly secure networks. In its simplest form there are three building blocks.
- File level security
- Folder level Security
- Share level security
File level security assumes a micro level of security management. In a mall, the jewelry store might use the equivalent of file level security. Jewelry is expensive, small and easy to walk out with and varies in value. Jewelry stores will go bankrupt if 10% of their inventory is lost. Therefore tracking each and every piece of jewelry is very appropriate. For most businesses though this level of security is not practical or effective.
Folder level Security is a more macro level of management. In a retail store under this model every piece of inventory has the same security procedure for keeping it secure. So rather than track every shoe lace and staple, the store builds a security model where everything is tracked the same way. Entry and access to the folder is important in this model.
Share level Security is like the door and security camera. The Share identifies who is an employee and who is not. Based on this, access to the store layout is granted based on this first evaluation. Even if you are the owner, if the share sees you as a customer or non-employee, there is no access to the employee sections of the store. Share level security is independent of file and folder security. What this means is that share level security does not consult file and folder security to determine share access. So may refuse access even when file level security allows full access.
Many security breaches happen because administrators have no idea how Share Level security works. So they give full access to all corporate shares. Giving full access to corporate shares is often the reason why someone in the internal network sees something in HR that they shouldn’t be seeing. By giving all users full access to all shares in the company, accidental breeches happen. Without closing the share permission, HR and other highly secure areas are at an extra level of security risk from accidental internal breaches. The Modern Network Architect needs to understand how file, folder and share access rights can protect the company from these types of accidental breeches.