What does this person have access to? How have permissions on this file changed recently? These and many other questions are common in the world of file and folder permissions management, yet Windows’ native toolset makes them incredibly difficult to answer. Privilege explorer, part of the Blackbird Management Suite (BBMS), is designed to answer exactly those questions – and many more.


Exploring File and Folder Privileges in Your Environment

Who has access to what?

Knowing “who has access to what” in your organization is more than just a nice piece of management information: for most companies today, it’s a critical element of providing security and controlling data leakage, a growing concern in modern business. For many companies, knowing the answer to that question is mandated by data governance rules in legislation or industry requirements. Further, you need to ensure that only those people who need access to a resource actually have it.


Centralizing Permissions Knowledge

The key to Blackbird privilege explorer’s capabilities is its central database, which stores all permissions information from across your organization’s file servers. Unlike many permissions management solutions, privilege explorer doesn’t force you to inventory every file on every server; instead, you’re free to designate exactly what files and folders need to be included in the central database. This can include an entire server, a shared folder, or a specific folder path. If you’ve consolidated sensitive information into a small number of places, then privilege explorer can be focused on just those areas – or, of course, it can inventory every file on every server, if that’s what you need.

Privilege explorer also connects to one or more Active Directory domains, enabling it to translate native Windows Security Identifiers (SIDs) into actual user and group names. The directory connectivity also enables the product to expand groups – even deeply nested groups – into users, giving you the ability to see who has permissions on given resources, rather than which groups have permissions. This deep knowledge of group membership permeates the software, giving you more detailed and more useful information throughout.


Powerful, Flexible Reports

Privilege explorer leverages Microsoft SQL Server Reporting Services (SSRS) to produce powerful “snapshot” reports of permissions from across your environment. See who has access to a given set of resources. See what resources a given group of users can read or write. See what files’ permissions have changed recently. Anything. With both built-in and custom reports, you can find any permissions-related information you need. Thanks to SSRS, reports can be delivered online, via e-mail, and so forth, and can even be generated automatically for recurring reports.

Having access to this information through SSRS can vastly simplify and streamline work tasks for your IT operations staff, information security team, and for both internal and external auditors. Poorly equipped companies can spend days or weeks assembling this information for auditing, management, or forensic purposes; with privilege explorer, it’s just a few mouse clicks away at all times.


Interactive Explorer Views

As powerful as its reports are, the real heart and power of privilege explorer comes from its interactive Views. Each view is an ordered window onto the central permissions database, enabling you to discover nearly any information you might want. These views can be the starting point for powerful, task-focused exploration that helps operations staff, security teams, and auditors work faster and more securely:

    • Use views to perform forensic analyses, quickly identifying changed permissions and potential data leakage.
    • Views can instantly identify the exact resources that a former employee had access to, so that you can ensure the security of those files or perform forensic analysis in the event of a breach.
    • Security reviews are faster with views, since you can quickly determine the minimum set of privileges a group or role might need, and then ensure that only those privileges are in place.
    • Views enable you to identify unnecessary permissions – such as everyone in a group having full control over a set of resources – so that permissions can be tightened and cleaned.
    • Regular use of views supports routine permissions reviews, enabling your team to ensure that best practices – such as never permitting “Full Control” or the “Everyone” group on a resource – are being followed.
    • Use views to see what unintended access an employee may receive if they’re added to a particular user group.
    • Routinely conduct security reviews of access permissions on sensitive files and folders.
    • Views let you safely migrate files and folders without causing users to lose access, because you’ll know exactly what access they should have.


Granular View Security

Views are organized into folders and sub-folders, and each folder can have its own set of permissions. That controls who can utilize the view, thus helping to ensure privileged information isn’t exposed to unauthorized users. Further, a user who is utilizing a view can refine its contents to discover specific information, but they cannot expand the scope of the view – further ensuring that the view doesn’t accidentally reveal information to the wrong person.


A Completely Custom Point of View

A view’s definition controls what data appears within the view. You can configure a view to only present permissions information related to:

    • One or more specific users or groups
    • Specific permissions, such as “Read” or “Write”
    • Permissions contained on specific file servers
    • Permissions on specific shared folders, file paths, or other objects
    • Specific time ranges or permissions collection periods

Again, users of a view will always be able to refine the results they work with to include less information, but the top-level scope of a view controls the maximum amount of information it can contain. For example, users of a view could choose to filter out computers that they weren’t interested in, and have the freedom to filter on any other criteria to drill down into exactly the information they need.

From within a view, you can browse the objects (files and folders) that the view presents much as you would explore the real file system in Windows Explorer. For any given folder or file, you can choose to view:

    • All permissions
    • Inherited permissions
    • Applicable (effective) permissions
    • System-assigned permissions
    • Permissions that have changed

Color-coded permissions draw your attention to changes – including some kinds of changes that you might not have expected:

    • Red indicates a permission that has been removed since the previous inventory. You can right-click these to roll back the change and restore the missing permission.
    • Green indicates a new permission that has been added since the previous inventory. You can right-click these to roll back the change and remove the new permission.
    • Blue indicates an effective permission change. This isn’t a change in the actual permissions assignment, but rather a change to a group membership, thus granting permission to an additional user or removing permissions from a user, depending upon how the group was changed. Double-clicking reveals the changes.

An individual permission can also be compared to the most recent inventory collection, or to a prior inventory collection, to get an authoritative answer to the question, “what changed here?”

Within a given path, you can get a list of applicable permissions. Simply select the user – including special accounts like “Everyone” – and you’ll see the applicable permissions for that user or group account.

Privilege explorer’s ability to retain past permission sets means you’ll always be able to track changes over time, prove past compliance with security rules, and even conduct forensic investigations (“how could that user have gained access to that file?”) more easily and more quickly.
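To make the mechanics of the sections above concrete, here is an added example; it is not Blackbird’s code and does not reflect how privilege explorer is implemented. It is a small Python model of a central permissions database holding two inventory collections: it translates SIDs to directory names, expands nested groups into users (the directory-connection capability described earlier), classifies changes between collections into the red, green and blue categories the views use, answers the applicable-permissions question for a single user, and flags ACEs that break the “no Full Control, no Everyone” rule. Every SID, account name, group, right and path is constructed sample data, and the `Inventory`, `expand_group`, `effective_rights`, `rights_for`, `diff_path` and `risky_aces` names are this example’s own.

```python
"""Added example, not Blackbird's code: a toy 'central permissions database'
with two inventory snapshots of NTFS-style ACLs plus the directory data needed
to translate SIDs to names and expand nested groups. Every SID, name, right
and path here is constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

EVERYONE = "S-1-1-0"
# Constructed directory data: SID -> display name.
SID_NAMES = {
    EVERYONE: "Everyone",
    "S-1-5-21-1-1001": "alice",
    "S-1-5-21-1-1002": "bob",
    "S-1-5-21-1-1003": "carol",
    "S-1-5-21-1-2001": "Finance-Users",
    "S-1-5-21-1-2002": "Finance-Admins",
}
# The user population that the special 'Everyone' identity stands for.
USERS = {"S-1-5-21-1-1001", "S-1-5-21-1-1002", "S-1-5-21-1-1003"}

ACE = Tuple[str, str]  # (trustee SID, right)


@dataclass
class Inventory:
    """One collection run: per-path ACEs and the group membership at that time."""
    acl: Dict[str, FrozenSet[ACE]]
    groups: Dict[str, Set[str]]  # group SID -> member SIDs (users or groups)


def name(sid: str) -> str:
    """Translate a SID to a directory name, falling back to the raw SID."""
    return SID_NAMES.get(sid, sid)


def expand_group(sid: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """Return every user SID that is a transitive member of `sid`; a user SID
    expands to itself. `seen` breaks cycles in circular nesting."""
    if sid not in groups:
        return {sid}
    seen = set() if seen is None else seen
    if sid in seen:
        return set()
    seen.add(sid)
    users: Set[str] = set()
    for member in groups[sid]:
        users |= expand_group(member, groups, seen)
    return users


def effective_rights(inv: Inventory, path: str) -> Dict[str, Set[str]]:
    """Map each user SID to the rights it effectively holds on `path` once
    every trustee is expanded with this inventory's group membership."""
    rights: Dict[str, Set[str]] = {}
    for trustee, right in inv.acl.get(path, frozenset()):
        users = USERS if trustee == EVERYONE else expand_group(trustee, inv.groups)
        for user in users:
            rights.setdefault(user, set()).add(right)
    return rights


def rights_for(inv: Inventory, path: str, user_sid: str) -> List[str]:
    """The 'applicable permissions' one user has on a path, sorted."""
    return sorted(effective_rights(inv, path).get(user_sid, set()))


def diff_path(prev: Inventory, cur: Inventory, path: str) -> Dict[str, List[str]]:
    """Classify changes on `path` the way the view colour-codes them:
    red = ACE removed, green = ACE added, blue = no ACE change for the user,
    but a group-membership change altered their effective rights."""
    old, new = prev.acl.get(path, frozenset()), cur.acl.get(path, frozenset())
    out: Dict[str, List[str]] = {"red": [], "green": [], "blue": []}
    out["red"] = [f"{name(t)}: {r}" for t, r in sorted(old - new)]
    out["green"] = [f"{name(t)}: {r}" for t, r in sorted(new - old)]
    # Hold the ACL at the previous inventory and apply only the new membership,
    # so the blue set isolates what group changes alone did.
    before = effective_rights(prev, path)
    after = effective_rights(Inventory(prev.acl, cur.groups), path)
    for user in sorted(set(before) | set(after)):
        gained = sorted(after.get(user, set()) - before.get(user, set()))
        lost = sorted(before.get(user, set()) - after.get(user, set()))
        if gained or lost:
            out["blue"].append(f"{name(user)}: gained {'/'.join(gained) or 'nothing'}, "
                               f"lost {'/'.join(lost) or 'nothing'}")
    return out


def risky_aces(inv: Inventory, path: str) -> List[str]:
    """Flag ACEs that break the 'never Full Control, never Everyone' practice."""
    return [f"{name(t)}: {r}" for t, r in sorted(inv.acl.get(path, frozenset()))
            if t == EVERYONE or r == "FullControl"]


PATH = r"\\fs01\finance\payroll"  # constructed path
PREVIOUS = Inventory(  # earlier collection: Finance-Admins nested inside Finance-Users
    acl={PATH: frozenset({("S-1-5-21-1-2001", "Read"),
                          ("S-1-5-21-1-2002", "FullControl")})},
    groups={"S-1-5-21-1-2001": {"S-1-5-21-1-1001", "S-1-5-21-1-2002"},
            "S-1-5-21-1-2002": {"S-1-5-21-1-1002"}},
)
LATEST = Inventory(  # later collection: Admins ACE replaced by Everyone, carol joined Admins
    acl={PATH: frozenset({("S-1-5-21-1-2001", "Read"),
                          (EVERYONE, "FullControl")})},
    groups={"S-1-5-21-1-2001": {"S-1-5-21-1-1001", "S-1-5-21-1-2002"},
            "S-1-5-21-1-2002": {"S-1-5-21-1-1002", "S-1-5-21-1-1003"}},
)

if __name__ == "__main__":
    for colour, items in diff_path(PREVIOUS, LATEST, PATH).items():
        print(colour, items)
    print("bob now has:", rights_for(LATEST, PATH, "S-1-5-21-1-1002"))
    print("risky ACEs:", risky_aces(LATEST, PATH))
```

The blue classification is computed by re-evaluating the previous ACL under the latest group membership, which separates the effect of membership changes from the red and green ACE changes on the same path; in the sample data that surfaces carol gaining Read and Full Control through the nested Finance-Admins group without any ACE naming her. Treating “Everyone” as the whole user population is what makes the added Everyone/Full Control ACE show up both as a green change and in the risky-ACE check.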


Compliance-Ready

Many of today’s companies are faced with increasing industry and legislative requirements, and Blackbird privilege explorer is designed to help you meet and maintain compliance with those requirements. Specifically:

    • Privilege explorer helps meet several key requirements of the Payment Card Industry’s Data Security Standard (PCI DSS), including: 
