5 Questions You’re Asked About Your File System Permissions – and How to Answer Them

Despite the growth of platforms like SharePoint Server and SQL Server, most companies still store most of their data in simple files and folders, on file servers, using Windows’ shared folders functionality to make that data accessible to users.

From a security and auditing perspective, Windows’ file system permissions are a nightmare. They are completely distributed: every file and folder carries its own access control list (ACL) recording who has what access to it. With permissions inheritance, an inherited entry on a file records only that it was inherited, not which parent folder it came from, so the file alone cannot tell you where a grant originates. Determining who has access to what, what permissions a given user holds throughout the organization, or what permissions a user has had on a given resource in the past are all difficult questions to answer. Yet they are the questions most frequently asked by auditors and forensic investigators, and for most companies’ internal security requirements, as well as outside requirements imposed by industry rules or legislation, you must be able to answer them.

One option, of course, is to have countless administrators spend countless hours combing through permissions dialog boxes to manually compile the information you need. To call that approach “impractical” is, of course, an understatement. Instead, you’re going to need a tool capable of centralizing your resource entitlements, and a way to draw reports out of that centralized database. You’ll find yourself answering five basic questions about your file and folder permissions.

 

Who Has Access to This File?

You’d think that the native Windows permissions management interface would at least make this task easy, but it doesn’t. Most organizations assign permissions to groups rather than to users, and the native interface offers no way to expand group membership into the list of users who effectively have permissions on a file. (The Effective Permissions tab in Advanced Security Settings, called Effective Access on newer versions, computes the rights of one named user or group, but it will not enumerate everyone with access.) Looking that information up yourself is laborious, because groups can contain other, nested groups, so you can spend a long time digging through memberships to find the actual users who can access a given resource.

What’s needed is a tool that can inventory permissions, check with Active Directory to expand group memberships, and report on the actual users who have access to a resource, either through direct permissions assignment or through group membership – no matter how deeply that membership is nested.

 

What Access Does This Person Have Across the Enterprise?

It’s entirely impractical to use Windows’ native tools to inventory a given user’s access across your entire organization. Much of a user’s access comes through group membership, so you would first have to enumerate every group they belong to, including membership that comes from a nested group or a chain of nested groups. Then you would have to track down, by hand, every file and folder on which that user or any of those groups has been granted permissions. Not impossible, but completely infeasible, given the completely distributed nature of Windows’ file system permissions.

What you need is a tool that can bring all the permissions into a single database. Then, it’s relatively easy to expand a user’s group memberships and create reports that include every file or folder that the user has any kind of access to.
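The inventory the two preceding sections describe, as an added example that is not part of the white paper: every ACE under a share root is collected into flat rows, each group principal is expanded (recursively, with a cache so a nested group is only resolved once) into the users behind it, and the rows are then filtered by file or by user. It assumes the RSAT ActiveDirectory module is installed, that it runs on the file server itself so that BUILTIN and server-local groups can be resolved with Get-LocalGroupMember, and that the share path, domain and account names are illustrative.

```powershell
# Added example (not from the white paper): inventory every ACE under a share root and
# expand each group ACE into the users behind it, so the rows can be filtered by file
# ("who has access to this file?") or by user ("what does this person have?").
# Assumptions: the RSAT ActiveDirectory module is installed, the script runs on the
# file server itself (so BUILTIN and server-local groups resolve via Get-LocalGroupMember),
# and the share path, domain and account names are illustrative.
Import-Module ActiveDirectory

$script:MemberCache = @{}   # principal -> users; each (nested) group is expanded only once

function Expand-Principal {
    param([string]$Identity)   # 'CORP\Finance-RO', 'BUILTIN\Users', 'CORP\jdoe', 'Everyone', 'S-1-5-21-...'
    if ($script:MemberCache.ContainsKey($Identity)) { return $script:MemberCache[$Identity] }
    $domain, $name = $Identity -split '\\', 2
    $users = @($Identity)   # default: not a group we can expand (a user, an orphaned SID, 'Everyone'), keep as-is
    if ($name) {
        switch ($domain) {
            'NT AUTHORITY' { break }   # SYSTEM, Authenticated Users, etc.: there is no member list to expand
            { $_ -in 'BUILTIN', $env:COMPUTERNAME } {
                # Local group on this server; its members are frequently domain groups, so recurse into them
                $users = @(Get-LocalGroupMember -Group $name -ErrorAction SilentlyContinue | ForEach-Object {
                    if ($_.ObjectClass -eq 'Group') { Expand-Principal $_.Name } else { $_.Name }
                })
                break
            }
            default {
                try {
                    $null = Get-ADGroup -Identity $name -ErrorAction Stop   # throws when $name is a user, not a group
                    # -Recursive flattens nested groups and returns only leaf objects. For groups in a trusted
                    # domain add -Server $domain; groups above the 5000-member default limit need a paged query.
                    $users = @(Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                        Where-Object { $_.objectClass -eq 'user' } |
                        ForEach-Object { "$domain\$($_.SamAccountName)" })
                } catch { }
            }
        }
    }
    if ($users.Count -eq 0) { $users = @("$Identity (empty group)") }   # keep the ACE visible in the report
    $script:MemberCache[$Identity] = $users
    return $users
}

function Get-AclInventory {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }   # e.g. access denied
        foreach ($ace in $acl.Access) {
            foreach ($user in Expand-Principal $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    User      = $user
                    Via       = $ace.IdentityReference.Value   # the ACE principal the user's access comes through
                    Type      = $ace.AccessControlType         # Deny beats Allow; never drop Deny rows from a report
                    Rights    = $ace.FileSystemRights          # generic rights (GENERIC_READ etc.) show as raw numbers
                    Inherited = $ace.IsInherited               # true: the ACE was copied down from a parent folder
                }
            }
        }
    }
}

$inventory = Get-AclInventory -Root 'E:\Shares\Finance'

# Who has access to this file?  One row per (user, ACE), including entries inherited from parent folders.
$inventory | Where-Object Path -eq 'E:\Shares\Finance\Budget.xlsx' | Sort-Object User | Format-Table -AutoSize

# What access does this person have across the share?  Explicit ACEs only, i.e. where each grant originates.
$inventory | Where-Object { $_.User -eq 'CORP\jdoe' -and -not $_.Inherited } | Sort-Object Path | Format-Table -AutoSize
```

The expanded rows multiply quickly (every file times every user behind every group), which is exactly why the paper argues for a central database rather than ad hoc queries; piping `$inventory` to `Export-Csv` gives you a dated snapshot to keep. Note that `NT AUTHORITY\Authenticated Users` and `Everyone` are reported as-is: there is no member list to expand, and a grant to them means effectively every domain account.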

 

Who Had Access to this File in the Past?

Compliance auditors dislike “snapshots,” because a snapshot reflects only a single point in time. Auditors also want proof that the environment was compliant before the snapshot was taken; in other words, they want to know that permissions are compliant and that they have been compliant. Unfortunately, Windows doesn’t natively store historical permissions. At best, if object access auditing was already enabled on the server, the Security log records each permission change (event ID 4670 carries the old and the new security descriptor), but those events are rarely retained for long, and reconstructing who had access on a given date from them is laborious.

With the right tool, however, this task becomes easy. By inventorying permissions into a central database, you can simply retain past permissions information as well as present. Creating reports that include ranges of time becomes straightforward, and auditors – or whoever needs the information – can quickly see how permissions have changed over time.

There’s a catch here: some products of this kind track only the permissions actually assigned to the file. That does not answer the question “who had access to this file in the past,” because a user may have gained access through membership in a group that has since changed. A good product also tracks group membership changes and reports the effective permissions as they changed over time.

 

Who Has Read Access to Any File on this Server?

This is another question beloved both by auditors and by forensic investigators responding to a security incident. It is tremendously difficult to answer with native Windows tools: you would need to examine each and every file independently, which the operating system is not designed to do well or quickly. A command such as icacls /t can dump every ACL in a tree, but you are then left to filter thousands of entries by hand, and group membership and nested groups complicate the matter again.

However, with a centralized database of permissions, answering this question is easy: Simply create a report that contains the permissions you’re interested in, such as “read access,” and let the report run. With a tool that is also capable of expanding group memberships to discover the actual users who have effective permissions on a file, you’ll be able to quickly answer this question.
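The “who has read access” report as an added example, not code from the white paper. It scans only explicit (non-inherited) ACEs below the root, since every inherited grant descends from an explicit ACE higher up (the root’s own inherited entries are kept because their source lies outside the scan), and it tests the rights bits rather than matching the word “Read”, because read access arrives as ReadData, ReadAndExecute, Modify, FullControl or as a raw GENERIC_READ/GENERIC_ALL bit that the FileSystemRights enum does not name. The share path is illustrative; principals are reported as named in the ACE, so groups still need expanding against AD (Get-ADGroupMember -Recursive) to get a list of users.

```powershell
# Added example (not from the white paper): every principal granted read access anywhere
# under a share root, found by scanning explicit ACEs and testing the rights bits.
# The share path is an illustrative assumption.

function Find-ReadGrants {
    param([string]$Root)
    $readData    = [int64][System.Security.AccessControl.FileSystemRights]::ReadData   # bit 0; ListDirectory on folders
    $genericMask = [int64]2415919104    # 0x90000000 = GENERIC_READ (0x80000000) | GENERIC_ALL (0x10000000)
    $rootFull    = (Get-Item -LiteralPath $Root).FullName
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }   # e.g. access denied
        foreach ($ace in $acl.Access) {
            # Below the root an inherited ACE merely repeats an explicit ACE already reported higher up
            if ($ace.IsInherited -and $item.FullName -ne $rootFull) { continue }
            # Treat the rights as an unsigned 32-bit mask; generic rights live in the high bits and
            # would otherwise appear as a negative number
            $rights = ([int64]$ace.FileSystemRights) -band 4294967295
            if (($rights -band $readData) -eq 0 -and ($rights -band $genericMask) -eq 0) { continue }
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Deny: read is revoked for this principal from here down
                Path      = $item.FullName
                Rights    = $ace.FileSystemRights
                AppliesTo = '{0} / {1}' -f $ace.InheritanceFlags, $ace.PropagationFlags   # e.g. 'ContainerInherit, ObjectInherit / None'
            }
        }
    }
}

# Every principal holding an Allow read grant somewhere under the root, with the first place it was granted
Find-ReadGrants -Root 'E:\Shares\Finance' |
    Where-Object Type -eq 'Allow' |
    Group-Object Identity |
    Select-Object @{ n = 'Identity'; e = { $_.Name } }, Count, @{ n = 'FirstGrantedAt'; e = { $_.Group[0].Path } } |
    Sort-Object Identity | Format-Table -AutoSize
```

Two things an investigator should read off the raw rows before summarising: the Deny rows, because a Deny read ACE on a subfolder removes what an Allow higher up granted, and the AppliesTo column, because an ACE with `InheritanceFlags` of `None` on a folder grants read to that folder only and not to the files inside it.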

 

How Have Permissions on This File Changed Recently?

The leading cause of trouble in an IT environment is change, and when something goes wrong a troubleshooter’s first question is usually “what changed?” If a user suddenly can’t access a file, knowing how its permissions have changed is crucial to fixing the problem quickly. Unfortunately, with no stored history of past permissions, Windows’ native tools are of little help unless object access auditing was already enabled and the relevant change events are still in the Security log.

If you are inventorying permissions into a central database and storing historical information, however, then this is an easy question to answer. Simply indicate the file or folder you’re interested in, and compare its most recent permissions inventory to one or more inventories in the past. You’ll quickly see the timeline for permissions changes on that resource. With the right tool, you can even roll back recent, unwanted permissions changes to automatically fix the problem.
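The historical inventory, the comparison between two inventories, and the rollback that this section and the earlier “Who Had Access to this File in the Past?” section describe, as an added example that is not the white paper’s own tooling. Each snapshot records every object’s security descriptor in SDDL form with a timestamp; two snapshots are diffed path by path; and one object can be restored to the DACL recorded in an older snapshot. The share path, inventory folder and file names are illustrative assumptions.

```powershell
# Added example (not from the white paper): dated ACL inventories of a share, a diff of two
# inventories, and rollback of one object to a recorded DACL. Paths are illustrative.

function Export-AclInventory {
    param([string]$Root, [string]$OutFile)
    $rows = foreach ($item in @(Get-Item -LiteralPath $Root) +
                              @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }   # e.g. access denied
        [pscustomobject]@{
            Path  = $item.FullName
            Owner = $acl.Owner
            Sddl  = $acl.Sddl   # whole descriptor as one string; principals are SIDs, so a group rename is not a diff
        }
    }
    [pscustomobject]@{ Taken = (Get-Date).ToString('o'); Root = $Root; Entries = @($rows) } |
        ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $OutFile -Encoding UTF8
}

function Compare-AclInventory {
    param([string]$OldFile, [string]$NewFile)
    $old = Get-Content -LiteralPath $OldFile -Raw | ConvertFrom-Json
    $new = Get-Content -LiteralPath $NewFile -Raw | ConvertFrom-Json
    $oldMap = @{}; foreach ($e in $old.Entries) { $oldMap[$e.Path] = $e }
    $newMap = @{}; foreach ($e in $new.Entries) { $newMap[$e.Path] = $e }
    foreach ($path in (@($oldMap.Keys) + @($newMap.Keys) | Sort-Object -Unique)) {
        $o = $oldMap[$path]; $n = $newMap[$path]
        if (-not $o) { [pscustomobject]@{ Path = $path; Change = 'Added';   Old = $null;   New = $n.Sddl }; continue }
        if (-not $n) { [pscustomobject]@{ Path = $path; Change = 'Removed'; Old = $o.Sddl; New = $null };   continue }
        if ($o.Sddl -ne $n.Sddl) {
            [pscustomobject]@{ Path = $path; Change = 'Modified'; Old = $o.Sddl; New = $n.Sddl }
        }
    }
}

function Restore-AclFromInventory {
    param([string]$Path, [string]$InventoryFile)
    $entry = (Get-Content -LiteralPath $InventoryFile -Raw | ConvertFrom-Json).Entries |
             Where-Object Path -eq $Path
    if (-not $entry) { throw "No inventory entry for $Path in $InventoryFile" }
    $acl = Get-Acl -LiteralPath $Path
    # Replace only the DACL with the recorded one; restoring the owner too would need SeRestorePrivilege
    $acl.SetSecurityDescriptorSddlForm($entry.Sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage: snapshot nightly, diff against the previous night, roll back a bad change
# Export-AclInventory -Root 'E:\Shares\Finance' -OutFile "C:\AclInventory\Finance-$(Get-Date -Format yyyyMMdd).json"
# Compare-AclInventory -OldFile 'C:\AclInventory\Finance-20140401.json' -NewFile 'C:\AclInventory\Finance-20140402.json' |
#     Format-Table -AutoSize
# Restore-AclFromInventory -Path 'E:\Shares\Finance\Budget.xlsx' -InventoryFile 'C:\AclInventory\Finance-20140401.json'
```

Two caveats match the paper’s own warnings. A diff of snapshots shows what changed between two points in time, not who changed it or when within the interval; for that you still need the 4670 audit events. And because SDDL records the ACE principals, not the users behind them, a user who gained access through a group membership change leaves no trace here; to answer “who had access in the past” you must snapshot group memberships (for example `Get-ADGroupMember -Recursive` output) alongside the ACLs. SIDs in a diff can be turned back into names with `(New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-...').Translate([System.Security.Principal.NTAccount])`.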

