In-Depth
Fixing the "Everyone" Problem in Windows Server
How to take control of default group access permissions settings for Windows Server.
By Wendy Yale, Senior Director Worldwide Marketing, Varonis
Data is at the core of every business. It must be created, stored, and shared at a rapid clip to keep pace with customers and competitors. In fact, Gartner estimates that the volume of "unstructured" data (such as documents, spreadsheets, presentations, and images) in an organization doubles approximately every three months. There's so much of this unstructured information that it accounts for more than 80 percent of all enterprise data in most organizations.
Even with regulations, industry best practices, and the best of intentions, it seems nearly impossible to keep track of who has -- and needs -- access to all of this information and who doesn't. As news articles continue to remind us, the unfortunate truth is that employees, contractors, and consultants don't always do the right thing with their access privileges.
Although most IT organizations grant access readily, many revoke it infrequently. This situation is not so much an oversight or the sign of a lax IT organization -- it is just that the technology to solve this problem in a practical, manageable way did not exist until recently.
There are many ways this situation comes to pass, but built right into the operating system is a contributing factor that nearly every Windows Server Administrator knows about. Yet although they know about it and there's nothing they did to cause it, they cannot easily fix it with conventional tools and techniques. We're talking about folder permissions for the "Everyone" group on Windows file systems.
How the "Everyone" Problem Arises
Despite all of the expertise and technology safeguards in place, major risks to unstructured data on shared file systems are still possible. When administrators set up file systems or shared drives, they leave some of the folders on those file shares open for data owners to define access permissions. Unfortunately, not all data owners take ownership of this responsibility, leaving critical information vulnerable to outside threats.
Other folders administrators lock down by assigning access permissions only to certain groups. However, over time, even the locked-down folders become open. That's because Windows Server is designed to facilitate access.
When a new folder is created, the Microsoft Windows default is to assign the "Everyone" group access permission to this folder, meaning that the folder is wide open to all users in the organization. That is not a problem as long as the folder creator goes back and reassigns the permissions, or if an administrator becomes aware of the new folder in time and restricts access permissions. Unfortunately, that's not practical given the pace of information creation and the dynamic nature of projects and teams in most organizations. As a result, chances are very good that administrators won't know about this new folder. Because they are not Windows experts, the users who create these folders know nothing about the "Everyone" group.
The Real Issue
The result of "Everyone" access is that over time, sensitive, business-critical data -- including intellectual property, client information, or other sensitive details -- makes its way into other folders just like this one, where now even more members inside and outside a specific department can access it.
The challenge now is to clean up or get rid of the "Everyone" problem. Until recently, there were only three options available to administrators.
- Remove the "Everyone" group from the folders and wait for calls from upset users to pour in as they try to access the data they need. At least that will tell you who within "Everyone" is accessing the data.
- Turn on Windows Server Auditing (which Microsoft warns against because of the performance impact) and comb through reams of logs to find out who is accessing the data.
- The unspoken option: Do nothing and hope that access proceeds without incident.
The first two options are not realistic. There would be business disruptions with either choice, not to mention weeks or months of work that no one has planned for, let alone asked administrators to perform. Of course, option three is not viable either because sooner or later something is bound to happen, especially in an environment where securities and financial data is potentially at risk. Plus, when it comes to audit time, this will all be highlighted. So what's left?
Taking Control
IT administrators and business owners can take control of the "Everyone" access problem by evaluating the right solutions to meet their needs. Here are tips on where to begin and what to look for.
- To start, companies must focus on finding a way to automate the manual process of granting permissions access by finding a solution that fits within existing business processes.
- Key capabilities to look for are solutions that provide a simple way to see the all the folders that have "Everyone" group access permissions as well as the names of all users accessing these folders.
- From there, business owners and IT administrators need to be able to quickly and easily reassign permissions to only the people who need access without disrupting that business.
- Look for capabilities such as modeling permissions changes. Examining "what if" implications of reassignment come in handy to ensure that any changes you make will be seamless to all users involved.
- Once you're able to fix the "Everyone" access problem, your investment should also put you in a position to keep your environment clean and organized each day forward.
While "Everyone" group access is a pervasive problem, it's no longer an impossible one to solve. Fortunately enterprises have access to the tools they need to be proactive in managing access privileges. By taking a proactive approach, IT administrators and business owners will have peace of mind knowing that only the right people have the right access to the right information. That kind of security is priceless.
Wendy Yale leads marketing and brand development for global growth efforts at Varonis. She is a veteran brand strategist with 16 years of marketing experience. Prior to Varonis, Wendy managed the global integrated marketing communications team at Symantec. She has developed projects for organizations such as the University of Hawaii at Manoa, Film and Video Magazine, amd Aloha Airlines. Wendy has held senior posts at DMEC and ReplayTV and holds a B.A. degree in Geography from Cal State Northridge. You can contact the author at wendy@varonis.com.