Managing Microsoft Account and File Systems Access Controls
In order to truly protect a company’s’ data, a multi-layered security approach using access controls must be developed and utilized keeping in mind that data has two states that has to be protected equally; data at rest (DAR) and data in motion (DIM). When securing DAR on a file system whole disk encryption is an essential first step followed by physical security (backups included) and the necessary access controls such as mandatory access controls (MAC), discretionary access controls (DAC), and/or role-based access controls (RBAC).
For securing data that travels through the network or through the internet (in transit) known as DIM, standard network security such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and firewalls should definitely be implemented. To further layer the security in DIM, encrypting data including emails using ...view middle of the document...
Using Active Directory in the MS server environment is ideal because a company could easily manage these ACLs that define access for a particular user, group, or system. Within the ACL there are a collection of access control entities (ACE), the three main types are access-denied, access-allowed, and system audit. A discretionary access control list (DACL) could also be used to control access to specific objects either explicitly or implicitly and checks the ACE to identify which access should be given.
System administrators could also implement system access control list (SACL) for auditing rules on recording successful and failed login attempts, determining what is to be audited, and where to store it. Access controls could also be implemented for applications as well through the operating system and/or internally to the application. A company could assign an application its own user ID and create directories where an administrator could then properly grant or deny application rights.
In the Microsoft Windows workstation and server environments, file-based access controls are highly granular and an administrator could easily control objects by using both the basic and advanced rights for users and groups. Basic rights in MS include full control, read and execute, read, write, modify, and list folder contents. Advanced rights are better utilized through the MS workstations that include full control, traverse folder/execute file, read attributes and read extended attributes, write attributes and extended attributes, create files/write data, create folders/append data, delete, read permissions, change permissions, or take ownership. Advanced rights may also be granted to organizational units (OUs) that provide far more different options for administrators to organize and assign rights and users.
There are also special rights such as domain administrator for full control over all the computers in the domain, and the super administrator which is built in secret account that has full rights on the local system that can also take ownership of all the objects if necessary. These security approaches to a company’s file systems and data will provide the multi-layered security necessary to protect its critical data.