Page 44 - Cyber Warnings
However, the hardest part of reporting on groups is obtaining the recursive membership: the
users who belong to groups nested inside the main group, and who must be reported as well
because nesting gives them exactly the same access as direct members.
Plenty of reporting tools can enumerate group membership recursively, though. Microsoft's
PowerShell (the ActiveDirectory module) and ADManager Plus by ManageEngine are two options.
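The PowerShell route, as an added example that is not code from the article or from either vendor: the built-in `-Recursive` switch gives a flat list, and a small recursive function adds the nesting path and guards against circular nesting (group A containing B containing A), which would otherwise loop forever. It assumes the RSAT ActiveDirectory module is installed; the group name `Domain Admins` is only an illustration.

```powershell
# Added example: flatten nested group membership with the path to each member
# and protection against circular nesting. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase),
        [string] $Path = ''
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    # HashSet.Add returns $false when this DN was already walked: a nesting loop.
    if (-not $Visited.Add($g.DistinguishedName)) { return }
    $here = if ($Path) { "$Path > $($g.Name)" } else { $g.Name }

    foreach ($dn in $g.member) {
        $m = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($m.objectClass -eq 'group') {
            Get-NestedGroupMember -Group $m.DistinguishedName -Visited $Visited -Path $here
        } else {
            # Users, computers, foreign security principals: report where they came from.
            [pscustomobject]@{ Member = $m.sAMAccountName; Type = $m.objectClass; Via = $here }
        }
    }
}

# Built-in flat view: follows nesting, but does not show which nested group granted the membership.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass

# Report with the nesting path, so a reviewer can see where each member's access comes from.
Get-NestedGroupMember -Group 'Domain Admins' | Sort-Object Member, Via | Format-Table -AutoSize
```

A user who appears several times with different `Via` paths is the case the article warns about: removing one direct membership does not remove the access if a nested path still exists.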
User Rights
User rights (User Rights Assignment) grant system-wide privileges on a domain controller, server
or workstation, such as who may log on locally, back up files and directories, or debug programs.
They are configured through Group Policy (or the local security policy), which allows each computer
to be controlled individually. As a result, each computer can have a unique set of user rights,
which makes reporting on and configuring these settings difficult and time consuming.
Windows ships with a built-in tool, secpol.msc (Local Security Policy), which shows the user
rights in effect on that computer, including what Group Policy has applied. It must be run locally
and is a graphical tool, but it is extremely powerful and shows the precise configuration. For
reporting across many machines, the same settings can be exported to a text file with
secedit /export and parsed from there.
Since each user right grants some level of privilege over the computer, every right should be
evaluated and assigned only to the principals that the computer's role actually requires. Rights
such as Debug programs or Back up files and directories are effectively administrative access
and deserve particular scrutiny.
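How the export-and-parse approach looks in practice, as an added example that is not from the article: `secedit /export` writes the local policy to an .inf file whose `[Privilege Rights]` section lists each right with the SIDs that hold it; the script below resolves the SIDs to account names and flags the rights that amount to administrative control. Run it elevated. The output path and the list of "sensitive" rights are this example's choices, not something the article specifies.

```powershell
# Added example: export User Rights Assignment with secedit and resolve the SIDs.
# The sensitive-rights list is this example's choice; adjust it to your baseline.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$sensitive = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
             'SeAssignPrimaryTokenPrivilege', 'SeCreateTokenPrivilege', 'SeEnableDelegationPrivilege'

function Resolve-Sid ([string] $Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier] $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        # Not a SID, or an orphaned SID: a deleted principal that still holds the right.
        $Sid
    }
}

$inPrivileges = $false
$report = foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inPrivileges = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inPrivileges -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    # Entries look like "*S-1-5-32-544,*S-1-5-32-551": strip the leading '*' and resolve each.
    $holders = $Matches[2] -split ',' | Where-Object { $_.Trim() } |
               ForEach-Object { Resolve-Sid $_.Trim().TrimStart('*') }
    [pscustomobject]@{
        Right      = $right
        Sensitive  = $right -in $sensitive
        AssignedTo = $holders -join '; '
    }
}

$report | Sort-Object Sensitive -Descending, Right | Format-Table -AutoSize
```

Running this on each server and diffing the results against a known-good baseline is the quickest way to find the one-off computers the paragraph above describes; unresolved SIDs in `AssignedTo` are worth cleaning up, since they can be reclaimed if the SID is ever reused.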
Access Control Lists
Controlling access to files and folders is essential for assuring the security of data within any
organization. You need to properly configure the access control lists for your key data and
ensure that they only provide access to the appropriate people. The wrong privileges granted to
a file or folder could severely hurt, or even destroy, a company.
Reporting on who has access to a file or folder is a monumental task, due to the volume of files
and folders on a typical network. Therefore, selection of the most important data must occur,
and then those selected files and folders can be the focus of the security hardening.
There are many tools that can help report on data access control lists, but if you do not want to
purchase one, you can use icacls.exe, which is built into current Windows versions, or Get-Acl in
PowerShell; the older xcacls.exe came with the Windows Resource Kit rather than with Windows itself.
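A reporting script over the selected key folders, as an added example that is not from the article: it walks each folder tree with Get-Acl, records every Allow entry, and flags two things a reviewer cares about, broad principals (Everyone, Authenticated Users, Users, Domain Users) holding write-level rights, and explicit (non-inherited) entries that break the inherited model. The folder list and the definition of "broad" are this example's assumptions.

```powershell
# Added example: report who has access to key folders and flag broad write access.
# $keyPaths and the $broad list are constructed for the example; substitute your own.
$keyPaths = 'D:\Finance', 'D:\HR'
$broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
             $fsr::TakeOwnership -bor $fsr::ChangePermissions

$findings = foreach ($root in $keyPaths) {
    $items = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -Directory -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $principal = $ace.IdentityReference.Value
            $isBroad   = ($principal -in $broad) -or ($principal -like '*\Domain Users')
            # -band works on generic-right ACEs too, which show up as raw integers.
            $canWrite  = ([int] $ace.FileSystemRights -band [int] $writeMask) -ne 0
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $principal
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
                Flag      = if ($isBroad -and $canWrite) { 'BROAD-WRITE' }
                            elseif (-not $ace.IsInherited) { 'EXPLICIT' }
                            else { '' }
            }
        }
    }
}

$findings | Where-Object Flag | Sort-Object Flag, Path | Format-Table -AutoSize
$findings | Export-Csv -Path (Join-Path $env:TEMP 'acl-report.csv') -NoTypeInformation
```

The `Owner` column matters as much as the entries: an owner can always change permissions on the object, whatever the ACL says. For a quick raw dump of the same information from a command prompt, `icacls D:\Finance /t` lists every entry under the tree.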
Delegation
Delegation is an application of access control lists, but the term is specific to Active Directory
and Group Policy management: it means granting a non-administrator the permissions on an OU,
container or GPO needed for a particular task, such as resetting passwords or joining computers.
Because Active Directory permissions are complex (they can apply per attribute, per object class
and per extended right), delegation is typically configured through the Delegation of Control
Wizard in Active Directory Users and Computers. The wizard only grants permissions; it cannot
show or remove existing delegations, so reporting on them means reading the OU's ACL (the
Security tab under Advanced, or Get-Acl against the AD: drive in PowerShell).
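Reporting on delegation with PowerShell, as an added example that is not from the article: it reads the explicit (non-inherited) entries on every OU, which is where the wizard writes, and resolves the object-type GUIDs through the schema and the Extended-Rights container so that an entry on, say, the Reset Password control access right is readable. It assumes the ActiveDirectory module (which provides the AD: drive); the list of default trustees filtered out is this example's choice.

```powershell
# Added example: list delegations set on each OU, with GUIDs resolved to names.
# Assumes the ActiveDirectory module; the default-trustee filter is this example's choice.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# GUID -> name map: schema objects (attributes and classes) plus extended rights.
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid] $_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid] $_.rightsGuid] = $_.displayName }

function Resolve-Guid ([guid] $Id) {
    if ($Id -eq [guid]::Empty)          { 'All' }            # ACE applies to the whole object
    elseif ($guidName.ContainsKey($Id)) { $guidName[$Id] }
    else                                { $Id.ToString() }   # unknown: leave the raw GUID
}

# Explicit ACEs that every OU carries by default; genuine delegations are the rest.
$defaults = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Inherited entries come from parent containers or the domain head, not from
        # a delegation made on this OU.
        if ($ace.IsInherited) { continue }
        $trustee = $ace.IdentityReference.Value
        if ($trustee -in $defaults -or $trustee -like '*\Domain Admins' -or
            $trustee -like '*\Enterprise Admins') { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Trustee   = $trustee
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = Resolve-Guid $ace.ObjectType           # attribute or extended right
            OnObjects = Resolve-Guid $ace.InheritedObjectType  # object class it flows down to
        }
    }
}

$report | Sort-Object OU, Trustee | Format-Table -AutoSize
```

An entry such as `Trustee = CONTOSO\HelpDesk, Rights = ExtendedRight, AppliesTo = Reset Password, OnObjects = user` is what the wizard's "Reset user passwords" task produces; anything with `GenericAll` or `WriteDacl` on an OU that holds privileged accounts is a finding, since it is a path to taking over those accounts.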
44 Cyber Warnings E-Magazine – February 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide