No announcement yet.

Need advice in securing an unorganized legacy file system. Hurray!

  • Filter
  • Time
  • Show
Clear All
new posts

  • Need advice in securing an unorganized legacy file system. Hurray!

    Hello everyone! New to the forum, but I have been a lurker for some time.

    I am a new administrator over a legacy network which has a file system that is almost two decades old. My main focus right now is the security of the file system. Right now there are no established discretionary access control lists; any user logging into the network (including from our VPN) has full control of any file they choose. Needless to say, this is NOT cool, and it is an issue that I have placed at the top of my list.

    My first step was using a PowerShell string to gather a list of all of the user accounts that have not been in use for over 120 days. There were around 200 users on the system, many of which are contractors for the company who only use the Exchange OWA for e-mail, and only 15-20 of which are active users on the file system. I went through and disabled the ones that were inactive and that I knew were not associated with an Exchange mailbox. Well, of course one person called up the next day upset she could not access her required files from so-and-so's old e-mail account, so I agreed to turn it back on as long as we change the old password.

    I split everyone in AD up first by branch location and then department OUs, and now it is time to institute groups and access controls. Unfortunately, being that the users have had full range of the file system, many users are constantly accessing documents from multiple scattered locations. No rhyme or reason, just important files scattered everywhere -- primarily within the Users folder under various old employee folders. I initially set up an object audit policy to monitor the user access to the entire main drive, but I realized that this method would generate a horrifically unmanageable and cluttered event log rather quickly so I reversed it.
    Is there any simplified, manageable solution to finding out which directories each user requires access to over the course of a week? There just has to be a way to do this while avoiding a complete nightmare. I would much rather have a general understanding of the folders they need for their jobs rather than riding a help desk with my angry new friends for over a week after I guesstimate the new privileges.

    Any advice is greatly appreciated, and I thank you for your time and wisdom!
    Last edited by JRH311; 10th October 2015, 20:30.

  • #2
    FWIW, I have encountered similar and set up the following:
    New empty area - organised by department with permissions set up
    Quick training session on importance of security and proper organisation
    Old area set (advanced permissions) to read and delete only. That forces users to save into the new area.
    Make sure you get management approval before you implement this as you WILL p**s users off badly.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Ditto! Management buy-in on changes like this will be absolutely crucial to be able to enforce anything you try to employ. But the users will STILL be p**s-d off.
      MSCA (2003/XP), Security+, CCNA

      ** Remember: credit where credit is due, and reputation points as appropriate **