I recently spoke with an IT administrator who had started a manual open share cleanup project: finding and locking down folders and SharePoint sites open to global access groups like Everyone, Domain Users and Authenticated Users. After removing the Everyone group from several folders, they began to receive help desk calls from people who had been actively accessing data through those global access groups prior to their removal, and who were now unable to perform their daily activities because they had lost access. This went on for two weeks or so. Each time someone called, they had to apologize for the disruption and quickly add that user to a group on the folder’s ACL.
According to the administrator, the manual process took about 6 hours per folder. With the number of folders they had found, this would mean about 3 months of work for 4 people, quite a time-consuming effort. How were they going about fixing these manually? Here is a rough outline of the steps they used:
- Identify folders open to the global access groups, like Everyone, Authenticated Users, Domain Users, and Users
- Turn on object access success auditing for those folders (a SACL entry on the folder plus the File System audit subcategory, which produces event ID 4663 for each access) and collect as much audit data as the server could stand
- Analyze the audit activity to try to create a list of users that access these folders
- Determine the users that have no way to access those folders other than the global access group you’re trying to remove
- Add the users identified in the previous step to a group that is already on the folder’s ACL, or create a new group, add the users to it and grant it access on the ACL (assuming those users are supposed to have access)
- Remove the global access group
- Wait by the phone
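The following PowerShell is an added example scaffolding those six steps for one NTFS share; it is not code from the original post or from the administrator described above. It assumes the share lives under `D:\Shares\Finance`, that the server's "File System" audit subcategory is enabled with `auditpol`, that the ActiveDirectory module is installed, and that the account running it can read ACLs, the Security log and AD. The path, the group list and the new group name are placeholders. Nested group membership is resolved with the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941); local groups and share-level permissions are not resolved, which is one reason the manual approach stays error-prone.

```powershell
# Added example (not from the original post). Assumptions: NTFS share under $Root,
# "File System" success auditing enabled via auditpol, ActiveDirectory module present,
# and sufficient rights to read ACLs, the Security log and AD. Names are placeholders.
Import-Module ActiveDirectory

$Root         = 'D:\Shares\Finance'                       # assumption: share to review
$GlobalGroups = @('Everyone',
                  'NT AUTHORITY\Authenticated Users',
                  'BUILTIN\Users',
                  "$env:USERDOMAIN\Domain Users")

# Step 1: folders whose DACL contains an Allow entry for a global access group.
function Find-OpenFolders {
    param([string]$Path, [string[]]$Groups)
    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $open = (Get-Acl -Path $_.FullName).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and $Groups -contains $_.IdentityReference.Value
            }
            if ($open) {
                [pscustomobject]@{ Folder = $_.FullName
                                   OpenTo = ($open.IdentityReference.Value | Sort-Object -Unique) -join ';' }
            }
        }
}

# Step 2: add a Success audit entry (SACL) so reads and writes generate event 4663.
# Also required once per server: auditpol /set /subcategory:"File System" /success:enable
function Enable-FolderAudit {
    param([string]$Folder)
    $acl  = Get-Acl -Path $Folder -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData,WriteData,AppendData,Delete',
        'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Step 3: distinct accounts that opened anything under the folder, from event 4663.
function Get-FolderAccessors {
    param([string]$Folder, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectName -eq $Folder -or $data.ObjectName -like "$Folder\*") {
                "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }
        } | Sort-Object -Unique
}

# Step 4: which of those accounts have no Allow entry on the folder other than a
# global group? Group membership (including nesting) comes from AD via LDAP_MATCHING_RULE_IN_CHAIN.
function Get-DependentUsers {
    param([string]$Folder, [string[]]$Users, [string[]]$Groups)
    $otherAllows = (Get-Acl -Path $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $Groups -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value }
    foreach ($u in $Users) {
        $sam  = $u.Split('\')[-1]
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        if (-not $user) { continue }                        # machine or system account, not a user
        $principals = @($u) + @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
                                ForEach-Object { "$env:USERDOMAIN\$($_.SamAccountName)" })
        if (-not ($principals | Where-Object { $otherAllows -contains $_ })) { $u }
    }
}

# Steps 5 and 6: put the dependent users in a dedicated group, grant it, then remove the global entries.
function Close-OpenFolder {
    param([string]$Folder, [string[]]$Groups, [string]$NewGroup)
    $accessors = Get-FolderAccessors -Folder $Folder -Since (Get-Date).AddDays(-30)
    $dependent = Get-DependentUsers  -Folder $Folder -Users $accessors -Groups $Groups
    if (-not (Get-ADGroup -Filter "Name -eq '$NewGroup'")) {
        New-ADGroup -Name $NewGroup -GroupScope DomainLocal -GroupCategory Security
    }
    foreach ($u in $dependent) { Add-ADGroupMember -Identity $NewGroup -Members $u.Split('\')[-1] }
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $true)              # break inheritance, keep copies, so the removal sticks
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\$NewGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    foreach ($ace in @($acl.Access | Where-Object { $Groups -contains $_.IdentityReference.Value })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    Set-Acl -Path $Folder -AclObject $acl
}

# Usage: list the open folders first; enable auditing, wait, then close them one at a time.
Find-OpenFolders -Path $Root -Groups $GlobalGroups | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the audit window has to be long enough to catch monthly and quarterly workflows, which is exactly where the "wait by the phone" calls come from, and because step 6 breaks inheritance on the folder, anything below it that relied on an inherited global entry changes at the same moment.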
Despite their painstaking process, the voluminous audit logs and the complexity of their permissions made it impossible to remove global access groups without disrupting their users’ workflow. That’s a lot of effort to go through to end up with unhappy users. This is one example, but IT often finds itself in this dilemma when trying to fix open shares: leave the data exposed and run the risk of data theft, loss, or misuse, or lock the folders down and risk productivity should a user or users be cut off from data they need.
In a future post we’ll talk about how to clean up open shares using the simulation capabilities available with a metadata framework.
David Gibson has more than 20 years of technology and marketing experience. He frequently speaks about cybersecurity and technology best practices at industry conferences, and has been quoted in The New York Times, USA Today, The Washington Post and numerous security news sources.