Permission propagation is when you set permissions – also called Access Control Lists (ACL) – on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree.
Because of permissions propagation, you expect that all folders in the same folder tree have the same ACLs. Permissions propagation secures your data by limiting access to the users specified in the top folder. Propagation also means that you believe all the permissions in the folder tree are the same, but there are cases where that is not true.
We are going to look into permissions propagation to understand what kind of problems you could encounter, and how those problems could compromise your data security strategies.
What is Permission Propagation?
Permissions propagation is the process whereby permissions from a higher level node in a folder tree are copied to a child node further down in that same folder tree.
For example: The user has Read access to Folder A. Folder B is a child folder of Folder A. Therefore, User has Read access to Folder B.
Permissions propagation also works for new folders. If someone creates Folder C as a child of either Folder A or B, User has Read access to Folder C.
Inheritance is another term for permissions propagation.
In the above example, we can also say Folder B is inheriting permissions from Folder A.
Problems arise when you assume folders are inheriting permissions but aren’t. That could mean a huge security issue.
What are Broken Permissions?
When a folder no longer inherits permissions from its parent so that ACLs on the parent and child differ, we say that the permissions are broken or unique.
Take this example: Folder D is the parent and Folder E is the child. Folder E inherits permissions from Folder D. The ACL for Folder D grants access to Group.
The ACL for Folder E inherited the Group entry, but it also contains a User entry. So Folder E does not match Folder D’s permissions. In Varonis terms, we call Folder E “Unique.” Unique means that someone added User to the ACL for Folder E, so it doesn’t match the parent exactly, but all the inherited permissions are still intact.
Broken inheritance happens when the child folder is missing permissions from the parent. Usually, you get broken inheritance from a script that overwrites ACLs and removes permissions that the child inherited from the parent.
Most Varonis customers discover broken permissions during the Risk Assessment. In fact, 58% of the companies in the 2019 Varonis Data Risk Report had over 1,000 folders with inconsistent permissions. Broken permissions are a common data security issue and one that is quite difficult to resolve. The security issue is that you expect access to the data to be limited, but broken inheritance means that additional users have access to data they shouldn’t have access to.
3 Types of Inheritance
In general, a Windows folder can be in one of three inheritance states:
- Simple Inheritance: a child’s ACL is the same as the parent ACL.
- Unique Permissions: a child is inheriting from the parent, but the child has additional permissions applied directly. Changes to the parent will affect the child.
- Protected Permissions: a child folder does not inherit permissions from the parent. Changes to the parent do not affect the child.
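The three states above map directly onto what Windows reports through the folder's security descriptor: a protected DACL (`AreAccessRulesProtected`) is the Protected state, and any access entry that is not marked `IsInherited` on a folder that still inherits is what makes it Unique. The script below is an added example, not part of the original article, that walks a tree and classifies every folder so you can find the Protected and Unique ones before they surprise you; the `$Root` path is a placeholder for the share you want to audit.

```powershell
# Added example (not from the article): audit a folder tree and label each folder
# Simple, Unique or Protected, as defined above. $Root is a placeholder path.
param([string]$Root = 'D:\Shares\Finance')

function Get-InheritanceState {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Folders you cannot read are a finding in themselves: record them, keep going
        return [pscustomobject]@{ Path = $Path; State = 'AccessDenied'; ExplicitACEs = 0; ExplicitIdentities = '' }
    }
    # Explicit ACEs are the entries that did not flow down from the parent
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    if ($acl.AreAccessRulesProtected) {
        $state = 'Protected'   # inheritance disabled: changes to the parent stop here
    } elseif ($explicit.Count -gt 0) {
        $state = 'Unique'      # still inherits, but someone added entries directly
    } else {
        $state = 'Simple'      # ACL is exactly what the parent propagates
    }
    [pscustomobject]@{
        Path               = $Path
        State              = $state
        ExplicitACEs       = $explicit.Count
        ExplicitIdentities = ($explicit | ForEach-Object { $_.IdentityReference.Value } |
                              Sort-Object -Unique) -join ';'
    }
}

$results = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-InheritanceState -Path $_.FullName }

# Summary by state, then the folders that deviate from the parent for follow-up
$results | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$results | Where-Object { $_.State -ne 'Simple' } | Sort-Object State, Path |
    Export-Csv -LiteralPath (Join-Path $env:TEMP 'inheritance-audit.csv') -NoTypeInformation
```

The top folder of a role-based tree is expected to show as Protected (that is the point of disabling inheritance there), so the entries worth chasing are Protected or Unique folders deeper in the tree whose explicit identities you cannot account for.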
How to Fix Broken Permissions
Fixing broken inheritance is simple. All you have to do is open the permissions settings for the broken folder and remove or add the permissions to make the ACL match the parent. If you want to change permissions for the entire folder tree, change the ACLs on the top node. The permissions will propagate down to all children of the parent.
*Note: you still have to change the folders with broken inheritance manually when you change permissions at the top level.*
Now repeat that process for every folder in your network that has incorrect or missing permissions.
I think I just heard the collective groan from both of my readers.
Fixing broken inheritance is a time-consuming and tedious process under the optimal conditions, and the default tools in Windows don’t make it any simpler. You could script it, but in our experience, scripts can have errors, and even if perfectly written, it still takes a long time to change folder permissions on a large scale. And there is no rollback in case things go sideways — unless you are really, really good at PowerShell.
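If you do script the repair described above, the one thing to build in first is the rollback the paragraph warns is missing. The following is an added example, not code from the article: it saves the folder's current security descriptor as SDDL, then makes the child match its parent by dropping the explicit entries and turning inheritance back on. `$Folder` and `$BackupDir` are placeholder paths.

```powershell
# Added example (not from the article): repair one folder's broken inheritance with a
# saved copy of the old ACL so the change can be undone. Paths are placeholders.
param(
    [string]$Folder    = 'D:\Shares\Finance\Reports',
    [string]$BackupDir = 'C:\AclBackups'
)

function Backup-FolderAcl {
    param([string]$Path, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # SDDL is the complete textual form of the security descriptor; keep it for rollback
    $sddl = (Get-Acl -LiteralPath $Path).Sddl
    $name = '{0}-{1}.sddl' -f ($Path -replace '[:\\]', '_'), (Get-Date -Format 'yyyyMMdd-HHmmss')
    $file = Join-Path $Dir $name
    Set-Content -LiteralPath $file -Value $sddl
    return $file
}

function Restore-FolderAcl {
    param([string]$Path, [string]$SddlFile)
    $acl = Get-Acl -LiteralPath $Path
    # Restore only the DACL section, so owner and group are left untouched
    $acl.SetSecurityDescriptorSddlForm((Get-Content -LiteralPath $SddlFile -Raw).Trim(),
        [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Repair-FolderInheritance {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Drop every explicit (non-inherited) entry; on a protected folder that is all of them
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    # isProtected=$false re-enables inheritance; Windows re-applies the parent's
    # inheritable entries when the descriptor is written
    $acl.SetAccessRuleProtection($false, $false)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$backup = Backup-FolderAcl -Path $Folder -Dir $BackupDir
Write-Host "ACL saved to $backup; to roll back: Restore-FolderAcl -Path '$Folder' -SddlFile '$backup'"
Repair-FolderInheritance -Path $Folder
```

Run it against the audit output one folder at a time rather than the whole tree, because removing an explicit entry on a Unique folder also removes it from every child that was inheriting it.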
Your best bet is to use an automated system that has advanced knowledge of the folder and permissions structure and analyzes user behavior to determine which users access which data, and therefore which users should remain in the ACL for each folder.
Principle of Least Privilege vs. Permission Propagation
The goal for any permissions update project should be least privilege access, where users only have the permissions for data they need to do their job.
Permissions propagation can quickly undo the work you have done to move to least privilege. All someone has to do is add the Everyone group to a top node with inheritance on, which ruins all of your work.
The best way to maintain least privilege access and still take advantage of permissions propagation to ease administration is to follow the best practices laid out below.
Permission Propagation Best Practices
- Establish role-based access control, so that your Finance team, for example, is one group with the single set of permissions they need for their job.
- Empower data owners to consistently manage their group members and folder permissions.
- Enable natural inheritance from role-based, least privileged folders. For example, set up a Finance folder, grant the Finance group access, and allow inheritance to sub-folders in the Finance tree. This way, the Finance team can organize their data into different folders, and the data owners manage the permissions. The Finance data stays in the purview of the Finance team, which limits exposure to data theft from insiders and outside attackers.
- Disable inheritance from the root node of the drive to protect the role-based folders.
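Putting the last three practices together in PowerShell looks like the added example below (not code from the article): the Finance folder stops inheriting from the drive root, a single role group gets an entry flagged to propagate to every sub-folder and file, and nothing else is on the ACL except the administrators' entry. The share path and group names are placeholders for your environment.

```powershell
# Added example (not from the article): create a role-based folder that does not
# inherit from the drive root and whose ACL propagates down the tree.
# Folder and group names are placeholders.
param(
    [string]$Folder     = 'D:\Shares\Finance',
    [string]$RoleGroup  = 'CORP\FinanceUsers',
    [string]$AdminGroup = 'BUILTIN\Administrators'
)

function New-RoleBasedFolder {
    param([string]$Path, [string]$Group, [string]$Admins)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance from the root and discard the inherited copies (for example an
    # Everyone or Users entry), so the tree starts from a clean, role-based ACL
    $acl.SetAccessRuleProtection($true, $false)
    # ContainerInherit + ObjectInherit: the entry flows to every sub-folder and file
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $entries = @(
        @{ Id = $Group;  Rights = 'Modify' },       # the role group: read/write, no ACL changes
        @{ Id = $Admins; Rights = 'FullControl' }   # administrators keep control of the tree
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $e.Id, $e.Rights, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Show the resulting ACL so the two entries and their inheritance flags can be verified
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags
}

New-RoleBasedFolder -Path $Folder -Group $RoleGroup -Admins $AdminGroup
```

Because the role group gets Modify rather than FullControl, Finance users can organize their data into sub-folders without being able to edit the ACLs themselves; that stays with the data owner and administrators.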
Managing permissions is a major part of your cybersecurity strategy. When they are not understood, permissions propagation and broken inheritance will introduce the risk of data theft in places you did not anticipate. Varonis illuminates permissions issues and helps you fix them so you can move to a least privilege access position.