Best practice : Filer management

windows server

Filer management is a sensitive activity due to the following reasons

  • File servers datas are critical for the business
  • File servers are used by the applications

One critical point is also related to the security management (in order to ensures that data are well protected avoiding rogues access). The security is also part of the disponibility of the service.

serveurs eb datacenter

Share Naming

The share name should be keep as short as possible without spaces on it and match with the name of the folder on the disk. Of course in case of hidden folder you will need to complete share name with “$”.

One folder = one share, do not share again (even under the share).

For applicative shares the name should allow the identification easyly with :

  1. Name of the application (by using the CASEWISE code)
  2. Environment  Datas should be segregated across shares for instance one share for Production and another one for preproduction.
  3. In order to enhance the lisibility separate fields with _ for instance.

Applicative shares must contain only applicative datas (no mix with corp / group datas or end users datas)

 

Share Usage

The usage of a share must be clearly defined with the client. Usage, purpose… In case of shares for application it’s recommended to ensure:

  • The structure of data
    • Folder tree depth
    • Number of files (hundreds, thousands, millions)
    • Number of simultaneous connections
  • Change/ update frequency

homme sur ordinateur avec mot securité

Security and ACL management

The use of built-in groups is prohibited for granting access to users

  • No Everyone
  • No Authenticated Users
  • No Anonymous
  • No Domain Users (or default Server\Users group)

 

If you need to grant access to a large set of users by using these groups please refer to your local compliance officer.

Active Directory Groups must be created for each share (no reuse of groups across multiple shares) and the share name must be visible in the group name. Never use server local groups to grant access to a share (always domain local or universal groups)

The group name must reflect the rights on the share (the group name should ends with _R for Read , _RW for Read/Write, _L for list only).

Note that giving access with Full Control is not allowed to end users. Full control is only permitted to Administrators.

Do not configure permissions at this level; Only NTFS rights must be used.

Never grant access directly to a user (Except for home-directories).

Share management recommendations

When a share is created it’s important to identify the stakeholders that are reliable in the time.

  • For an application identify the owner
  • For a data share the business line associated

This will help to identify the validator for granting access and the contact in case of operation over the share.

In case of reorganization in a department the best practice is to try to recreate a new folder structure with appropriate rights:

  • Preventing unwanted access
  • Ensures that only validated users can access to the data
  • Fit with the business needs

 

Even if this could be heavy it’s the best way to avoid historical problems if an audit occurs.

When providing a share resource the best practice is to challenge the requester regarding the size.

Quotas must be configured for all shares, according to business needs, if no quota is configured takes the actual size and set a quota at 20% more.

When possible, try to configure an alert by E-Mail to the owner if the quota (85% for example) in order to be proactive and avoid a blocking saturation. The monitoring of disks saturation should be realized on a regular basis (follow of disks usages and quotas occupation). Even if it’s possible to overprovision quotas it should be done with caution.

ADCS PKI microsoft cluster qorum windows

Filers infrastructure disponibility and security

The file server infrastructure that hosts the shared folders in production, whatever the solution, must meet the following requirements:

  • DR compliant with a RTO at 4hrs MAX and a RPO at 30mins MAX.
  • Security Patch management must be realized at least on a Quarter basis.

Backups are mandatory and the strategy must be shared with the client in order to avoid misunderstood (especially regarding the recovery time in case of issue). Try to limit the size of disks / volumes in order to prevent a too large downtime in case of scandisk or partition corruption (less than 2 TB per drives for Windows 2008R2 and up to 4TB per drives with Windows 2012R2 thanks to chkdsk online improvments).

Regular IRVS scans must be realized in order to identify potentials vulnerability.

Whatever the solution retained to host the files servers it must provide an antivirus solution in order to protect the resources against virus.

As part of the best practices it’s important to segregate administration in order to ensure that peoples who are performing administration tasks only have the proper level of rights over the system (no need to be full administrator to create a share, change a quota or modifying permissions). Always keep in mind the less privilege principle.

All request to access to a file share must be traced, at least through a ticketing tool (such as service center or equivalent solution) or by using GRANT. For each request a validation of the owner of the data or the requester manager is necessary.

A process to automate GRANT workflow in order to have a fully automated process (up to the user account addition / removal in the resource group) with consistency checks between the declared access in GRANT and the group membership (with dynamic correction).

The solution providing file server’s services must provide audits in order to retrieve who have make changes over a folder. Standardized VARONIS Datadvantage for this purpose. This solution allow administrator to track users activity for compliance needs but also help administrators to identify old data’s (never accessed since 18 month for instance) for archiving purposes.

A review of all shares to prevent unwanted access is mandatory. The aim of this review is to ensure that no open ACL are configured (Everyone, Authenticated users, Domain users…).

Laisser un commentaire