File Share Permissions - WST

During our IT audits, we consistently find file shares containing sensitive information with poor access restrictions. Most of the time, the super sensitive folders like “HR” or “Finance” are locked down, which is obviously good. But, think of the “Shared” drive that everyone has access to in your company. Is it the “Wild West?” Go peek in there, really look around – bet you’ll find something you wish you hadn’t.

At least semi-annually, use an account with minimal permissions (no special security groups) to browse file shares and discover where permissions may not be as restrictive as they should. If this user can see it, everyone in the company can see it. Identify and secure what you find and communicate with the relevant departments and employees about putting things where they are supposed to go. Resist the urge to say “Well, they can get that information in this other system, so it’s not a big deal to see it here.” Trouble with that is, that “other system” probably has access controls too, so why not just keep it safe there?

Finally, in addition to helping ensure least privilege access to sensitive data, strong access controls on file shares can also help to limit the impact of some types of ransomware that can only encrypt files accessible to the victim who triggered it.