removing IT support groups on folder ACL

crib bar 636 Reputation points

One of our risk teams has raised an interesting query about the necessity of support groups being on a sensitive folder's access control list (on a file server). For argument's sake, Domain Admins. The feedback is they have access to everything, to which the response is "why". Obviously, they have the powers to add themselves as members into other groups on the ACL to regain access, take ownership, amend root permissions etc.
But what issues (from your perspective as technical support personnel) are there in messing with permissions in a way that you remove IT support groups from file server ACLs to please management/risk teams? I'm trying to identify the problems this would cause. Obviously, we have a duty to ensure admins aren't abusing their global access permissions, but that isn't the question in this case. It's more about what problems it would or could cause taking IT-related support groups off folder permissions (given it adds minimal control benefits as they can add themselves back via a number of avenues).


Accepted answer
Gary Reynolds 9,396 Reputation points

Hi @crib bar

Removing the admins' rights from the ACL shouldn't impact the operation of the file share from a user perspective, as long as the users are assigned specific permissions to the folder and files. However, it will impact the ability of the admins to support the users if they have issues and increase the time it will take to identify and resolve issues. Usually, to address this type of risk question/concern, visibility is an easy way to address this concern. By changing the delegation model and enabling auditing you can limit access to the folder and report when access is granted. By enabling auditing on AD changes and on the server, you can record when an admin increases their rights to access the folder. Obviously this assumes you have a SIEM capturing the event logs and a delegation model in place to support this configuration.


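As an added example (not from the thread, and not Microsoft's own script), here is PowerShell that implements the "enable auditing and report when an admin regains access" model the answer describes: it writes a SACL on the sensitive folder and then pulls the Security events that show an admin changing permissions, exercising a privilege on the folder, or adding an account to a group. It assumes an elevated session, a share at D:\Shares\Finance and the account names jdoe/asmith (all placeholders); group-membership events (4728/4732/4756) are logged on the domain controllers, so point -ComputerName at a DC or at the collector that feeds your SIEM for those.

```powershell
# Added example, not from the original thread. Assumed placeholders: the folder path,
# the admin account names, and an elevated session (writing a SACL needs SeSecurityPrivilege).

function Enable-SensitiveFolderAudit {
    param([Parameter(Mandatory)][string]$FolderPath)
    # Subcategories that produce 4670 (File System), 4674 (Sensitive Privilege Use)
    # and 4728/4732/4756 (Security Group Management, logged on the DCs).
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable | Out-Null
    auditpol /set /subcategory:"Security Group Management" /success:enable | Out-Null
    # SACL entry: log every successful permission or ownership change on the tree, whoever does it.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone', 'ChangePermissions,TakeOwnership', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl = Get-Acl -Path $FolderPath -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Get-EventData {
    # Flatten the EventData section of a Security event into a name -> value hashtable.
    param($Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Find-AdminRightsRegain {
    param([Parameter(Mandatory)][string]$FolderPath,
          [Parameter(Mandatory)][string[]]$AdminAccounts,
          [string]$ComputerName = $env:COMPUTERNAME,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4670,4674,4728,4732,4756; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in (Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = Get-EventData $ev
        $actor = $d['SubjectUserName']
        if ($AdminAccounts -notcontains $actor) { continue }   # only the admin accounts in scope
        $finding = switch ($ev.Id) {
            { $_ -in 4728,4732,4756 } {
                # Group membership change: flag it loudly when the admin added their own SID.
                $self = $d['MemberSid'] -eq $d['SubjectUserSid']
                "added $($d['MemberName']) to group $($d['TargetUserName'])" + $(if ($self) { ' (SELF-ADD)' })
            }
            4670 { if ($d['ObjectName'] -like "$FolderPath*") { "changed permissions on $($d['ObjectName'])" } }
            4674 { if ($d['ObjectName'] -like "$FolderPath*") { "used $($d['PrivilegeList']) on $($d['ObjectName'])" } }
        }
        if ($finding) { [pscustomobject]@{ Time = $ev.TimeCreated; EventId = $ev.Id; Actor = $actor; Finding = $finding } }
    }
}

Enable-SensitiveFolderAudit -FolderPath 'D:\Shares\Finance'
Find-AdminRightsRegain -FolderPath 'D:\Shares\Finance' -AdminAccounts 'jdoe','asmith' | Format-Table -AutoSize
```

Running the report against a DC with -ComputerName surfaces the self-add case, which is the one the question's risk team is worried about; the file-server run covers the take-ownership and permission-change routes.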
