Mikael Grondahl

File Server security (Part 3) – Securing your Windows File Servers

In the two previous parts of “File Server Security” (1-2), we looked at ways for you to physically secure your files servers, making it more difficult for perps to get physical access to your servers and the data, but if they still would, we would surely make them sweat a little bit before they could “enjoy” it.

We also looked at ways to minimize the attack surface by utilizing firewalls, avoiding internet connections, getting rid of unnecessary software, stopping services, malware protection and so on…

In this third and final part of “File Server Security”, we will put the final touch on our file server security recipe, for now…

# NTFS & Distributed File System (DFS)
Restrict and secure file and folder access to specific groups or individual users by using NTFS and DFS.

DFS secures files and folders through NTFS and share permissions. Users can only access files and folders for which they have appropriate NTFS or shared folder permissions.

DFS increases the availability of the file server by allowing several distributed SMB file shares to be organized into a distributed file system, sharing the load.

# Dynamic Access Control
Dynamic Access Control (DAC) allows administrators to centrally apply access control and permissions based on predefined rules that prevents unauthorized access to your data.

DAC use centralized rules that define access conditions, these rules could compare expressions or keywords found in the content that matches a predefined list of identifiers or use conditions such as Active Directory attribute data and/or type of computing device used.

With DAC, you can allow or deny access to specific resources, and provide control over the permission and security of the data on a more granular level.

# Administration using the principle of least privilege
Avoid the use of accounts with full control privileges and implement a policy of assigning permissions to groups instead of individual users.

Only provide permissions necessary to perform assigned tasks, using the least amount of privileges principle.

Always make sure accounts with administrator privileges are protected by strong password policies, and that these password policies are enforced. 

# File Server Auditing Software
Detailed monitoring and alerting tools such as Cygna Auditor, Netwrix Auditor and Quest Change Auditor helps organizations mitigate risk of external and internal abuse and provide compliance reports in case of audits.

Auditing software helps monitor, analyze and report activities on your file servers, finding and alerting you of vulnerabilities and threats, making sure you know who is doing what, when and where, giving you insights into events such as which user is attempting to read, copy, move or delete files and folders, detecting unusual activities and monitoring if your file servers are being, or have been compromised.

# Inventory & Change logs
Make sure to keep and fill out a detailed server inventory and change log, to record and keep track of all changes made to the server, both hardware and software changes, and have the person responsible for the changes sign off on them.  This will help prevent software that is not tested and approved from being installed etc., that could potentially create security risks.

# Encrypt your Backups
Make sure you encrypt the backups of your data, and make sure to keep copies of the backups both on-premise and offsite in physically secure environments.

This was the last blog in the 3 part “File Server Security” blog series, I hope you found it informative and helpful.

There are obviously more ways than this to secure your file servers and data, but if you follow these suggestions, I’m confident that it will make it a little bit more challenging for potential attackers, external or internal, to gain access to your organization’s sensitive information.

Best of luck!