By Rick Epstein
ResolvIT Inc.
This post continues the list of common security mistakes begun in my earlier post, Abuse of the Everyone Group.
Content is an asset. It has value for your organization, is frequently subject to regulatory compliance requirements, and can cause damage to your organization if it falls into the wrong hands. Securing content requires your utmost attention.
Mistake #4: Not securing all content within the CMC
ResolvIT Inc.
This post continues the list of common security mistakes begun in my earlier post, Abuse of the Everyone Group.
Content is an asset. It has value for your organization, is frequently subject to regulatory compliance requirements, and can cause damage to your organization if it falls into the wrong hands. Securing content requires your utmost attention.
Mistake #4: Not securing all content within the CMC
You should be able to have confidence that any
user logging in to the CMC can only see what you want them to see, and perform
only those actions you want them to perform.
Mistake # 5: Setting explicit denials
Mistake # 5: Setting explicit denials
There may be a place for explicit denials
somewhere in your security model, but as a rule, you should avoid them like the
plague. They are just too difficult to document. Once you set explicit denials,
undoing them can be difficult. It's very difficult to know what unintended
consequences you've unleashed through the cascading effects of explicit
denials.
Mistake #6: Breaking inheritance without a clear plan and good documentation of such
Mistake #6: Breaking inheritance without a clear plan and good documentation of such
Users will potentially have new rights which
are not controllable from a higher folder and/or group level. An administrator
would likely not be aware that this situation exists and would mistakenly think
that content is secure. In other words, if there is a parent folder which has
subfolders and the parent folder has inheritance broken, that folder and its
subfolders will have a set of permissions that are likely not consistent with
all desired security settings and certainly different from those on folders
levels above them.
Mistake #7: Not knowing who has rights to what content and what a user can do with that content
Mistake #7: Not knowing who has rights to what content and what a user can do with that content
What if granular rights have been set? What
if explicit denials have been used? What if inheritance has been broken? Any
one or more of these leads to confusion and not only makes maintenance
difficult but makes it nearly impossible to know who can see and do what. Ask
yourself, "What is the summation of all rights for this user on this
object?"
Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.
Are you aware of other common security mistakes, or do you have questions about what is written here? Use the Comments section for this post, or email me directly at repstein@resolvitinc.com.
More common mistakes in my next post.