Windows 7: Take Back Control by Managing Windows Access Rights

Managing access rights to Windows can be a challenge, but it’s easier if you have a clear view of your infrastructure and protocols.

David Rowe

When it comes to access rights, you’d think a deny rule would always take precedence over an allow rule, wouldn’t you? Most often, it doesn’t—at least not in Windows. An allow entry set explicitly on a folder, for instance, wins over a deny entry that folder inherits from its parent. This quirky hierarchy contributes to the challenge of effectively managing Windows access rights.

There are myriad components involved in managing the permissions for any one group or user account. This can be problematic in this age of regulatory compliance. You’re held increasingly accountable for providing an accurate assessment of access rights, assisting security auditors and maintaining a secure environment.

As daunting as it seems, there are several steps that you can take to regain control of Windows access rights, improve security and lower compliance costs. First, you have to know what you don’t know. Let’s check your Windows Access Rights IQ:

Question 1. True or False: I have a pretty good idea of how many security groups there are in Active Directory.

  A. I know exactly how many security groups there are
  B. My guess would always be within 10 percent of the actual number
  C. My guess would probably be +/- 50 percent of the actual number

Question 2. Complete this statement: I believe that the number of security groups I have in Active Directory is…

  A. Low; I clean up old groups once a year or more frequently so I’m on top of it
  B. Probably a 5-1 users-to-group ratio
  C. If we didn’t need them, I’m sure someone would’ve deleted them

Question 3. Complete this statement: When it comes to managing and removing Windows access rights …

  A. I’m an expert; I know how rights are granted so when I clean them up, they’re cleaned up
  B. I think I know what I’m doing, but I’m flying a little blind sometimes
  C. I have a hands-off policy; I don’t want to limit anyone’s ability to get the files they want

Question 4. True or False: We have an easy way to perform rights attestation.

  A. Yup—we have an organizational requirement to do it on a predetermined frequency
  B. We’ve done it a few times in response to an event, but it wasn’t easy
  C. We talk about it occasionally, but I don’t think we’ve ever actually done it

Question 5. How certain are you that you know who can change rights and whether it’s done appropriately?

  A. I know when every change is made and exactly what happened; any critical notification is e-mailed to me
  B. I might have the ability to track certain changes by looking at logs
  C. I’m not sure how I’d figure it out

Question 6. Where is your company’s sensitive data located?

  A. Saved only in a single, highly secure location with secure access controls in place
  B. Saved in a number of somewhat organized file shares that are accessible in various ways to the employee population
  C. Spread across numerous unknown servers in unknown folders

Score Yourself

In a perfect world, you would’ve answered “A” on all of the preceding questions. Odds are—and be honest—you didn’t. For most of you, there were a few “B” or “C” responses.

Most of you probably have a good understanding of the state of Windows access rights when it comes to assigning and denying permissions. There’s often a bit of confusion, though, around the understanding and reporting on who has access to what files and how that access has been managed over time. This confusion typically stems from constant employment changes and role movement throughout an organization. This ebb and flow can lead to users with inappropriate group memberships, dormant accounts and groups with circular access, among other conditions.

Even a perfectly configured file system is subject to entropy over time. Don’t be lulled into a false sense of security. You have to actively monitor, evaluate and manage access rights. That typically requires some sort of investment in automation.

Raise Your Access Rights IQ

When we’re talking about access rights management, we inevitably have to address group and resource management. Most companies have groups of people working together and contributing to any number of projects. Over time, projects and employees get shifted around.

Because of this, some people end up with clearances they shouldn’t have and some resources fall into disuse. Employees with inappropriate access rights and resources no longer in use represent an internal security threat. That threat is particularly dangerous because you probably won’t realize it until it’s too late.

Group and resource management is an effective way to scan for hidden threats. Employees join and leave the company, mergers and acquisitions happen, and departments split and regroup. In short, the organization invariably morphs over time. You may add permissions to meet immediate requirements, hit deadlines and make life easier. However, all those ad hoc permissions continue to accumulate and never get cleaned up, which leads to an unstable environment.

A recent scan of a large company’s infrastructure revealed that there were 60,000 Active Directory groups for 80,000 employees (a 4-3 ratio). Furthermore, almost a third of those had one or zero members. Before you chuckle to yourself, those same scans performed on organizations with 50 to 100,000 users showed that most of those organizations had at least one group for every two employees. Many of those groups had fewer than two members in them. This type of rights proliferation is quite common.

Making matters worse is that Windows access rights are granted based on nested groups a dozen or even a hundred layers deep. Employees can have multiple identities and levels of rights for different systems they use. Different departments and administrators often create and manage these rights autonomously, so policies may not be consistent across an organization.

The end result is massive complexity, inability to know what a given user or group could access, and inability to report on who has access to a given set of files. This can lead to failed audits, costly audit response, loss of sensitive data, and the inability to protect intellectual property.

For example, an office manager should only have rights to view files relevant to his office. He may have worked on a project with executives at corporate headquarters at some point, so he may have been put into an executive-level permission group. Without actively monitoring access rights for this group, an IT administrator may find this manager on his way out with sufficient access to be able to provide the competition with competitive intelligence.


The first step is to know every level of your access rights reality. With the right tools, it’s not too difficult to quickly find groups with low member counts, rights to resources with low utilization, dormant accounts and other information that will help you get a lay of the land. Prepare to grab the low-hanging fruit.

Quickly identify what rights exist at any level (share, folders, files, groups and users). Simply being able to provide precise answers can reduce audit costs, increase the chance of passing audits, improve security, and reduce the amount of time spent researching and responding to questions.

Clean Up

Put a process in place to clean up objects and users flagged as having inappropriate access rights. Get your systems to a known “good state.” Clean up dormant accounts and obsolete groups, remove inappropriate group memberships, ensure that all users have appropriate password policies, and monitor use of smartcards. Delete redundant or unused files. This will help not only shore up security, but also save money in storage costs.

After tackling the easy targets, move to more persistent problem areas, like orphaned Security Identifiers (SIDs) and circular groups. Identify which sensitive data has a high amount of permissions, which files haven’t been touched in more than a year, and which users have too much access. The right tools can simplify this process.

Users with direct assignments may seem like common practice, but in reality they should be the exception. Group assignments keep access rules to a minimum and are easier to track. Direct assignments have to be monitored one at a time, and they are the usual source of orphaned SIDs. The more individual or direct user assignments you have within a file system, the harder it will be to clean and the more porous it will be.
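To put the two problems above side by side, here is an added example (not code from the article or from NetVision) that walks a share’s folder tree and reports explicit ACEs that are either orphaned SIDs or granted directly to a user account rather than a group; it assumes the ActiveDirectory PowerShell module, read access to the share’s ACLs, and a placeholder share path.

```powershell
# Added example: flag orphaned SIDs and direct user assignments in explicit NTFS ACEs.
# Assumes the ActiveDirectory module (RSAT) and read access to the share's ACLs.
Import-Module ActiveDirectory
$Root = '\\fileserver\finance'   # assumption: placeholder, replace with the share you are auditing

$findings = foreach ($dir in (Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are cleaned up where they originate, so only explicit ones are examined
        if ($ace.IsInherited) { continue }
        $id   = $ace.IdentityReference
        $kind = $null
        if ($id -is [System.Security.Principal.SecurityIdentifier]) {
            # Get-Acl resolves every SID it can to DOMAIN\Name; a raw S-1-5-... left in the
            # ACL belongs to a principal that no longer exists: an orphaned SID
            $kind = 'OrphanedSid'
        } else {
            try {
                $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value
                # Ask AD what kind of principal this is; local and built-in principals return nothing
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
                if ($obj -and $obj.ObjectClass -eq 'user') { $kind = 'DirectUserAssignment' }
            } catch {
                $kind = 'Unresolvable'   # the name could not be mapped to a SID at all
            }
        }
        if ($kind) {
            [pscustomobject]@{
                Path     = $dir.FullName
                Identity = $id.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType   # Allow or Deny
                Finding  = $kind
            }
        }
    }
}

$findings | Sort-Object Finding, Path | Format-Table -AutoSize
$findings | Export-Csv -Path .\acl-findings.csv -NoTypeInformation
```

Each orphaned SID in the report is a candidate for removal, and each direct user assignment is a candidate for replacement with a group membership.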


Monitor activity over time. Track group membership changes, changes to access rights, what files are being accessed and by whom, user changes and so on. You should not only track these types of changes, but also automate real-time analysis. That way you not only log events, but are also better able to respond to critical ones.

You can automate frequent, routine monitoring of dormant accounts, groups with no members, orphaned SIDs, circular groups and more. Perform routine, scheduled attestation by the business unit owners of user permissions and activity on sensitive files and folders. You should also monitor any changes to groups that grant access to sensitive files or business applications.
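As an added example of the routine sweep described above (not code from the article or from NetVision), the script below flags groups with fewer than two members, enabled accounts that have not logged on recently, and circular group nesting; it assumes the ActiveDirectory PowerShell module, read access to the domain, and a 90-day dormancy threshold chosen here for illustration.

```powershell
# Added example: a scheduled AD hygiene sweep for thin groups, dormant users and circular nesting.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory
$InactiveDays = 90   # assumption: days without a logon before an account counts as dormant

# Groups with one or zero members, the case the scans in the article turned up so often
$allGroups  = Get-ADGroup -Filter * -Properties Members, MemberOf
$thinGroups = $allGroups | Where-Object { @($_.Members).Count -lt 2 }

# Enabled user accounts that have not logged on within the threshold
$dormant = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
           Where-Object { $_.Enabled }

# Circular nesting: follow MemberOf upward from each group; reaching the starting
# group again means the group is, indirectly, a member of itself
$byDn = @{}
foreach ($g in $allGroups) { $byDn[$g.DistinguishedName] = $g }

function Find-GroupCycles {
    param([string]$Start, [string]$Current, [string[]]$Path)
    foreach ($parent in $byDn[$Current].MemberOf) {
        if ($parent -eq $Start) { ($Path + $parent) -join ' -> '; continue }
        # Skip parents already on this path and parents outside the groups loaded above
        if ($Path -contains $parent -or -not $byDn.ContainsKey($parent)) { continue }
        Find-GroupCycles -Start $Start -Current $parent -Path ($Path + $parent)
    }
}
$cycles = foreach ($g in $allGroups) {
    Find-GroupCycles -Start $g.DistinguishedName -Current $g.DistinguishedName -Path @($g.DistinguishedName)
}

[pscustomobject]@{
    GroupsTotal   = @($allGroups).Count
    GroupsUnder2  = @($thinGroups).Count
    DormantUsers  = @($dormant).Count
    CircularPaths = @($cycles).Count   # each cycle is reported once per group on it
}
$thinGroups | Select-Object Name, @{n = 'Members'; e = { @($_.Members).Count }} |
    Export-Csv -Path .\groups-under-2.csv -NoTypeInformation
$dormant | Select-Object Name, SamAccountName, LastLogonDate |
    Export-Csv -Path .\dormant-users.csv -NoTypeInformation
$cycles | Sort-Object -Unique | Out-File -FilePath .\circular-groups.txt
```

Run it as a scheduled task and compare successive CSV files to see which conditions are new since the last sweep.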

It’s important that Windows access rights move at the same speed as business. A fluctuating work environment leads to an erratic access environment. Users may be added, but old users are rarely taken off. Each dormant user poses a potential security threat. Daily or weekly access rights maintenance can significantly reduce this threat. It also helps keep the file systems more organized.

Your company’s file system will be more secure and you’ll have more control over permissions—and ensure your status as a Windows access rights management genius.

David Rowe

David Rowe is the CEO of NetVision, a privately funded company providing compliance and control solutions for enterprise access auditing. Reach him at