Enterprise Recon 2.8.0

Data Access Management

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


This section covers the following:

Overview

Controlling access to sensitive and PII data is a key concept in many data protection regulations. After taking the first step of data discovery, identifying who has access to the data is necessary to understand the risk of exposure. For example, does everyone with permissions to view a file still require that access? Which files have open permissions (e.g. accessible by everyone in your organization)?

With the Data Access Management feature, users can easily:

  • View and analyze the access permissions and ownership information for sensitive data locations, and
  • Immediately take action to minimize risk by managing and controlling access to those locations from the Investigate page.

The Data Access Management feature is disabled by default for:

  • New installations of ER2 with the Enterprise Recon PRO license, and
  • Existing installations of ER2 when upgrading from Enterprise Recon PCI or Enterprise Recon PII to an Enterprise Recon PRO license.

See Requirements and Enable Data Access Management for more information.

Requirements

Requirements Description
License Enterprise Recon PRO license.
Master Server Version 2.4 and above.
Agents Version 2.4 and above.
File Systems ER2 will retrieve access permissions and ownership information for match locations in Windows NTFS, Linux / Unix and macOS file systems.
Scan Modes Data Access Management is supported for match locations that were scanned as:
  • Local scans with a locally installed Node Agent.
  • Agentless scans with Proxy Agents - requires WMI connectivity for Windows, and SSH connectivity for Linux / Unix Targets. See Agentless Scan Requirements for more information.

User Permissions

Enable Data Access Management

View match location permission details

  • Users with Report - Detailed Reporting resource permission are able to view match location permission details. See Resource Permissions for more information.

Manage permissions for the match location

  • Users with Access Control resource permission are able to manage permissions for the match location. See Resource Permissions for more information.
A Global Admin user has administrative privileges to access and configure all ER2 resources and is therefore not included in the list above.
Active Directory

Active Directory (AD) must be set up and enabled in ER2 to:

  • Retrieve detailed information on AD groups or users that have access permissions to a match location, and
  • View the groups or users in the AD domain when managing and controlling access to those match locations.

You can manage access permissions for AD groups or users by manually adding AD accounts using the <domain>\<groupname_or_username> format.

Enable Data Access Management

When the Data Access Management feature is enabled, ER2 retrieves access permissions and ownership information in scans for supported Target locations. Users can then navigate to the Investigate page to analyze these access details and take the appropriate access control action to secure access to these locations.

Users with Global Admin and System Manager permissions can enable the Data Access Management feature in the Settings > Remediation > PRO Settings page.

To enable Data Access Management:

  1. Log in to the ER2 Web Console.
  2. On the Settings > Remediation > PRO Settings page, go to the Data Access Management section.
  3. Set the toggle button to On.

Disable Data Access Management

Users with Global Admin and System Manager permissions can disable the Data Access Management feature in the Settings > Remediation > PRO Settings page.

Disabling the Data Access Management feature will result in the following:

  • Access permissions information of all current match locations will not be viewable.
  • Access permissions information will not be retrieved for match locations if the feature is disabled prior to the start of the scan.
  • Access Control Actions will be unavailable.

To disable Data Access Management:

  1. Log in to the ER2 Web Console.
  2. On the Settings > Remediation > PRO Settings page, go to the Data Access Management section.
  3. Set the toggle button to Off.

View Access Status

In the Investigate results grid, the Access column displays the number of unique users that have any level of access permissions to the match location. If a group(s) has access permissions for the given location, unique group members will be calculated as part of the total Access count.

When Data Access Management is enabled, ER2 retrieves information on AD users and user groups every 24 hours at 00:00 AM to maintain up-to-date AD account information in the datastore. This may cause the reported Access count to be incorrect if there are newly created AD user groups with Access permissions to a match location.

To view updated Access count information, wait for the periodic update of AD account information and rerun a scan on the impacted match location(s).

There are two scenarios where "Everyone" instead of the unique user count will be displayed in the Access column.

  • Windows - This applies if the built-in group Everyone has access permissions to the match location.
  • Unix and macOS - This applies for match locations that have a non-zero value for the Others permission set.

If ownership or access permissions for a match location has been modified using ER2, a notification icon Enterprise Recon Reassign Permissions icon. will be displayed in the Owner or Access column accordingly. The status of the last access control action performed for a match location will be reflected in the Access Control column.

Example

"File-B.zip" is a match location that the following groups and users have permissions to:

File-B.zip +-- Group-1 +-- Administrator +-- User-1 +-- Group-3 +-- User-3 +-- User-4 +-- Group-2 +-- Administrator +-- User-1 +-- User-2 +-- User-1

The Access column will indicate "3" for "File-B.zip" as there are three unique users who have access to the match location:

  • Administrator
  • User-1
  • User-2

"User-3" and "User-4" are not included in the total Access count as they belong to "Group-3", which is a nested group and child member of "Group-1".

View Access Permissions Details

To view the list of groups, users, or user classes that have any level of access permissions for a match location:

  1. Log in to the ER2 Web Console.
  2. Go to the Investigate page.
  3. Click on the match location to bring up the Access panel.
  4. The Access panel displays information about the owner, groups, users or user classes (e.g. Owner, Group, Others) that have access to the match location, and the permissions associated with each group, user, or user class.

Manage and Control Data Access

There are several types of access control actions that can be taken on a match location, such as modifying file ownership properties, revoking access permissions for specific users or groups, and granting access to new users, groups, or user classes.

Manage File Owner

To modify the file owner property for a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) that you want to manage access permissions for.
  3. Click the Control Access button to bring up the Reassign Permissions dialog box.
  4. Click on Change next to the File Owner label to change the file ownership for the location.
  5. Select a new file owner from the list of domain or local user accounts. Alternatively, enter a new user account in the input text field and click Add.
    • New domain account: <domain>\<username>
    • New local account: <username>
  6. Enter a name in the Please sign-off to confirm reassign field.
  7. Enter a reason in the Reason field.
  8. Click Reassign.
  9. (Optional) To reset all changes made to file permissions, click Cancel to cancel the operation.
Changing File Owner for Windows Locations

For Windows locations, using the Change option changes the "Owner" attribute of the file or folder to a new user, but does not automatically remove the existing access permissions (e.g. Execute, Read, Write) for the previous owner.

Manage Permissions for Groups, Users, and User Classes

To manage the access permissions for a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) that you want to manage access permissions for.
  3. Click the Control Access button to bring up the Reassign Permissions dialog box.
  4. In the Reassign Permissions dialog box, you can
    • Remove specific groups, users, or user classes
    • Modify the permissions for existing groups, users, or user classes
    • Grant permissions to new groups, users, or user classes
    • Keep or revoke permissions for existing groups, users, or user classes
  5. Enter a name in the Please sign-off to confirm reassign field.
  6. Enter a reason in the Reason field.
  7. Click Reassign.
  8. (Optional) To reset all changes made to file permissions, click Cancel to cancel the operation.
The Control Access button will be disabled if:
  • A selected match location has been removed by another operation (e.g. remediation),
  • A selected match location is a nested object (e.g. a file within a ZIP archive) and not the parent object,
  • Match locations across different file systems (e.g. Windows NTFS, Unix/Linux, or macOS) are selected, or
  • Unsupported Target locations (e.g. databases, cloud Targets, emails etc...) are selected.

Access Control Actions

Action Description Details
Remove Permissions

Remove groups, users, or user classes from having permissions to match location.

Remove existing groups, users, or user classes from having access permissions to the selected match location(s).
  1. Click the trash icon for a selected group, user, or user class.
Modify Permissions

Modify the permissions for existing groups, users, or user classes.

Modify the permissions for existing groups, users, or user classes.
  1. Click the pencil icon for a selected group, user, or user class.
  2. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class.
  3. Click Proceed.
Add Permissions

(Change)

Grant access permissions to new groups, users, or user classes.
  1. Click on Change next to the Groups/Users or Group label to change the groups, users, or user classes that have access permissions for the match location.
  2. Add (check) new groups, users, or user classes from the list of domain or local accounts. Alternatively, enter a new group or user in the input text field and click Add.
    • New domain account: <domain>\<groupname_or_username>
    • New local account: <groupname_or_username>
  3. Click the pencil icon next to a newly added group, user, or user class.
  4. Add (check) or remove (uncheck) specific permissions granted to the group, user, or user class.
  5. Click Proceed.
Reset Permissions

(Keep / Keep existing permissions)

Reset all changes (e.g. delete, add, modify) made to the existing groups, users, or user classes with access permissions to the match location(s). The Keep option does not affect the permissions for groups, users, or user classes added using the Change function.
Revoke Permissions

(Revoke)

Revoke permissions for all existing groups, users, or user classes with access permissions to the match location(s).
On Windows file systems, revoking permissions for a location where the "SYSTEM" account is a member of at least one group with existing access permissions to the match location can cause the location to become inaccessible to ER2. This may impact the ability to scan and remediate those locations successfully with ER2.
  • The Revoke option does not remove the file owner permissions for the location.
  • The Revoke option does not affect the permissions for groups, users, or user classes added using the Change function.
  • Revoking Group permissions for a Unix / Linux file system location changes the Group to root with no permissions granted.
  • Revoking Others permissions for a Unix / Linux file system location removes all permissions for the Others user class.
  • Revoking Group permissions for a macOS file system location changes the Group to wheel with no permissions granted.
  • Revoking Others permissions for a macOS file system location removes all permissions for the Others user class.