Now that you've secured the Active Directory database and created an efficient group structure for your organization in Chapter 8, Securing Active Directory, the next step is to actually secure the files and folders themselves. Windows permissions are discretionary, which means that users with the Change Permissions or Full Control permissions or users who have ownership of a file or folder can change its permissions to their heart's content. With this in mind, you should design a permission scheme that will provide sufficient access for end users to do their jobs, but not unnecessary permissions that might affect the security of your overall network.
Windows Server 2003 establishes a default permission structure when you first install the operating system, but you might need to change these defaults to meet your needs. In this chapter, we examine some common risks that can affect your file shares, such as data corruption caused by viruses or security breaches arising from incorrectly assigned permissions. Then, we'll look at ways to design a permission structure for the files and folders in a large, multiserver environment, as well as best practices for securing the Windows Registry.
The last topic we'll talk about here is designing a secure backup and recovery strategy for your network resources. The disaster recovery process is really your last line of defense where security is concerned: if all else fails and your data has been compromised somehow, you can turn to your backup tapes to restore anything that has been lost or corrupted. However, what if your backups themselves create an avenue for attackers to compromise your network? We'll look at ways to secure the backup process itself, including physically securing backup media, and assigning rights and permissions to perform backups and restores in a secure manner.