SMB Security - Display User Permissions



Hello, I've just finally gotten on the security train with all the talk of ransomware lately and a housemate that just loves social media.

 

Anyway, I know I can look at the share listing and see the share's status as Public|Secure|Private, but what I'd also like to see are two other things:

 

1) An indicator to know if ANY user of the share is granted Write privileges

2a) A hover-over to show who those users are

      or

2b) A button to expand a share's row to display all users, their permission level, and the ability to change their share permissions right there.

   - Visually this could look much like what is done when we "compute" a share's size

 

3) In the current main share page, color code read-only and read/write (with ADA compliant icons) to make it a quicker visual scan to find users with write privileges.

 

The current way of doing things is fine with just a few shares and a few users, but it quickly becomes annoying / mistake-prone to manage as things get more complicated. And complicated is what happens as you have to add more shares and more users to provide the granular control needed to create fire-breaks against ransomware, such as only allowing each computer access to its own backup share with its own backup user, vice granting access to the standard user, or worse, guest access.

 

Related, it would be very useful, when looking at a user (or maybe even in the user tab), to have a list of that user's share permissions to easily audit who has access to what. Again with color / icon cues.


I like! Anything that makes security assessment and management easier is a Good Thing.

 

It could all be displayed in a tabular form, shares as rows and users as columns (or vice versa for some with lots of users and few shares). Include disk shares if possible, in a separate table if necessary. Include both the read-only/read-write state and the Public/Secure/Private state (color coding is always nice!). And make all the info live, immediately toggle-able, no Apply button needed. Then include a global button to set all immediately to Read Only (saves current config first), and if clicked again restores the previous config. Add the ability to select by user or share, so that a whole group of users or shares could be toggled one way or another.

 

This is going beyond, something for the future, but I'd like to see options for limiting write access: time limited (on demand or by schedule) and activity limited. Write access then could be limited to scheduled periods (e.g. a backup user given RW permission only between 3am and 3:30am on Tuesday, Thursday, and Saturday mornings). Anyone could click for RW rights, but only for a configurable period (default of 2 hours?). If they don't need it, and forget to return to read-only, the system will automatically reset them to RO after 2 hours. Plus an activity limiter choice, e.g. a backup user could get RW at 3am, but goes back to RO after 5 minutes of no I/O activity (use it or lose it!). The key desire here is that external RW access be always limited, never stay RW (unless deliberately overridden). Write access is given as needed, but not longer than needed.

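The audit view asked for in the two posts above (a per-share "can anyone write?" flag, a shares-by-users matrix, and a per-user list of share permissions) can be produced today from the Samba configuration itself. The script below is an added example, not code from this thread or from Unraid: it parses an smb.conf-style text, applies a subset of Samba's access rules (`read only`/`writeable`, `read list`, `write list`, `valid users`, `guest ok`), and reports who can write where. The share definitions, paths and user names (`alice`, `bob`, `bk_laptop1`) are constructed sample data laid out in the per-machine backup-share style described in the first post; they are not a real configuration.

```python
"""Share-permission audit for an smb.conf: shares x users matrix, an
'anyone can write?' flag per share, and a per-user view.

Added example, not code from the forum thread or from Unraid. It models a
subset of Samba's rules (read only / writeable, read list, write list,
valid users, guest ok). The share definitions below are constructed sample
data with hypothetical users, not a real configuration."""
from __future__ import annotations

GUEST = "guest"  # pseudo-user standing in for anonymous (guest ok) access

# Constructed sample smb.conf: one backup share per machine with its own
# backup user (the "fire-break" layout from the first post), plus two
# shared areas, one of which is wide open.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP

# everyone, including guests, can write here
[media]
   path = /mnt/user/media
   guest ok = yes
   read only = no

# guests read, only alice writes
[documents]
   path = /mnt/user/documents
   guest ok = yes
   read only = yes
   write list = alice

# only this machine's backup user may even connect
[backup-laptop1]
   path = /mnt/user/backup-laptop1
   valid users = bk_laptop1
   read only = yes
   write list = bk_laptop1

[archive]
   path = /mnt/user/archive
   valid users = alice, bob
   read only = yes
"""


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal ini-style parser: {section: {lower-cased key: value}}.
    Whole-line '#' / ';' comments are skipped."""
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def _yes(value: str | None, default: bool) -> bool:
    return default if value is None else value.strip().lower() in ("yes", "true", "1")


def _names(value: str | None) -> set[str]:
    return set(value.replace(",", " ").split()) if value else set()


def known_users(conf: dict[str, dict[str, str]]) -> set[str]:
    """Every user named in any valid/read/write list, plus the guest pseudo-user."""
    users = {GUEST}
    for opts in conf.values():
        for key in ("valid users", "read list", "write list"):
            users |= _names(opts.get(key))
    return users


def share_permissions(conf: dict[str, dict[str, str]], users: set[str]) -> dict[str, dict[str, str]]:
    """{share: {user: 'rw' | 'ro' | '-'}}; '-' means the user cannot connect at all."""
    perms: dict[str, dict[str, str]] = {}
    for share, opts in conf.items():
        if share.lower() in ("global", "homes", "printers"):
            continue
        # 'writeable'/'writable' is the inverse of 'read only'; Samba defaults to read only = yes
        w = opts.get("writeable", opts.get("writable"))
        share_rw = _yes(w, False) if w is not None else not _yes(opts.get("read only"), True)
        valid, rlist, wlist = (_names(opts.get(k)) for k in ("valid users", "read list", "write list"))
        guest_ok = _yes(opts.get("guest ok"), False)
        row: dict[str, str] = {}
        for user in sorted(users):
            can_connect = guest_ok if user == GUEST else (not valid or user in valid)
            if not can_connect:
                row[user] = "-"
            elif user in wlist:          # write list overrides a read-only share
                row[user] = "rw"
            elif user in rlist or not share_rw:
                row[user] = "ro"
            else:
                row[user] = "rw"
        perms[share] = row
    return perms


def writers(perms: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Per share, who can write: the 'ANY user has Write?' indicator."""
    return {s: [u for u, lvl in row.items() if lvl == "rw"] for s, row in perms.items()}


def user_view(perms: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Transpose to {user: {share: level}} for the per-user audit."""
    out: dict[str, dict[str, str]] = {}
    for share, row in perms.items():
        for user, lvl in row.items():
            out.setdefault(user, {})[share] = lvl
    return out


def render(perms: dict[str, dict[str, str]]) -> str:
    """Shares as rows, users as columns, plus a WRITERS? flag column."""
    users = sorted(next(iter(perms.values()), {}))
    width = max((len(s) for s in perms), default=5)
    lines = [f"{'share':<{width}}  WRITERS?  " + "  ".join(f"{u:>10}" for u in users)]
    for share, row in perms.items():
        flag = "YES" if any(lvl == "rw" for lvl in row.values()) else "no"
        lines.append(f"{share:<{width}}  {flag:<8}  " + "  ".join(f"{row[u]:>10}" for u in users))
    return "\n".join(lines)


def audit(text: str = SAMPLE_SMB_CONF):
    conf = parse_smb_conf(text)
    perms = share_permissions(conf, known_users(conf))
    return perms, writers(perms)


if __name__ == "__main__":
    perms, who_writes = audit()
    print(render(perms))
    for share, names in who_writes.items():
        print(f"{share}: write access for {', '.join(names) or 'nobody'}")
```

Run it against a real `/etc/samba/smb.conf` by passing the file contents to `audit()`; the `guest` column is the one to scan first, since a `rw` there means anyone on the network can write to that share. The model deliberately ignores `force user`, `hosts allow`, and filesystem ACLs, so treat its output as a first-pass screen rather than a complete access decision.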

Hahaha, yeah, I had almost all those ideas after I posted and while I continued to re-engineer my system, but I didn't want to sound greedy :)

 

I was really jazzed by the idea of a scheduled r/w period for my backups. And I still would. But for now my solution is documented in the below thread, where I'm seeking advice / an audit of my method.

 

https://lime-technology.com/forum/index.php?topic=54210.0
