Access control

Everything you wanted to know about programming but were afraid to ask.

Access control

Post by Vims »

Is there any inexpensive method of controlling access to folders and subfolders with regard to deletion?
The folders are physically located on a NAS, so Windows auditing won't help.
Maybe someone has experience with this.
Thanks

Re: Access control

Post by lavep »

An excerpt from http://searchStorage.techtarget.com/mag ... 94,00.html

CIFS and NFS file-system security
Because NAS is accessed via NFS and CIFS file-systems protocols, understanding how these two protocols handle access will help you properly secure files and shares.

In the case of CIFS (Windows), security information for a user is contained in an access token that consists of the user's security identifier (SID) and group identifiers. The NAS gets the token from the domain controller and typically caches it throughout a user session. Information about who can access a file or share is stored as meta data in the file system itself and is contained in the file's security descriptor, which comprises the owner SID, group SID and an access control list (ACL). The ACL can contain several access control entries (ACEs) that specify the users and groups who can access a file/share and the type of access.

Similarly, when NFS clients access a file with Unix security information, the NAS checks the user's credentials against the file's security information to determine whether or not an operation is permissible. The file security information comprises a user ID; group ID; and read, write and execute permissions.

As most non-Windows NAS systems--such as BlueArc Corp.'s Titan, EMC Corp.'s Celerra and Network Appliance Inc.'s filers--support both NFS and CIFS, these multiprotocol NAS systems provide a mapping mechanism that allows NFS clients to access files written with CIFS clients and vice versa.
Access control
While network security restricts the ability to communicate with the NAS device, authentication and authorization protect files and shares from being accessed and manipulated by unauthorized users. This is no different from protecting regular file servers and, more than in any other area, security policies play an instrumental role in regulating user access and permissions.

Authentication is the process of determining who the user is by verifying user credentials against a central repository that maintains user names, passwords, security identifiers (SIDs) or user ids (UIDs), as well as group membership information. User credentials are akin to keys that open the door to your data, and protecting these keys and reducing the risk of someone guessing passwords is critical. It goes without saying that securing the central repository of user credentials, such as Active Directory, is of utmost importance. Keeping it properly patched, making sure it has up-to-date virus and malware protection, and limiting administrative access to it are all essential practices.

Security risks around authorization are likely to occur because of improper provisioning. Without strong policies and procedures, users may have inappropriate permissions or get access to files they shouldn't see.

A few simple guidelines can prevent your losing control of the data-access provisioning process. Any access grant or change should only be performed after proper approval. Take advantage of security groups and roles; with the exception of user directories, data is typically accessed by more than one user. Don't grant access to specific files; instead assign permissions at a folder or share level. Default permissions should always default to deny rather than permit. "We default to having no access unless explicitly granted, and we try to not default anything to open but to closed," says Bob Lockhart, security portfolio manager, EDS.

You should also periodically conduct information-access audits that require data owners to verify that the current permission grants are correct. These simple steps will not only make access to data on your NAS more secure, they'll be tremendously helpful for regulatory compliance audits like Sarbanes-Oxley.

In general, auditing depends on the model and the vendor. So give details if you want a more thorough answer.
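As an added illustration (not code from the quoted article or from any NAS vendor), here is a simplified model of the CIFS authorisation check the excerpt describes: an access token holding the user's SID and group SIDs is evaluated against a security descriptor whose ACL is a list of allow and deny ACEs, and a request with no matching entry is refused, the default-deny posture the excerpt recommends. The SIDs and the ACL are constructed; the access-right bit values are the standard Windows ones.

```python
# Added model of the CIFS authorisation check (not code from the quoted
# article or from any NAS vendor). SIDs and the ACL below are constructed;
# the access-right bit values are the standard Windows ones.
from dataclasses import dataclass, field
from typing import List

DELETE = 0x00010000          # standard Windows DELETE right
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002

@dataclass
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # user or group SID the entry applies to
    mask: int   # access rights granted or denied

@dataclass
class SecurityDescriptor:
    owner_sid: str
    group_sid: str
    acl: List[ACE] = field(default_factory=list)

@dataclass
class AccessToken:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)

    def sids(self) -> List[str]:
        return [self.user_sid] + self.group_sids

def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the ACL in order as Windows does: a matching deny ACE covering any
    requested bit refuses the request, allow ACEs accumulate bits, and the walk
    stops once every requested bit is granted (so a deny placed after an allow
    is never seen, which is why explicit denies come first in canonical order).
    No matching ACE at all means False: default deny."""
    granted = 0
    for ace in sd.acl:
        if ace.sid not in token.sids():
            continue
        if ace.kind == "deny" and ace.mask & desired:
            return False
        if ace.kind == "allow":
            granted |= ace.mask
            if granted & desired == desired:
                return True
    return False

# Constructed sample: engineers may read, write and delete in the project
# share; a contractor account that is also in the Engineering group is
# explicitly denied DELETE; anyone else has no entry and falls through to deny.
ENGINEERING = "S-1-5-21-1000-2000-3000-1105"
CONTRACTOR = "S-1-5-21-1000-2000-3000-1201"
PROJECT_DIR = SecurityDescriptor(
    owner_sid="S-1-5-21-1000-2000-3000-500",
    group_sid=ENGINEERING,
    acl=[
        ACE("deny", CONTRACTOR, DELETE),                      # denies first
        ACE("allow", ENGINEERING, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
    ],
)

def can_delete(user_sid: str, groups: List[str]) -> bool:
    return access_check(AccessToken(user_sid, groups), PROJECT_DIR, DELETE)
```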

Re: Access control

Post by lavep »

And one more thing as a follow-up:
Policy management software, or policy managers, bring a layer of intelligence to the storage infrastructure, providing guidelines that dictate what data to store, where to store it, when to move it, and when to dispose of it. Policy managers must support a wide range of data types including structured data such as databases and email, unstructured data such as documents and rich media, and semi-structured data such as spreadsheets. Policy managers must also rely on heterogeneity to support a range of storage tiers and systems, automatically moving data between tiers -- and finally to archival storage over time as policies dictate. Policy managers must also scale to accommodate huge numbers of files across hundreds of terabytes of storage, and maintain copious records of every activity to address compliance needs.
The product snapshots below consist of specifications for a cross-section of policy manager products. The products listed were selected based on input from industry analysts and SearchStorage editors, and the specifications are current as of March 2008.

Product Snapshot #1
-----------------------------------------------------------------------------------------------------------

Product: Abrevity; FileData Manager

Data Types: Supports unstructured (file), semi-structured (email), and structured (database) data.
Data Hold: Yes; can set legal hold capabilities.
Chain of Custody: Full chain of custody and auditing
Retention/Deletion Features: Set and update retention date/time based on an event or policy parameter; Delete or shred after retention expiration.
Discovery Features: Full discovery of metadata and content. Ability to export results for use by other products.
Reporting and Logging Features: Comprehensive reporting engine with ability to create custom reports; verbose logging and auditing.
Agents: None
Scalability: 20-30 TB per FileData Classifier; up to 50 FileData Classifiers managed by a single FileData Manager.
Archiving Platform Integration: Hitachi Content Archive Platform (HCAP), and any archive product supporting CIFS, NFS or HTTP.
Requirements: Dual-Core Processor, 2GB RAM, 2 Internal HD's, and Windows 2003 Server.
Base Cost: $30,000 for first FileData Classifier w/ 5 TB of management. Additional TB's or Classifier node is $3,000.
Detailed Specs: http://www.abrevity.com/software_fdm/


-----------------------------------------------------------------------------------------------------------

Product Snapshot #2
-----------------------------------------------------------------------------------------------------------

Product: ByCast Inc.; StorageGrid software

Product details not available at this time.

Detailed Specs: http://www.bycast.com/products/storagegrid_overview.asp


-----------------------------------------------------------------------------------------------------------

Product Snapshot #3
-----------------------------------------------------------------------------------------------------------

Product: IBM; DR550

Data Types: IBM System Storage DR550 supports all data types, structured or unstructured.
Data Hold: Yes; DR550 has a Deletion HOLD feature which makes the selected content be protected against the normal end of life (policy expiration) process.
Chain of Custody: Not provided
Retention/Deletion Features: The policy-based, archive data retention capabilities are designed to support non-erasable, non-rewritable data storage, meaning it is designed to prevent deliberate or accidental deletion of data until its specified retention criterion is met. DR550 enables management of data that has no explicit retention period, such as employee (as long as employed) and customer (as long as account is open) data, through an event-based records management feature. DR550 allows a designated object or group of objects to be protected against the normal end of life (policy expiration) process by using a deletion hold management feature. The internal management system is hardened to prevent any system administrator deletion whether intentional or inadvertent. DR550 has encryption options for added security, and also offers shredding of sensitive data as an option.
Discovery Features: Discovery is done via the content management application.
Reporting and Logging Features: Examples of messages sent to the activity log include: When client sessions start or end, when migration starts and ends, when backup versions expire, what data is exported to tape, when expiration processing is performed, what export or import processing is performed. An API application can choose to log events (e.g. retention event, delete failures) into the activity log.
Agents: IBM System Storage Archive Manager client required with the content management application when using the SSAM API to send objects to the DR550.
Scalability: DR550 can scale up 168 TB with disk storage and petabytes with attached tape system. A large DR550 configuration with a 300 GB database stores approximately 500 million objects.
Archiving Platform Integration: DR550 integrates with the major archiving applications in the marketplace (see the list at: http://www-03.ibm.com/systems/storage/d ... terop.html). This is direct integration to the DR550 client. System also supports NFS/CFS file interface through DR550 File System Gateway which broadens the application support option significantly.
Requirements: None
Base Cost: DR550 model DR1 starts at $26K US list price.
Detailed Specs: ftp://ftp.software.ibm.com/common/ssi/p ... 44USEN.PDF


-----------------------------------------------------------------------------------------------------------

Product Snapshot #4
-----------------------------------------------------------------------------------------------------------

Product: Solix Technologies Inc.; Enterprise Data Management suite

Product details not available at this time.

Detailed Specs: http://www.solix.com/enterprise_data_archiving.htm


-----------------------------------------------------------------------------------------------------------

Product Snapshot #5
-----------------------------------------------------------------------------------------------------------

Product: StoredIQ; Information Governance

Data Types: Establish policies for any unstructured electronic data, including files, documents, archives, email messages, and data within document management systems.
Data Hold: Yes; make an exact copy of data targeted for preservation to one of many preservation platform servers that StoredIQ supports, keeping all file system metadata intact, and producing an audit trail of any such copy actions. Alternatively, modify permissions to lock a file down in place where it resides if that is the desired behavior.
Chain of Custody: Yes; produce comprehensive audit trails of any actions performed on data. Audit information in StoredIQ can be searched and exported to create reports.
Retention/Deletion Features: Perform litigation holds on unstructured data throughout the enterprise using either system metadata attributes such as custodian/owner, by date, or by file type, or using advanced classification criteria utilizing natural language concepts such as cities, names, companies, etc. Files identified for preservation/retention can be copied or moved with all file system metadata and object level metadata intact and unchanged to a target retention server platform that supports WORM. Full audit history is recorded of any copy/move/delete transactions performed by the product. Set the retention period on target retention server platform if that feature is available when copying or moving data. Integrated HSM capability with retention features ensures that files that are under litigation hold are not inadvertently deleted through the normal course of IT storage maintenance.
Discovery Features: Support for proactive eDiscovery to integrate information management, records management, proactive indexing of all enterprise unstructured data, and pre-discovery reports and analytics to assist with meet-and-confer sessions as mandated under the FRCP. Ability to intelligently understand archive formats such as *.zip, *.pst, and *.nsf at a granular level to identify and extract only responsive objects or attachments within such container structures if desired. Can identify and index unstructured data live across the network in-place without having to copy or archive the data first. Ability to perform indexing on system level metadata such as file name, size, access time, owner, etc. as well as full-text indexing of the entire file contents. Over 300 different file types/formats recognized for discovery. Ability to identify and collect data across a wide variety of different platforms and repositories, such as CIFS, NFS, NetWare, file servers, NAS servers, retention servers, desktops, notebooks, email servers, and document management systems.
Reporting and Logging Features: Detailed reports are provided out of the box, as well as data explorers which allow users to navigate information about identified data from different views, such as by location, by owner, by date, by file type, etc. Detailed file reports are generated for all classification categories defined in the system. Additional reports include all files that have had their extensions re-named, count and size of all duplicate objects detected, storage reports by group/owner/object type, and data topology maps.
Agents: No agent software is required for StoredIQ to identify, index, and collect electronically stored data.
Scalability: There is no hard-coded maximum number of files. Our largest appliance configuration can full index up to 200 million files, assuming 5 million files on average exist per TB of unstructured data.
Archiving Platform Integration: Currently does not integrate directly with any archiving platforms today, but that ability is on the product roadmap.
Requirements: The StoredIQ product is delivered as an appliance, with all necessary hardware, software, and storage included and pre-configured ready to run upon receipt.
Base Cost: Base cost for the StoredIQ product that includes all features described above is $50,000.00 USD and that price includes the hardware, software, and storage.
Detailed Specs: http://www.storediq.com/downloads/Produ ... nal_hr.pdf


-----------------------------------------------------------------------------------------------------------

Product Snapshot #6
-----------------------------------------------------------------------------------------------------------

Product: Sun Microsystems Inc.; Sun Customer Ready Infinite Archive System

Data Types: The product is built on a general purpose file system that provides an intelligent, tiered archive solution that's easy to use, deploy, manage and is cost-effective. It allows customers to place data from various applications into the repository without the need for an API. Policies are established based on customer requirements.
Data Hold: Data retention is managed via File System WORM with an option to also include WORM tape.
Chain of Custody: The product has audit mechanisms to provide chain of custody, but these are not automated.
Retention/Deletion Features: The product supports a Network Appliance, Inc. SnapLock interface allowing the customers to set retention. This product, in conjunction with an ECM vendor such as Enterprise Vault or CommVault, provides retention and deletion support.
Discovery Features: The product supports basic capability to examine the file system and generate reports on the files stored in the file system. For a complete e-discovery solution, the product can be integrated with a third party e-discovery solutions or ECM vendor.
Reporting and Logging Features: The IAS product provides health, usage and daily reports. These are accessed/generated via the GUI. In addition, the Solaris OS provides advanced features like DTrace, an industry leading tool for examining reporting or logging the various operational parameters.
Agents: No agents required.
Scalability: There is no limit to the number of files that can be ingested into the product, with multiple file systems created. However, as the product is configured to provide a global namespace, the practical limit for a single file system is about 300 million files.
Archiving Platform Integration: The product automates archive activities and it transparently manages multiple tiers -- both disk archive and tape tier. Currently there are two versions of the product: integrated tape with a factory-installed SL500, and a tape-ready system which supports numerous tape libraries (both enterprise-class StorageTek libraries and other vendors').
Requirements: The product is an appliance and the customer interface is an IP network (Gigabit Ethernet). There are 4 ingest ports and two management ports. The product is qualified for ingesting data via NFS or CIFS archiving data from applications running on assorted OS such as Solaris, Linux, HPUx, AIX, Windows etc.
Base Cost: List for $116,277
Detailed Specs: http://www.sun.com/servers/cr/contentin ... /specs.xml


-----------------------------------------------------------------------------------------------------------

Product Snapshot #7
-----------------------------------------------------------------------------------------------------------

Product: Symantec Corp.; Enterprise Vault

Data Types: Email (Microsoft, Domino, SMTP); Journal Email; PST; Instant Messaging; Windows Based Files (Over 300 supported file types); SharePoint Portal Server Files; SAP; ECM; Database
Data Hold: Yes; automatic legal hold is applied in-place at the file level.
Chain of Custody: Yes; full auditing and control to track chain of custody.
Retention/Deletion Features: Archived items can be assigned to retention categories which specify the time for retention. Furthermore, policies can be defined around expiration of content, migration to secondary storage and collection into containers. Content categories are mapped to retention categories, so content classification can drive retention periods.
Discovery Features: Enterprise Vault Discovery Accelerator extends the basic search functionality to help lower the cost of data collection and facilitate the search and recovery process of archived items used for electronic discovery.
Reporting and Logging Features: Product reports via the application log on its system status and operations. Some examples of these events are: status of Enterprise Vault services/tasks (stop/start); archive task (when archiving of mailboxes starts); failures (retrieval, expand distribution list, etc.); conflicts (permission, storage device unavailable, etc.). Enterprise Vault provides out-of-the-box reporting and also provides database access to enable third-party reporting (e.g., Crystal Reports). Enterprise Vault has a monitoring module that allows administrators to keep track of events and activities.
Agents: No agents required
Scalability: Customers in production archiving over 5.5 million messages per day.
Archiving Platform Integration: NTFS, SAN, NAS, WORM, CAS, Tape (via NetBackup and TSM)
Requirements: Not provided
Base Cost: The most popular bundle is around mailbox optimization. Mailbox Optimization Advanced Edition (MSRP $51.91 Per User) includes PST Migrator, Offline Vault and Public Folder Archiving
Detailed Specs: http://www.symantec.com/enterprisevault

Re: Access control

Post by Stanislav »

Vims wrote: Is there any inexpensive method of controlling access to folders and subfolders with regard to deletion?
The folders are physically located on a NAS, so Windows auditing won't help.
Maybe someone has experience with this.
Thanks
So, access control or auditing? These are fundamentally different things.
I would try attaching DFS to the NAS.

Re: Access control

Post by Vims »

Stanislav wrote:
Vims wrote: Is there any inexpensive method of controlling access to folders and subfolders with regard to deletion?
The folders are physically located on a NAS, so Windows auditing won't help.
Maybe someone has experience with this.
Thanks
So, access control or auditing? These are fundamentally different things.
I would try attaching DFS to the NAS.
Auditing, of course..
Found it using the OS's own native way:
cifs.audit.enable on
cifs.audit.file_access_events.enable on
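Turning on the NAS's own CIFS file-access auditing, as in the post above, produces the events; a defender still has to pick the deletions out of them. The following is an added example, not code from the thread or from any NAS vendor: a filter over constructed audit records that finds deletions under a share path, subfolders included. The record layout is an assumption made for the example (real audit exports differ), so only parse() would need adapting; the DELETE bit value is the standard Windows one.

```python
# Added example (not from the thread or from any NAS vendor): once the NAS
# writes file-access audit events, this filter picks out deletions under a
# share path, subfolders included. The record layout is constructed for the
# example; real audit exports differ, so only parse() would need adapting.
from dataclasses import dataclass
from typing import Iterable, List
import ntpath  # Windows-style path handling that works on any host

DELETE = 0x00010000  # standard Windows DELETE access right

@dataclass(frozen=True)
class AuditRecord:
    ts: str
    user: str
    access_mask: int
    path: str
    success: bool

def parse(line: str) -> AuditRecord:
    """Constructed layout: timestamp|user|access mask (hex)|path|AUDIT_SUCCESS or AUDIT_FAILURE."""
    ts, user, mask, path, result = line.rstrip("\n").split("|")
    return AuditRecord(ts, user, int(mask, 16), path, result == "AUDIT_SUCCESS")

def _norm(p: str) -> str:
    # CIFS names are case-insensitive and either separator may appear in exports
    return ntpath.normpath(p.replace("/", "\\")).lower()

def under(path: str, root: str) -> bool:
    """True when path is root itself or lies below it (a sibling sharing a prefix does not count)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")

def find_deletions(lines: Iterable[str], root: str, include_failures: bool = False) -> List[AuditRecord]:
    """Return records whose access mask carries DELETE and whose path lies under root.
    Failed attempts are dropped unless include_failures is set (they are worth a look too)."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse(line)
        if (rec.success or include_failures) and rec.access_mask & DELETE and under(rec.path, root):
            hits.append(rec)
    return hits

# Constructed sample export: one record per line.
SAMPLE_LOG = r"""
# 0x20089 is a read-only mask; 0x10080 carries the DELETE bit
2008-04-01 09:12:03|CORP\alice|0x20089|\\nas1\projects\alpha\spec.doc|AUDIT_SUCCESS
2008-04-01 09:14:51|CORP\bob|0x10080|\\nas1\projects\alpha\old\draft.doc|AUDIT_SUCCESS
2008-04-01 09:15:07|CORP\carol|0x10080|\\nas1\PROJECTS\Alpha\notes.txt|AUDIT_FAILURE
2008-04-01 09:20:44|CORP\dave|0x10080|\\nas1\finance\q1.xls|AUDIT_SUCCESS
2008-04-01 09:22:10|CORP\erin|0x10080|//nas1/projects/alpha/sub/deep/readme.md|AUDIT_SUCCESS
"""
```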

Re: Access control

Post by Zy »

A baseball bat.

Re: Access control

Post by папа Карло »

Zy wrote: A baseball bat.
Aluminum or wooden?

Re: Access control

Post by Vims »

папа Карло wrote:
Zy wrote: A baseball bat.
Aluminum or wooden?
That's like "two crocodiles are flying, one north and the other green", and so on :-)