Tips for securing documents

There are ways to prevent unauthorized access and secure confidential documents. Find out how.

Q: In my firm, corporate information such as payroll is sensitive, but it is placed on the network server together with other documents. How can I configure my network security such that only certain people will be able to gain access to these confidential document folders?

A. Below is a step-by-step guide on configuring network security for folders in a Windows 2000 Network Server:

Mary, an HR department manager, has been working on several salary documents that are stored on a file server, and is concerned that any employee may be able to access these documents. The documents are stored in a folder named D:\Salary on the server, which is shared as Salary. The share permissions on the Salary share for Domain Users members are set to Full Control. Mary wants only members of the Payroll group to have full access to these documents, and members of the Manager group to have read-only access to them. Mary also wants to be the only person who can make any changes to the permissions.

  1. Assume you are Mary: log on to the server using your domain user name and password.
  2. Click Start, point to Programs, point to Accessories, and then click Windows Explorer.
  3. Expand My Computer, and then click the drive that contains the folder you want to configure. Right-click the folder you want to secure (in this case D:\Salary), and then click Properties.
  4. Click the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
  5. In the Security dialog box, click Copy. Doing so causes the inherited permissions to be copied directly to this folder.
  6. To add a set of permissions, in the Properties dialog box, on the Security tab, click Add. In the Select Users, Computers, or Groups dialog box, double-click the appropriate user accounts or groups. When you have selected all of the users and groups to which you want to assign permissions, click OK. The groups and users you added, along with the Everyone group, are displayed in the top half of the Security tab.
  7. In the Name list, select each user or group one at a time, and then apply the correct permissions in the Permissions list. The default Allow setting for the Read, List Folder Contents and Read & Execute permissions gives the Manager group read-only permission. For the Payroll group, for the Modify permission, click Allow, so that members of that group can access files in the folder. For Mary's user account, for the Full Control permission, click Allow, which allows Mary to have full permissions on the folder and its contents.
  8. After you set the appropriate permissions, click the Everyone group, and then click Remove.
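
Steps 4 to 8 can also be scripted, which makes the resulting access list easy to review afterwards. The following is an added example, not part of the original answer: it assumes a Windows server with PowerShell available (not Windows 2000 itself), and `EXAMPLE` and `mary` are placeholder domain and account names.

```powershell
# Added example: scripted equivalent of steps 4-8 for D:\Salary.
# Assumptions: PowerShell is available on the server; EXAMPLE is a placeholder
# domain name and "mary" a placeholder account name for Mary.
$path   = 'D:\Salary'
$domain = 'EXAMPLE'

# Apply each entry to the folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-AllowRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $inherit, $prop, $allow
}

# Steps 4-5: stop inheriting from the parent and keep a copy of the
# inherited entries (the "Copy" button in the dialog).
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $path -AclObject $acl
$acl = Get-Acl -Path $path   # re-read: the copied entries are now explicit

# Steps 6-7: Manager reads, Payroll modifies, Mary has Full Control.
$acl.AddAccessRule((New-AllowRule "$domain\Manager" 'ReadAndExecute'))
$acl.AddAccessRule((New-AllowRule "$domain\Payroll" 'Modify'))
$acl.AddAccessRule((New-AllowRule "$domain\mary"    'FullControl'))

# Step 8: remove every entry for Everyone (well-known SID S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$acl.PurgeAccessRules($everyone)
Set-Acl -Path $path -AclObject $acl

# Check: list what is left on the folder after the change.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Any entries copied in step 5 other than Everyone remain on the folder, so compare the final listing against the goal that only Mary can change permissions.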

Making sure your confidential documents are protected on your network server requires a structured approach. Therefore, perform the following steps:

  1. Physically secure your network server in an access-managed computer facility.
  2. Allow only authorized local administrator access to the server, with each user having their own account.
  3. Deploy your network file system properly. For example, install the OS and applications on the system drive and user data on data drives. Ensure that only the server administrator can access the system drive, while users and groups access their respective drives. Use more secure file system options where applicable (e.g. NTFS over FAT/FAT32 on Windows platforms).
  4. Disable all GUEST accounts and replace any default Users/Groups ACLs with authenticated or more restrictive group settings. Develop logical user groupings to manage and provide access definitions to common and private folders.
  5. Implement a strong account management policy that covers considerations such as minimum password length, password change frequency, forced lockout, etc.
  6. Enable the audit log function to provide a mechanism for tracing activities and to act as a deterrent.

To ensure your network server is not easily exploited through known vulnerabilities, have it installed with up-to-date anti-virus, patches and intrusion prevention agents, along with network perimeter protection techniques such as firewalls and server farms separated from the subnets that user workstations connect to.

Our expert: Jeffrey Yeo, Business Manager, Networking Services, ASEAN/South Asia, IBM Global Services. Jeffrey is also a Certified Information Systems Security Professional.