
Varonis Unstructured Data

Remediation Guide

Varonis Certification Lab

Lab Instructions

DatAdvantage 6.0

Table of Contents
LAB OVERVIEW ........................................................................................................................................... 5

SUMMARY OF THE REMEDIATION PROCESS ................................................................................................ 6

LAB 1: RUN PRE-REMEDIATION ASSESSMENT ............................................................................................. 8

PREPARE THE SYSTEM FOR THE ASSESSMENT REPORTS .................................................................................. 9

UNDERSTAND AND CONFIGURE REPORT 14.A.02 – FILE SYSTEM ACTION ITEMS STATISTICS ............................. 11

UNDERSTAND AND CONFIGURE REPORT 14.D.02 – USER-RELATED ACTION ITEMS (PER DOMAIN) ...................... 14

UNDERSTAND AND CONFIGURE REPORT 14.D.03 – GROUP-RELATED ACTION ITEMS (PER DOMAIN).................... 17

LAB 2: REPAIR BROKEN ACCESS CONTROL LISTS (ACLS) ........................................................................... 19

UNDERSTAND AND ASSESS BROKEN ACLS IN THE WORK AREA SECTION ......................................................... 20

UNDERSTAND AND CONFIGURE – REPORT 4.F.01 – FILE SYSTEMS OBJECT LIST REPORT ................................... 22

UNDERSTAND AND REMEDIATE – BROKEN ACLS ............................................................................................ 25

LAB 3: GLOBAL GROUP REMEDIATION ....................................................................................................... 30

UNDERSTAND AND CONFIGURE REPORT 4.B.01 – USER OR GROUP PERMISSIONS FOR DIRECTORY .................... 31

LAB 4: REMEDIATING OVERPERMISSIVE NON-ADMINISTRATIVE USER/GROUP PERMISSIONS .................. 48

UNDERSTAND AND CONFIGURE REPORT 4.B.01 – USER OR GROUP PERMISSIONS FOR DIRECTORY .................... 49

ACTING ON VARONIS RECOMMENDATIONS ................................................................................................... 57

UNDERSTAND AND REMEDIATE OVERPERMISSIVE NON-ADMINISTRATIVE USER/GROUP PERMISSIONS ............... 59

LAB 5: STALE DATA REPORTING................................................................................................................. 61

UNDERSTAND AND CONFIGURE REPORT 7.B.01 – INACTIVE DIRECTORIES BY SIZE .......................................... 62

LAB 6: REMEDIATION OF DEAD SIDS DUE TO DELETED ACCOUNTS ............................................................ 65

UNDERSTAND AND CONFIGURE REPORT 12.E.01 – ACLS WITH UNRESOLVED SIDS ........................................... 66

REMEDIATION OF ACLS WITH UNRESOLVED SIDS: ........................................................................................ 68

LAB 7: REMEDIATING AND RESOLVING DIRECT USER ASSIGNMENT ON AN ACL ........................................ 71

UNDERSTAND AND CONFIGURE REPORT 12.D.01 – INDIVIDUAL USERS ON AN ACE .......................................... 72

LAB 8: REMEDIATING ACCOUNTS CONFIGURED WITH NON-EXPIRING PASSWORDS ................................. 83

UNDERSTAND AND CONFIGURE REPORT 3.D.01 USERS AND GROUPS LIST ....................................................... 84

UNDERSTAND AND REMEDIATE USERS WITH NON-EXPIRING PASSWORDS ....................................................... 86

LAB 9: REMEDIATION OF EMPTY ACTIVE DIRECTORY GROUPS .................................................................. 88

UNDERSTAND AND CONFIGURE REPORT 12.G.01 EMPTY SECURITY GROUPS REPORT ........................................ 89

LAB 10: MEASURING PROGRESS WITH THE REMEDIATION PROJECT ......................................................... 93

COMPARE CHANGES IN REPORT 14.A.02 – FILE SYSTEM ACTION ITEMS STATISTICS ......................................... 94

UNDERSTAND AND CONFIGURE REPORT 14.D.02 – USER RELATED ACTION ITEMS (PER DOMAIN) ...................... 99

UNDERSTAND AND CONFIGURE REPORT 14.D.03 – GROUP-RELATED ACTION ITEMS (PER DOMAIN).................. 101

LAB 11: INSTALLING A REMOTE COMMIT SERVICE .................................................................................. 104

INSTALLING THE REMOTE COMMIT CAPABILITY FOR DATAPRIVILEGE............................................................. 105

LAB 12: CHANGING PERMISSION MASKS ................................................................................................. 111

LAB 13: CREATING MANAGED FOLDERS ................................................................................................... 116

LAB 14: ADDING OWNER RIGHTS TO THE FOLDERS ................................................................................. 122

LAB 16: PROPAGATING PERMISSIONS DOWN THE FOLDER TREE............................................................. 135

LAB 17: HIDING THE IT ADMINISTRATIVE GROUP WITHIN DATAPRIVILEGE .......................................... 139

LAB 18: CHECKING FOR PERMISSION CHANGES PERFORMED OUTSIDE OF DATAPRIVILEGE ................... 143

SUMMARY OF THE REMEDIATION PROCESS ............................................................................................. 145

DOCUMENT REVISION

Name              Date          Revision #   Revision Description
Elena Khasanova   July 6, 2015  1.4          Incorporated comments from Jay Viszoki for the DataPrivilege portion of the guide.

LAB OVERVIEW
The following labs were developed to assist anyone requiring an understanding of the procedure to remediate issues
with unstructured data. Each Lab provides the exact configuration of DatAdvantage and DataPrivilege required to
complete the remediation process.

ACCESSING THE VIRTUAL TRAINING ENVIRONMENT


The Labs were built using Virtual Machines (VMs), and each component of the installation is performed from unique
VMs. The Virtual Training Environment is accessible via the following URL:
http://training.varonis.com
The UserID for the Labs is: trngpsrm
The password must be obtained by sending an email message to partner-certification@varonis.com. Upon logging into
the above site, you will need to click on the link included below. Upon clicking on the link, a
Windows Terminal Server session will open to the specified server:

Lab Overview:
The Remediation LAB will provide the Engineer with an understanding of configuring basic Remediation functions. The
Remediation LAB will allow the Engineer to perform an Assessment, remediate the issues uncovered during the
Assessment, and utilize metrics available in DatAdvantage to demonstrate progress with Remediation to a customer.
The skills learned in this lab coupled with the template remediation plan and other tools within the remediation toolkit
will allow the engineer to plan for, communicate and perform client remediation projects.

TECHNICAL PREREQUISITES – Internet Explorer. The labs require Internet Explorer with the ability to download and
run an embedded Windows Remote Desktop client using an ActiveX control. If security software is blocking the RDP
client’s ability to connect to a local loopback address, the labs will not function properly and the security software
must be disabled.

EDUCATIONAL PREREQUISITES – The person completing this LAB must have successfully completed the following
Varonis Technical Certifications:
• Operational Use of DatAdvantage
• Basic Installation of DatAdvantage
• DataPrivilege Operations and Administration
TRAINING ENVIRONMENT SUPPORT:

If problems occur while using the Virtual Training Environment, please contact vlab-help@varonis.com.

SUMMARY OF THE REMEDIATION PROCESS
There are two sections to the Remediation Certification. In the first section, you will complete
ten labs using DatAdvantage to remediate a number of issues identified during an initial
assessment. In the final lab of section one (Lab 10), you will also demonstrate that you have
remediated the issues you encountered. In the second section, you will use DataPrivilege to
perform a number of steps which ensure that permissions will be properly managed after the
remediation project has been completed. The following is a summary of each lab:

Section 1:
LAB 1: During this lab you will run the Pre-Remediation Assessment Reports which will be used
to determine the current state of risk in the customer’s environment.
LAB 2: This Lab will demonstrate how to identify and repair Broken Access Control Lists using
both the DatAdvantage GUI and Reports. Broken ACLs must be repaired prior to any other
activities in the remediation process.
LAB 3: The area of highest risk in most companies is when Global Groups are used to provide
access to folders. In this lab you will learn how to identify where Global Groups exist, and
model the removal of these groups to ensure a least privilege model.
LAB 4: The second area of highest risk in most organizations occurs when users have access to
data that they don’t need access to. In this lab you will learn about DatAdvantage
Recommendations and how to use them to reduce over-permissive access.
LAB 5: In this lab you will determine how to identify which data has not been used and can be
safely archived or deleted.
LAB 6: Many customers delete user accounts without regard for the impact on an ACL. In this
lab you will learn how to identify and remove unnecessary Security Identifiers (SIDs) from an
ACL.
LAB 7: The best practice for granting access to data is by adding a user to an Active Directory
group. Many customers ignore this and add a user directly to an ACL. In this lab you will
identify where these issues exist and remediate them.
LAB 8: In this lab you will identify which accounts have non-expiring passwords and correct this
issue to ensure that a proper password change policy exists.
LAB 9: In this lab you will identify the AD groups which do not contain any users and eliminate
them.
LAB 10: In this final lab of Section One, you will reproduce the reports generated in Lab 1 (the
initial assessment), and review the progress made in the remediation process.

Section 2:
LAB 11: During this lab you will learn how to establish which server will commit the change
(Committing) applied within DataPrivilege.
LAB 12: It’s important to define Permission Masks prior to the start of remediation. In this lab
you will learn how to create the most common permission masks.
LAB 13: This lab will walk you through creating Managed folders while using the DataPrivilege
GUI.
LAB 14: Without proactively limiting NTFS Owner rights, remediation activities that are
completed can be reversed. You will learn how to set these rights as one of the initial steps in
remediation.
LAB 15: The Bulk Upload Utility is a tool that allows for remediation on a large scale. You will
learn the most common workflow for this tool.
LAB 16: In order to allow Data Owners to be in full control of access to their data you need to
make sure that all files and folders within Base or Managed folders are fully inheriting
permissions. You will learn how to do so in this lab.
LAB 17: There will always be an IT Administrative group with Full NTFS permissions on each
folder. Because Data Owners will not manage members of that group, you will learn how to
hide it from the Owners view.
LAB 18: Lastly during any long remediation process, there may be IT staff bypassing
DataPrivilege and making changes without a Data Owner’s approval. To stay on top of this
potential issue, you will learn how to use the Synchronization report.

LAB 1: RUN PRE-REMEDIATION ASSESSMENT
LEARNING OBJECTIVES: In the first Lab you will learn how to configure and run the pre-
remediation assessment reports. This step establishes an initial baseline of the customer’s
environment in order to track and display progress both during and upon completion of the
Remediation process. This Assessment can be repeated on a monthly basis to measure the
progress, should the need exist. This same step will be repeated upon completion of the
Remediation project in order to calculate the actual reduction in risk experienced by the
customer.

OVERVIEW: During this lab you will run a number of reports which provide statistics on the
current state of the customer’s permissions, file system, sensitive data and exposure. The goal
of this lab is to create and run the following reports and be able to explain to the customer what
each statistic means in order to help the customer to prioritize the remediation project. One of
the benefits of these reports is to allow prioritization of certain file servers or processes and
allow for better planning of how the remediation will be structured in production. This also helps
in establishing the timeline and dependencies in case of parallel work between different teams
which may be necessary to complete the project on an expedited basis.

• 14.a.2 File System Action Items Statistics Report – This is an actionable report which
highlights specific areas of concern. Metrics presented in the 14.a.2 report represent
action items and should be addressed as the remediation project progresses.
• 14.d.1 General Directory Service Statistics Report – This report displays general
directory service statistics (i.e. AD statistics) on the specified date.
• 14.d.2 Executive Directory Service Statistics Report – This report displays directory
service statistics for the user-related action items on each domain on the specified date.

OUTCOME: At the end of this lab you will have configured, and saved reports that are necessary
to compare the initial and final state of the remediation project. You will learn what each metric
means and be able to explain the metrics to the customer.

PREPARE THE SYSTEM FOR THE ASSESSMENT REPORTS

1. Open the Management Console.

2. The Console will load with all of the maintenance jobs. Under Categories check the
“Advanced Maintenance” option, then click apply.

3. Right-click on the “Calculate Metrics for Trend Reports” job, and from the pop-up menu
select “Run Job.” Wait for the job to complete. When completed, the status will revert to
“Idle.”

4. Close the Management Console.

UNDERSTAND AND CONFIGURE REPORT 14.A.02 – FILE SYSTEM ACTION
ITEMS STATISTICS

This report defines the issues that will be addressed during the remediation project. Each column
highlights an action item whose value will change as the remediation project progresses. Please
follow the steps to configure Report 14.a.2, which will be used to determine the environment’s
current baseline.

1. Open up DatAdvantage (if not already open).

2. Click the Reports button at the top of the DatAdvantage window.

3. Select the 14.a.02 File System Action Items Statistics report in the report list pane on the
left side of the window.

4. Select the File Server checkbox and then click the Remove Selected button. Make sure
that the date is set to today’s date – the current day. This ensures that we are looking at
the results produced after the Calculate Metrics job run in the previous section completed.

5. On the Columns tab scroll down the “Available columns” list and select “No. of Folders
with Unresolved SIDs” and click the right arrow to add it to the report.

6. Select “No. of Folders with Global Access (Inc. Inherited)” and click the right arrow to add
it to the report.

7. Click Run.

8. The Table view will be populated with the results. Click Export and select the CSV file
format and save the report as 14A2BEFORE in the “My Documents” folder. The following
metrics are relevant to the remediation project and can be found in the report that was
just generated (NOTE: Clicking the “?” icon in the tool will bring up the Help View which
describes the meaning of each statistic):
• Number of Folders with Global Access: This metric counts the folders open to global
access groups. These folders are often considered the number one priority when it
comes to remediation because they can expose data to everyone that has access to
the customer’s network.
• Number of Folders with User ACEs: This metric counts direct user assignments on a
folder’s Access Control List (ACL), as opposed to assignment via an Active Directory
group. If the user account is deleted, an Orphan (Unresolved) SID will remain on the
ACL. Direct user assignments are difficult to administer and, as a result, they are
measured and remediated during the project.
• Number of Folders with Unresolved SIDs: As noted above, when a user account which
has been directly assigned to a folder’s ACL is deleted, the Security Identifier will
remain on the ACL. This Orphan SID must be manually deleted.
There are a number of other columns and metrics in this report; not all of them are used
in this guide, but each one of them serves a purpose.

UNDERSTAND AND CONFIGURE REPORT 14.D.02 – USER-RELATED ACTION
ITEMS (PER DOMAIN)
For the selected domain, this report displays directory service statistics for user-related action
items on the specified date.

1. Navigate to the “14.d.02 User Related Action Items (per domain)” report in the report list
pane on the left side of the window.

2. From the filters tab, select Domain and then click Remove Selected. Again, the Date field
should stay on today’s date to make sure we are looking at the results produced after the
Calculate Metrics job run at the start of this lab completed.

3. Click Run.

4. The Table view will be populated with the results. Click Export and select the CSV
file format and save the report as 14D02BEFORE in the My Documents folder. The
following metrics will be used in this guide and can be found in the report that was
just generated (NOTE: Clicking the “?” icon in the tool will bring up the Help View
which describes the meaning of each statistic):
• Number of Accounts with Passwords that Never Expire. This metric tracks the
number of users configured with passwords that never expire, ultimately increasing
the risk of a user account being hijacked.

UNDERSTAND AND CONFIGURE REPORT 14.D.03 – GROUP-RELATED
ACTION ITEMS (PER DOMAIN)
For the selected domain, this report displays directory service statistics for group-related action
items on the specified date.

1. Navigate to the “14.d.03 Group Related Action Items (per domain)” report in the report
list pane on the left side of the window.

2. From the filters tab, select Domain and then click Remove Selected.

3. Click Run.

4. The Table view will be populated with the results. Click Export and select the CSV file
format and save the report with the filename 14D03BEFORE in the My Documents folder.
Click the “?” icon to see the Help View and review the meaning of each statistic. The
following metrics are relevant to the remediation project:
• Number of Empty Groups. This is the number of groups that do not contain any
members. This number should be low, and ideally zero. Empty security groups
that are configured on an ACL can be used to circumvent expected permissions if
someone is inadvertently placed in the group.

LAB 2: REPAIR BROKEN ACCESS CONTROL LISTS (ACLS)
LEARNING OBJECTIVES: In this lab you will learn how to find, report on, and fix broken
Access Control Lists. You will also learn the difference between properly working inheritance and
cases where inheritance should exist but is broken. A Broken ACL exists where a folder should be
inheriting permissions from the parent folder but does not, even though the security settings
within the folder indicate permissions are inherited. In these cases, one or more groups or users
are missing despite the indication of full inheritance. Broken ACLs can occur for several reasons.
Some automated copy programs have been known to produce unexpected results. Home-grown
scripts can also produce these issues. Another inconsistency can be caused when someone
simply moves a file or folder from one folder on a volume to another folder on the same volume
with different permissions.

Broken ACLs must be corrected because the effective permissions on the folder are not what
they were intended to be. Users and groups who appear to have access to a folder may not be
able to access the folder because of these broken ACLs. Another reason to fix Broken ACLs is to
enable the use of the DatAdvantage and DataPrivilege Commit services which are unable to
commit changes to folders which have a broken ACL. All Broken ACLs must be fixed prior to
performing other steps of the remediation.
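The following Python script is an added example, not code from Varonis or from this guide. It models the condition described above in a simplified way: each folder carries its ACEs and a flag saying whether it claims to inherit from its parent; a child that claims to inherit but is missing an ACE the parent would propagate is "broken", while a child with inheritance switched off is simply explicit (removed inheritance, not broken inheritance). The server, folder and group names mirror the lab's HumanResources scenario, but the tree, the extra Archive folder and the SID value are constructed sample data, and the repair routine mirrors the "add parent permissions, then re-enable inheritance" steps rather than calling any Windows API.

```python
"""Detect and repair "broken" (inconsistent) ACL inheritance in a folder tree.

Added example, not Varonis code. Simplified model of the NTFS situation the
lab describes. All paths, groups and the SID are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    trustee: str              # group, user, or an unresolved SID string
    rights: str               # simplified rights label, e.g. "Modify"
    inheritable: bool = True  # propagates to subfolders (like the CI/OI flags)


@dataclass
class Folder:
    path: str
    aces: list                # ACEs currently on the folder (explicit plus inherited)
    inherits: bool = True     # "Include inheritable permissions from this object's parent"
    children: list = field(default_factory=list)


def expected_inherited(parent: Folder) -> set:
    """ACEs that every inheriting child of `parent` should carry."""
    return {a for a in parent.aces if a.inheritable}


def _walk(root: Folder):
    """Yield (parent, child) pairs for the whole tree, depth first."""
    stack = [root]
    while stack:
        parent = stack.pop()
        for child in parent.children:
            yield parent, child
            stack.append(child)


def find_broken_acls(root: Folder) -> list:
    """Return (child path, missing ACEs) for each folder that claims to inherit
    but lacks ACEs its parent would propagate. A folder with inheritance
    disabled has explicit permissions and is not reported."""
    broken = []
    for parent, child in _walk(root):
        if child.inherits:
            missing = expected_inherited(parent) - set(child.aces)
            if missing:
                broken.append((child.path, missing))
    return sorted(broken, key=lambda item: item[0])


def repair_inheritance(root: Folder) -> int:
    """Mirror the lab's fix: copy every inheritable parent ACE onto inheriting
    children that lack it (the "Add parent permissions" step, after which
    inheritance is re-enabled). Returns the number of folders repaired."""
    fixed = 0
    for parent, child in _walk(root):
        if child.inherits:
            missing = expected_inherited(parent) - set(child.aces)
            if missing:
                child.aces.extend(sorted(missing, key=lambda a: a.trustee))
                fixed += 1
    return fixed


HR_PRIVATE = Ace("CORP\\HR-Private", "Modify")
# Placeholder SID for a deleted account that still sits on the parent ACL.
ORPHAN_SID = Ace("S-1-5-21-0-0-0-1234", "Modify")


def build_sample_tree() -> Folder:
    """Constructed tree matching the lab's scenario: the parent holds
    HR-Private and an orphaned SID, the subfolders inherit only HR-Private."""
    hr = Folder(r"\\corpfs02a\HumanResources", [HR_PRIVATE, ORPHAN_SID])
    hr.children = [
        Folder(r"\\corpfs02a\HumanResources\budget letters Q3", [HR_PRIVATE]),
        Folder(r"\\corpfs02a\HumanResources\2004 Evaluation Reports", [HR_PRIVATE]),
        # Constructed extra folder with inheritance deliberately removed: not broken.
        Folder(r"\\corpfs02a\HumanResources\Archive",
               [Ace("CORP\\HR-Archive", "Read")], inherits=False),
    ]
    return hr


if __name__ == "__main__":
    tree = build_sample_tree()
    for path, missing in find_broken_acls(tree):
        print(f"BROKEN: {path} missing {[a.trustee for a in missing]}")
    print(f"repaired {repair_inheritance(tree)} folders; "
          f"remaining broken: {find_broken_acls(tree)}")
```

Note that, exactly as in the lab, the repair copies the orphaned SID down to the subfolders along with HR-Private; inheritance is consistent again, and the unresolved SID is then dealt with separately (Lab 6). Running the script prints the two broken subfolders, then a repair count of 2 and an empty remaining list.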

OVERVIEW: The goal of this lab is to:


• Learn how to identify broken ACLs visually in the DatAdvantage Work Area.
• Learn how to create the Broken ACL Report – report 4.f.1 with the filter Inconsistent
Permissions.
• Learn how to correct Broken ACLs by using this report.

OUTCOME: At the end of this lab you will be able to turn on the visual indicator for Broken
ACLs, distinguish removed inheritance from broken inheritance, find broken ACLs visually
within the Work Area, and create a report listing all of the Broken ACLs for a specific scope.
Finally, you will be able to correct Broken ACLs as one of the steps in the Remediation
process.

UNDERSTAND AND ASSESS BROKEN ACLS IN THE WORK AREA SECTION

1. Within DatAdvantage, make sure that the indicator for Mark Inconsistent ACLs is enabled
by going to the Tools menu item and then selecting Options. If it was not already
selected, you must close and re-open DatAdvantage after enabling it.

2. Click on Work Area at the top of the DatAdvantage window.

3. Expand the Corpfs02a server and you will see that the HumanResources folder is marked
with a blue lowercase “i” icon. Expand the Explanation column to see that the
HumanResources folder is marked with a note that states, “Child directory ACL is
inconsistent.”

4. Expand the HumanResources folder. In the explanations column you will see the blue
lowercase “i” icons, indicating Broken ACLs on all of the subfolders. As you can see,
DatAdvantage will indicate where Broken ACLs exist within the Work Area.

UNDERSTAND AND CONFIGURE – REPORT 4.F.01 – FILE SYSTEMS OBJECT
LIST REPORT
For the selected domain, this report lists the folders and special files on monitored file servers.

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the “4.f.01 File Systems Object List” report in the report list pane on the left side of
the window.

3. From the filters tab, click the ellipsis button (grey box with three dots) next to File Servers
equals, select “corpfs02a” and then click OK.

4. Click New filter.

5. Click on the words “Access Path” of the newly added filter, mouse over the Access Path
Filter Category on the pop-up menu and then select “Inconsistent permissions”. Ensure
that the default setting for this option is “True.”

6. Click Run.

7. The Table view will be populated with the results. Click Export and select the CSV file
format and save the report as 4F01Broken_ACLs in the My Documents folder. Click the
“?” icon to see the Help View and review the meaning of each statistic. The report will list
the directories with Broken ACLs which will be used to estimate the scope of the folders
which will require remediation.

UNDERSTAND AND REMEDIATE – BROKEN ACLS
In this section of the lab you will learn how to correct Broken ACLs based on the previous section
of the lab.

1. Click on Work Area at the top of the DatAdvantage window.

2. Expand the corpfs02a server and then expand the HumanResources folder to show the
subfolders marked with the blue inconsistent-ACL icon and “Broken ACLs” in the
Explanations column.

3. Expand the Existing Users and Groups pane by clicking on the left border of the Directory
pane. Double-click on the HumanResources folder in the Directory pane and you will see
in the left pane that both the HR-Private group and a deleted (Orphaned) SID are on the
ACL. In contrast, if you double-click on any of the subfolders below HumanResources
(budget letters Q3 in this example), you will notice that the subfolders underneath the
HumanResources folder are inheriting only the HR-Private group; they are not inheriting
the deleted SID.

This is why all of these subfolders are tagged with the Broken ACL flag. They were meant to be
inheriting permissions by design, however something happened in the process and the
inheritance “broke.” We will fix this in the next steps.

4. Within the Directory pane, double-click on the HumanResources folder to view the users
and groups who have access to the Human Resources folder. You will notice that no
administrative group has access to this folder. Unless the account we are logged in as
(administrator) is granted full access to this folder, you will not be able to replace child
folder permissions with the permissions of the parent, which is how all of the broken ACLs
are fixed. This is required to complete the cleanup of broken ACLs.

5. Right click on the HumanResources folder and select properties, and then click on the
security tab.

6. While in the Security tab, click Edit, add the Domain Admins group to the ACL and give it
Full permissions. When finished click OK.

NOTE: At this point, you will receive 2 errors related to the demo environment. Click
Continue for both when prompted to proceed. These errors are caused by a limitation of this
lab and will not occur in a real-world customer environment.

7. Within the “HumanResources” folder, right click on the “2004 Evaluation Reports” folder
containing the broken ACL and select Properties, and then select the security tab and then
click on the “Advanced” button. Doing this will allow us to correct the inheritance of the
“2004 Evaluation Reports” folder by forcing the folder to include all of the permissions that
are defined on the parent “HumanResources” folder.

8. Click the Change Permissions button.

9. Uncheck the “Include inheritable permissions from this object’s parent”. When the popup
box appears, click Add to add parent permissions directly to folder, and then click Apply
on the Advanced Security window.

10. Check the “Include inheritable permissions from this object’s parent” box AGAIN to
re-enable inherited permissions and then click OK.

11. Click OK on all remaining windows.

12. In order to see the results in the GUI, several scheduled jobs, including a FULL (not
incremental) Filewalk, will need to be run in the customer environment. This step cannot
be reproduced in the lab, but please be aware of it.

In this lab you learned the definition of Broken ACLs, how to identify them and how to report on
and fix a Broken ACL.

LAB 3: GLOBAL GROUP REMEDIATION
LEARNING OBJECTIVES: In this lab you will learn how to find, report on, and correct the
assignment of Global Groups to a folder. Global Groups are groups which provide excessive
access to a broad population of people. Global Groups should only be used when absolutely
necessary because they introduce unnecessary risk if they are used inappropriately.

Global access groups which represent the most risk to customer data are the Everyone group,
the Authenticated Users group and the Domain Users group. The full list of groups that are
considered Global Groups by DatAdvantage can be found within Management Console
Configuration, within the Global Groups panel.

In the majority of Remediation projects, removing global group access from the customer’s
folders will be the top priority. In this lab you will learn how to discuss the risk of Global Group
access, determine the percentage of users that have access to data via Global Groups, and
properly remediate these issues using DatAdvantage analytics.

OVERVIEW: The goal of this lab is to run reports and correct Global Group permissions based
on the following report:

• Utilize Report 4.b.01 – User or group permissions for directory – Used to display the
permissions a specified user or group has on the selected file server, including all
inherited permissions. By filtering on the Everyone, Authenticated Users and Domain
Users groups, administrators can easily identify over-permissive access rights.
• DatAdvantage provides the ability to model the impact of removing a Global Group from a
folder. In this lab you will learn to demonstrate to the customer, using the modelling
feature, that removing Global Groups can be performed without impacting end users’
access to data. This will reduce or eliminate Customer Support calls from users whose
access has been removed but who still require it.
• In this lab you will remove a Global Access group based on the results of the modeling
that you will perform.

OUTCOME: At the end of this lab you will have modelled and removed Global Access Groups
without impacting legitimate client access requirements.

UNDERSTAND AND CONFIGURE REPORT 4.B.01 – USER OR GROUP
PERMISSIONS FOR DIRECTORY

For the selected domain, this report displays the permissions a specified user or group has on
the selected resource, including all the permissions it inherited.

1. Within DatAdvantage, click the Reports button.

2. Select the “4.b.01 User or Group Permissions for Directory” report in the report list pane
on the left side of the window.

3. Click on “New Filter”, and then click on the newly added “Account type” filter. Mouse over
“Access Path” and then select “Do not show inherited permissions.” This filter is being
added so that only folders that have explicit permissions will be included in the report.
Ensure that the default value of ‘True’ is selected for this filter.

4. Click on the ellipsis button next to File Servers Equals, select “corpfs02a” and then click
OK. In real customer environments we may add more than one file server to this report.
However, more and more companies consolidate data on one very large NAS server, in
which case you may have to limit the search scope to a specific folder or set of folders.

5. Click the ellipsis button next to User/Group equals and type ‘everyone’ into the search
field, and click the search button. When the search returns the Everyone group, click on
the group to highlight it and then click the Add button to add the group.

6. Next search for and add “authenticated users” and then click the add button.

7. Next search for “Domain Users” and then click the add button. All 3 selected user groups
should now be populated in the list below. Click OK.

8. Click Run.

9. The Table view will be populated with the results. Click Export and select the CSV file
format and save the report as 4B01Global_Groups in the My Documents folder. Click the
“?” icon to see the Help View and review the meaning of each statistic. The number of
items in this report will help to determine the scope of the remediation project to remove
global groups. The following fields are relevant to the remediation project:
• The SharePath column will serve as the input for our remediation work.
• The Current Permissions column shows what permissions each Global Group has on
the specified folder. Remediation should occur in the following order: folders with
Full permissions first, Modify second, Write third, Read fourth, List fifth. Any folder
which allows a Global Group full access should be remediated immediately.

In this lab you learned what groups are typically considered Global Groups and how to
create a report listing the directories where Global Groups have access. This report is
useful when determining the scope of the Remediation project as well as prioritizing the
folders that require remediation, based on the permissions granted to the global groups.
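The following Python script is an added example, not code from Varonis or from this guide. Over a constructed inventory of folder ACEs it reproduces three things that this section and the surrounding labs do through the DatAdvantage GUI: the folder counts behind report 14.a.2 (Lab 1), a 4.b.01-style worklist of global-group permissions sorted in the remediation order given in step 9 above, and the impact check of the Remediation of Global Groups section that follows (which users with access events on a folder would hold no remaining permission once a global group is removed). It generalizes the lab's single-folder case to any inventory. The share paths, group names, user names, the SID and the access events are all constructed sample data, and the permission labels and global group list are simplifications of what DatAdvantage reports.

```python
"""Action-item counts, global-group worklist and removal modelling over a
constructed ACL inventory. Added example, not Varonis code.

Inventory, memberships, user names and access events are constructed.
"""
from typing import NamedTuple

# Global access groups named in the lab (the full list lives in the Management Console).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "CORP\\Domain Users"}

# Remediation order from report 4.b.01: Full first, then Modify, Write, Read, List.
PERMISSION_PRIORITY = {"Full": 0, "Modify": 1, "Write": 2, "Read": 3, "List": 4}


class Ace(NamedTuple):
    trustee: str      # group name, user name, or an unresolved SID
    kind: str         # "group", "user" or "sid" (deleted account left on the ACL)
    permission: str   # key of PERMISSION_PRIORITY


# Constructed inventory: share path -> effective ACEs (explicit plus inherited).
INVENTORY = {
    r"\\corpfs02a\dsr": [Ace("Everyone", "group", "Full"),
                         Ace("CORP\\DSR-Owners", "group", "Modify")],
    r"\\corpfs02a\Public": [Ace("CORP\\Domain Users", "group", "Read")],
    r"\\corpfs02a\HumanResources": [Ace("CORP\\HR-Private", "group", "Modify"),
                                    Ace("S-1-5-21-0-0-0-1234", "sid", "Modify")],
    r"\\corpfs02a\Finance\Budget": [Ace("CORP\\Finance", "group", "Modify"),
                                    Ace("CORP\\jengle", "user", "Read")],
    r"\\corpfs02a\Engineering": [Ace("Authenticated Users", "group", "Write"),
                                 Ace("CORP\\Eng", "group", "Modify")],
}

# Constructed group membership (global groups implicitly contain every user).
MEMBERSHIP = {
    "CORP\\DSR-Owners": {"CORP\\pspruell"},
    "CORP\\HR-Private": {"CORP\\hrlead"},
    "CORP\\Finance": {"CORP\\jengle"},
    "CORP\\Eng": {"CORP\\dev1"},
}

# Constructed access events: (user, share path), as the Errors pane would show them.
EVENTS = [
    ("CORP\\jengle", r"\\corpfs02a\dsr"),
    ("CORP\\pspruell", r"\\corpfs02a\dsr"),
    ("CORP\\pspruell", r"\\corpfs02a\dsr"),
    ("CORP\\dev1", r"\\corpfs02a\Engineering"),
]


def action_item_stats(inventory) -> dict:
    """Folder counts in the spirit of report 14.a.2."""
    stats = {"folders_with_global_access": 0,
             "folders_with_user_aces": 0,
             "folders_with_unresolved_sids": 0}
    for aces in inventory.values():
        if any(a.trustee in GLOBAL_GROUPS for a in aces):
            stats["folders_with_global_access"] += 1
        if any(a.kind == "user" for a in aces):
            stats["folders_with_user_aces"] += 1
        if any(a.kind == "sid" for a in aces):
            stats["folders_with_unresolved_sids"] += 1
    return stats


def global_group_worklist(inventory) -> list:
    """Rows like report 4.b.01 filtered to global groups, ordered by the lab's
    priority (Full folders first), then by path for a stable listing."""
    rows = [(path, a.trustee, a.permission)
            for path, aces in inventory.items()
            for a in aces if a.trustee in GLOBAL_GROUPS]
    return sorted(rows, key=lambda r: (PERMISSION_PRIORITY[r[2]], r[0]))


def _grants(user: str, ace: Ace, membership) -> bool:
    """Does this ACE give `user` access, directly or through a group?"""
    if ace.kind == "user":
        return ace.trustee == user
    if ace.trustee in GLOBAL_GROUPS:
        return True
    return user in membership.get(ace.trustee, set())


def users_affected_by_removal(path, group, inventory, membership, events) -> set:
    """Users with access events on `path` who would hold no remaining ACE once
    `group` is removed: the question the Errors pane answers after modelling."""
    remaining = [a for a in inventory[path] if a.trustee != group]
    active = {user for user, p in events if p == path}
    return {u for u in active
            if not any(_grants(u, a, membership) for a in remaining)}


if __name__ == "__main__":
    print(action_item_stats(INVENTORY))
    for row in global_group_worklist(INVENTORY):
        print(row)
    print(users_affected_by_removal(r"\\corpfs02a\dsr", "Everyone",
                                    INVENTORY, MEMBERSHIP, EVENTS))
```

In the constructed data the dsr folder is first on the worklist because Everyone holds Full, and modelling the removal of Everyone flags only the user who accessed dsr without being in the remaining DSR-Owners group; that user is the one who would need a new group (the "Create New Group with Permissions" step) before the change is committed.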

REMEDIATION OF GLOBAL GROUPS:

1. Click on Work Area at the top of the DatAdvantage window.

2. Expand Corpfs02 and navigate to the “dsr” folder. Double click on the folder to see the
Users and Groups that have access to this folder. Included will be the Everyone group
with Full permissions.

3. To begin remediation on this folder, we need to model the removal of the Everyone group.
Right-click on the “dsr” folder and click “Edit Permissions.” In this case we will model the
removal of the Everyone Group from the “dsr” folder. Modeling the removal allows us to
see who would be affected by removing the Everyone group and thus, prevent any
unwanted loss of access.

4. Click on the Everyone group and then click Remove. The group and the permissions
should turn red. Click OK.

5. You will notice that the “dsr” folder now has a pencil icon next to it indicating that the
folder permissions have been modified. Note that this does not affect the actual
permissions on the folder and no users will be impacted by this, as the change has not
been committed yet.

6. Towards the bottom a “System not Synchronized” message will appear. Click on it to
synchronize the backend database so that you can analyze who will be impacted by
removing the Everyone group.

7. Click on the Synchronize button to confirm.

8. Within the Existing Users and Groups pane, click on the Errors option.

9. Drag the User/Group header to the top left of the File Server header to group the
events by User/Group, and then click the Reload button. This refreshes the content with
the events grouped by the impacted user. We can see that both Joe Engle and Philip
Spruell had one access event within the dsr folder, where we are about to remove the
Everyone group. If we remove the Everyone group without granting them access another
way, these two users will lose access the next time they attempt to open the folder.

10.Right Click on the DSR folder and select the option to Create New Group with Permissions.
A Group Creation Wizard will appear.

11.Under Group Path select the Corp domain. In real customer environments there is usually
one main domain where all the remediation takes place, but some environments have more
than one domain. Confirm with the customer which domain new groups should be created in
before starting remediation.

12.Under Group Name type, “DSR Modify” and Click Next.

13.You will now be able to add members to this new DSR Modify group. Click the Add button
and browse for the users that appeared on the Errors window pane. Click Next once both
users are added.

14.You will now select the permissions for the newly created DSR Modify group. Select Modify
(which will also select Write) then click next.

15.A summary page will now appear. Review the changes and if satisfied click Execute.

16.Once executed you will be given the option to commit the changes to the file system. Click
the “Commit these changes” checkbox and then click Finish.

17.You will be prompted for credentials. Enter “password” for the password and click on
Login.

18.Verify the changes and then click the Commit button at the bottom (You will then be
prompted to confirm, click Yes). Once the commit completes, click close.

19.Go back to the Work Area and double click on the “dsr” folder. Note that the DSR Modify
group is now on the ACL with Modify access.

20.The Everyone group is still on the ACL as well. The removal modeled in step 4 was never
committed to the live environment; only the group creation was. Right click the “dsr”
folder and click Commit.

WARNING: In real customer environments, if there are any impacted users, wait 72 hours
after adding them to the new group before removing the Global Group. This avoids
breaking service accounts and avoids forcing users to log off and back on to their
workstations: group membership is evaluated at logon, so a user's existing access token
does not contain the new group until a new token is issued. Before removal, refresh the
list of impacted users and make sure no one is listed. If there are no impacted users,
the Global Group can be removed immediately.

21.You will be prompted for credentials. Enter “password” for the password and click on
Login.

22.Verify the changes and then click the Commit button at the bottom (You will then be
prompted to confirm, click Yes). Once the commit completes, click close.

In this lab you learned how to use DatAdvantage to remove Global Groups without impacting
users or applications, because the changes were modeled and their impact analyzed before
they were committed to the file system.

LAB 4: REMEDIATING OVERPERMISSIVE NON-ADMINISTRATIVE
USER/GROUP PERMISSIONS
LEARNING OBJECTIVES: In this lab you will learn how to determine where over-permissive
access permissions exist. You will also learn how to explain to the customer the criteria used to
develop DatAdvantage Recommendations and why it’s important to remove excessive access.
You will also learn how to use reports to commit the recommended changes.

OVERVIEW: DatAdvantage provides a unique analytical engine which analyzes user access
activity and permissions to determine whether users actually require access to specific folders
via their respective group membership. These are referred to as Recommendations. The
following provides additional detail about the capabilities of the Remediation features.

 DatAdvantage Recommendations are only provided on group membership in Active
Directory. DatAdvantage does not make Recommendations on users directly assigned to
an ACL.
 Each recommendation is specific for the user and for the group. Each user may have
multiple recommendations for removal from different groups and each group may have
multiple users tagged with recommendation for removal.
 For a Recommendation to appear, both criteria must be met: 1) the user has not used the
specific Active Directory group membership to access data within the last 120 days, or
since the start of monitoring, whichever is shorter, and 2) the user's activity differs
markedly from the activity of the other members of the same Active Directory group. The
second criterion matters: lack of activity through the group is not, by itself,
sufficient to produce a recommendation for removal from the group.
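To make the two criteria concrete, here is an added illustration in Python. It is not Varonis code and does not reproduce the DatAdvantage analytical engine, whose actual model is not described in this guide; it only applies the two stated criteria to constructed access data: an "unused membership" test over the shorter of 120 days and the monitored period, and a peer-similarity test (Jaccard overlap of folders touched, with an assumed 0.2 cut-off). The members, folders and dates are all invented.

```python
from datetime import date, timedelta

WINDOW_DAYS = 120            # DatAdvantage default evaluation window (per the lab)
SIMILARITY_THRESHOLD = 0.2   # assumed cut-off for "activity differs from peers"

TODAY = date(2024, 6, 1)                          # constructed reference date
MONITORING_START = TODAY - timedelta(days=300)    # constructed start of monitoring

# Constructed group membership and access events.
MEMBERS = {"HR-Private": {"alice", "bob", "carol", "denise", "derek", "ivan"}}
# (user, group through which the access was granted, folder, date)
ACCESSES = [
    ("alice",  "HR-Private", r"\hr\a",       TODAY - timedelta(days=3)),
    ("alice",  "HR-Private", r"\hr\c",       TODAY - timedelta(days=10)),
    ("bob",    "HR-Private", r"\hr\b",       TODAY - timedelta(days=30)),
    ("carol",  "HR-All",     r"\hr\a",       TODAY - timedelta(days=5)),
    ("carol",  "HR-All",     r"\hr\b",       TODAY - timedelta(days=6)),
    ("denise", "Finance",    r"\finance\x",  TODAY - timedelta(days=2)),
    ("ivan",   "HR-Private", r"\hr\z",       TODAY - timedelta(days=200)),
    ("ivan",   "Finance",    r"\finance\y",  TODAY - timedelta(days=1)),
]


def window_days(days_monitored, window=WINDOW_DAYS):
    """Shorter of the configured window and the time DatAdvantage has been monitoring."""
    return min(window, days_monitored)


def membership_used(user, group, accesses, since):
    """Criterion 1: did the user access anything through this group since the cut-off?"""
    return any(u == user and g == group and d >= since for u, g, _, d in accesses)


def folders_of(user, accesses):
    return {f for u, _, f, _ in accesses if u == user}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def similarity_to_peers(user, members, accesses):
    """Criterion 2: overlap between the user's folders and everything the other members touch."""
    peers = set().union(*(folders_of(p, accesses) for p in members if p != user))
    return jaccard(folders_of(user, accesses), peers)


def recommend_removals(members, accesses, today=TODAY, monitoring_start=MONITORING_START):
    """(user, group) pairs meeting both criteria."""
    since = today - timedelta(days=window_days((today - monitoring_start).days))
    out = set()
    for group, users in members.items():
        for user in users:
            if membership_used(user, group, accesses, since):
                continue
            if similarity_to_peers(user, users, accesses) < SIMILARITY_THRESHOLD:
                out.add((user, group))
    return out


if __name__ == "__main__":
    for user, group in sorted(recommend_removals(MEMBERS, ACCESSES)):
        print(f"recommend removing {user} from {group}")
```

Note how carol is not recommended even though she never used HR-Private: she reaches the same HR folders through another group, so her activity still looks like her peers'. Ivan did use HR-Private, but 200 days ago, outside the 120-day window, and his current activity is entirely in Finance.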

OUTCOME: In this lab you will learn what Varonis Recommendations are, how to identify them
visually in the Work Area, and how to create reports for them. You will learn to explain the
analytical engine used to generate recommendations. You will also learn how to remediate over-
permissive access and how to remove unnecessary access using the DatAdvantage Commit
Engine.

UNDERSTAND AND CONFIGURE REPORT 4.B.01 – USER OR GROUP
PERMISSIONS FOR DIRECTORY
For the selected domain, this report lists the users and groups that have permissions on
the specified folders. It can display only folders with unique permissions, or all
folders including those whose permissions are inherited.

1. Within DatAdvantage, click the Reports button.

2. Select the 4.b.01 Users or Group Permission for Directory report in the report list pane on
the left side of the window.

3. Change the “Only unique folders” filter to “Distinguish unique” by clicking on “Only
unique folders”, then on “Access path”, then on “Distinguish unique.” This filter
displays only the directories where the EFFECTIVE permissions change between a parent
and a child folder; it does not display child folders whose permissions are identical to
the parent's.

4. Change “File Server” to “Access path” by clicking on “File Server” and then on “Access
Path” and then on “Access Path” again.

5. Click the ellipsis next to “Access Path” “Starts with”, expand corpfs02a, and add the
“C:\Share\Legal\corporate\consulting” folder by double clicking on it and then clicking OK.

6. Change the “equals” operator next to User/Group to “not like” and type “admin” in the
box to the right. This excludes accounts and groups whose names contain “admin”, so that
only non-administrative principals are reported.

7. Select “New Filter” and then change it from the default “Account type” to “Permissions” by
clicking on “Account type” and then clicking on “Permissions” and then clicking on
“Permissions” once again.

8. Change the equals for this filter to “Like” then type a capital “F” in the box to the right
and then click the Run button.

9. The report will include 2 entries: the Everyone group with Full permissions and a group
called Legal which also has Full permissions.

This report demonstrates that non-Administrative groups have excessive access, giving
their members permissions beyond the scope of their responsibilities. For example, Full
Control lets members of a non-Administrative group delete the folder itself, change its
permissions and take ownership of it, which increases the risk within the company. In
the next section we will demonstrate how to remediate this situation.

REMEDIATION OF UNNECESSARY NON-ADMINISTRATIVE PERMISSIONS:

1. Click on Work Area at the top of the DatAdvantage window.

2. Browse to the “C:\Share\Legal\corporate\consulting” folder in corpfs02a, right click
on it and select Edit Permissions.

3. Click on the legal group and then under the permissions uncheck the full control
permission mask. Then click OK.

4. Click the curtain bar to open the right window pane for Recommended Users and Groups.
You will notice the pencil icon on the Consulting folder signifying a modeled change.
Within the right window, Full permission for the Legal group is red.

5. We are now ready to commit this change. Right click on the consulting folder and click
commit.

6. When prompted for credentials, enter “password” for the password and click on Login.

7. Verify the change within the commit window and then click the Commit button. Click Yes
to commit the changes. Once completed, click close.

8. Double click on the consulting folder and notice the legal group no longer has Full
permissions.

In most situations, the only accounts that should have FULL access to a business folder
are members of the IT group, specifically the people tasked with managing permissions,
and service accounts where required. All other groups should have their permissions
reduced to Modify, which still allows them to create, modify and delete files and
folders but not to change permissions or take ownership.
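The difference between Full and Modify is exactly three access-mask bits. The following Python snippet, added here as an illustration and not part of the Varonis lab guide, decodes NTFS access masks using the winnt.h bit values and shows what a group loses when it is downgraded from Full control to Modify. The mask values for Full (0x1F01FF), Modify (0x1301BF) and Read & execute (0x1200A9) are the ones Windows uses for those basic permission sets; the friendly labels are the names from Explorer's advanced permission view.

```python
# NTFS access-mask bits, as defined in winnt.h.
FILE_RIGHTS = {
    "FILE_READ_DATA":        0x00000001,
    "FILE_WRITE_DATA":       0x00000002,
    "FILE_APPEND_DATA":      0x00000004,
    "FILE_READ_EA":          0x00000008,
    "FILE_WRITE_EA":         0x00000010,
    "FILE_EXECUTE":          0x00000020,
    "FILE_DELETE_CHILD":     0x00000040,
    "FILE_READ_ATTRIBUTES":  0x00000080,
    "FILE_WRITE_ATTRIBUTES": 0x00000100,
    "DELETE":                0x00010000,
    "READ_CONTROL":          0x00020000,
    "WRITE_DAC":             0x00040000,
    "WRITE_OWNER":           0x00080000,
    "SYNCHRONIZE":           0x00100000,
}

# The "basic" permission sets Windows Explorer offers (icacls letters F, M, RX).
FULL_CONTROL = 0x1F01FF
MODIFY       = 0x1301BF
READ_EXECUTE = 0x1200A9

# Explorer's advanced-view names for the bits that separate Full from Modify.
FRIENDLY = {
    "WRITE_DAC":         "Change permissions",
    "WRITE_OWNER":       "Take ownership",
    "FILE_DELETE_CHILD": "Delete subfolders and files",
}


def decode(mask):
    """Names of the rights set in an access mask."""
    return {name for name, bit in FILE_RIGHTS.items() if mask & bit}


def extra_rights(mask, baseline):
    """Rights present in mask but absent from baseline."""
    return decode(mask & ~baseline)


def describe_downgrade(from_mask, to_mask):
    """What a trustee loses when its ACE is reduced from from_mask to to_mask."""
    return sorted(FRIENDLY.get(r, r) for r in extra_rights(from_mask, to_mask))


def exceeds_modify(mask):
    """True if an ACE grants anything beyond Modify, the lab's ceiling for non-IT groups."""
    return bool(mask & ~MODIFY)


if __name__ == "__main__":
    print("Full -> Modify removes:", describe_downgrade(FULL_CONTROL, MODIFY))
    print("Read&Execute exceeds Modify:", exceeds_modify(READ_EXECUTE))
```

The same check can be run over any mask a report shows as a raw number: if `exceeds_modify` is true for a non-IT group, the folder belongs in the Lab 4 remediation queue.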

ACTING ON VARONIS RECOMMENDATIONS
In this section, you will use DatAdvantage Recommendations to remove unnecessary
permissions and group membership.

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the 5.b.01 Recommended Changes on User Repository report in the report list pane
on the left side of the window.

3. Click Run (No filters need to be added or adjusted).

4. Scroll down in the report to see the HR-Private group. Notice that there are 3 members
that are recommended to be removed from this group (Denise Walters, Derek Peck, Ivan
Selesnick). For the purpose of the lab we will focus on HR-Private group even though
there are recommendations listed for other groups as well.

The date represents the date of creation of the recommendation.

This report demonstrates the ability of DatAdvantage to isolate accounts that no longer
use their access and to evaluate whether accounts use data in a completely different
manner from other accounts in the same group. Together these criteria produce very
precise Recommendations on which users have excessive access to data.

UNDERSTAND AND REMEDIATE OVERPERMISSIVE NON-ADMINISTRATIVE
USER/GROUP PERMISSIONS

1. Click on the Work Area at the top of the DatAdvantage window.

2. In the Recommended Users and Groups pane on the right, type in “hr-private” into the
“Look For” box. Click the + sign to expand out the group and show its members. You will
see the same 3 members that previously showed up on the Recommendations report, with
red X’s next to their name.

3. Right Click on the “HR-Private” group and click Commit. This will allow you to remove all
three of these users from the group in one step.

4. When prompted for credentials, enter “password” for the password and click on Login.

5. You will see 3 pending commits in the summary window, one for the removal of each user
from the “HR-Private” group. These recommendations exist because none of the three
users has used their HR-Private membership within the evaluation window and their
activity differs from that of the group's other members. Click the Commit button and
then click Yes to commit the changes. Once completed, click Close.

6. In the work area, in the Recommended Users and Groups pane, expand the HR-Private
group and verify that Denise, Derek and Ivan’s names are no longer listed. These users
have been removed.

In this lab we learned to use the DatAdvantage report and the Varonis Commit engine to
act upon recommendations and remove excessive permissions. The customer’s risk will
be reduced as a result of this step.

LAB 5: STALE DATA REPORTING
LEARNING OBJECTIVES: In this lab you will learn how to identify the folders containing stale
data.

OVERVIEW: The goal of this lab is to be able to report on Stale Data as well as explain the
relevance of it to customers. You will also learn the methods available in DatAdvantage used to
locate stale data.

 DatAdvantage defines Stale Data as folders that have not had a single access event in
the past 120 days. DatAdvantage tracks stale data at the folder level, not the file
level. The default period of 120 days is fully customizable in the Management Console.
 The threshold for the number of events that still counts as stale can be customized
when running reports. The default is 0 events. For example, reports can be run with the
following criteria:
o Not a single event within the last 120 days.
o 1 or fewer events within the last 120 days. In other words, a folder with only 1 event
in the last 120 days is considered stale.
o X or fewer events within the last 120 days. The customer defines how many events a
folder needs within the period before it is considered active; anything below that
threshold is identified as stale.
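As an added example (not from the Varonis lab guide), this Python function applies the stale-data definition above to a constructed folder inventory: a relative window of N days, an event threshold, and an optional requirement that subfolders be quiet as well, which is what the "Event count on subfolders" filter of report 7.B.01 enforces. Output is ordered largest folder first, as the report is sorted. Paths, sizes and event dates are all invented.

```python
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # constructed reference date so the example is deterministic

# Constructed folder inventory: path -> size of folder and subfolders, in MB.
FOLDERS = {
    r"\\corpfs02a\share\archive": 5120,
    r"\\corpfs02a\share\archive\2019": 4000,
    r"\\corpfs02a\share\projects": 800,
    r"\\corpfs02a\share\projects\active": 300,
    r"\\corpfs02a\share\tmp": 50,
}

# Constructed access events: (folder path, date of the event).
EVENTS = [
    (r"\\corpfs02a\share\projects\active", TODAY - timedelta(days=2)),
    (r"\\corpfs02a\share\tmp", TODAY - timedelta(days=100)),
    (r"\\corpfs02a\share\archive\2019", TODAY - timedelta(days=400)),
]


def is_under(path, folder):
    """True when path is strictly inside folder (case-insensitive, backslash paths)."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def event_counts(folders, events, today, days):
    """Per folder: events on the folder itself and events on its subfolders,
    counting only events inside the relative window (the Date filter in Relative Mode)."""
    since = today - timedelta(days=days)
    own = dict.fromkeys(folders, 0)
    sub = dict.fromkeys(folders, 0)
    for path, when in events:
        if when < since:
            continue
        for folder in folders:
            if path.lower() == folder.lower():
                own[folder] += 1
            elif is_under(path, folder):
                sub[folder] += 1
    return own, sub


def inactive_directories(folders, events, today=TODAY, days=120, max_events=0,
                         include_subfolders=True):
    """Folders with at most max_events in the window (and, optionally, at most
    max_events on their subfolders), largest first, like report 7.B.01 sorted by size."""
    own, sub = event_counts(folders, events, today, days)
    stale = [f for f in folders
             if own[f] <= max_events and (not include_subfolders or sub[f] <= max_events)]
    return sorted(stale, key=lambda f: folders[f], reverse=True)


if __name__ == "__main__":
    for folder in inactive_directories(FOLDERS, EVENTS):
        print(f"{FOLDERS[folder]:>6} MB  {folder}")
```

With the defaults the archive tree is the only stale candidate: `projects` has no events of its own but its `active` subfolder is busy, and `tmp` was touched 100 days ago. Shrinking the window to 90 days or raising the threshold to 1 changes the answer, which is why the window and threshold should be agreed with the customer before the report is used to delete anything.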

OUTCOME: At the end of this lab you will understand the definition of Stale Data and how to
customize the default settings to meet customer requirements. You will be able to report on the
data and explain to the client the logic behind the output. The objective is to encourage the
customer to delete, move or archive their stale data, which is consuming storage and resulting
in unnecessary expense.

UNDERSTAND AND CONFIGURE REPORT 7.B.01 – INACTIVE DIRECTORIES
BY SIZE
For the selected domain, this report displays all inactive folders and files, according to the
specified filter conditions. The goal is to show the estimated size of the inactive folders, for
archiving or for the purpose of deletion.

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the 7.b.01 Inactive Directories by Size report in the report list pane on the left side
of the window.

3. There are a number of predefined filters that must be configured:
 For the “Date” filter, enter 120 and verify that the Relative Mode button on the right
is checked. Relative Mode counts days back from today's date; unchecking it allows a
fixed start and end date to be set instead.
 The next filter is “Event count.” This is set to Equals 0. Leave this filter as is.
 For the “File server” filter click the ellipsis and select the corpfs02a server and click
OK.
 The next filter is “Event count on subfolders”. This is set to equals 0. Leave this
filter as is.

4. Click the Sort button and confirm that the results are going to be sorted by “Size of Folder
and Subfolders (in MB)” in descending order. Click the run button.

5. The Table view will be populated with the results. Click Export to CSV, name the file
7B01Inactive_Directories, and save to the My Documents folder. Click the “?” icon to see
the Help View and review the meaning of each statistic. The following metrics are
relevant for remediating stale data:
 The “Displaying xxx results” is the number of folders included in the report
 The Size of Folders and Subfolders. Using this allows you to prioritize stale folder
remediation by folder size if required by the customer.

NOTE: Selecting all file servers in the report may produce a very large report that
takes a long time to run; use caution when running this report.

This report is the starting point of the discussion with the customer about how much stale data
they have and whether they are interested in deleting or moving it. Some of the actions the
customer may take:
 Delete Stale Data
 Move Stale Data to cheaper disk/storage
 Archive Stale Data
 All of these actions can be automated using the Varonis Data Transport Engine

LAB 6: REMEDIATION OF DEAD SIDS DUE TO DELETED ACCOUNTS
LEARNING OBJECTIVES: In this lab you will learn how to report on Broken Security Identifiers
(SIDs) that appear when a user account is directly assigned to an ACL, and when a User was
deleted but not removed from the ACL. You will learn how to perform remediation of these
deleted accounts based on DatAdvantage Reports.

OVERVIEW:
 When a user account was assigned directly on the ACL (Access Control List) and was later
deleted, it still appears on the ACL as a long numeric unique identifier, the SID. We
call such accounts Orphaned SIDs.
 On rare occasions Varonis will report a SID that cannot be resolved to a username because
it belongs to a domain that is not monitored in DatAdvantage. It is important that all
domains are monitored by Varonis to avoid this situation. Alternatively, the domain can
be identified from the SID itself: the part of the SID before the final number (the
domain identifier, S-1-5-21-...) is unique to each domain, and only the final number
(the relative identifier, or RID) identifies the account within that domain.
 This situation can be prevented if the company provisions all access via Active Directory
groups and not by direct user assignment to an ACL.
 With the high risk of unauthorized access to data, effective management of access
permissions is critical to securing data with a least-privilege model. The more complex
the file system's permission structure, the more risk there is of users gaining
unintended access. Unresolved SIDs add complexity to the ACL and should be removed.
Additionally, an unresolved SID that still has access to data is a potential target for
a token manipulation attack: an attacker who can inject that SID into an access token,
or into the sIDHistory of an account they control, inherits its access.
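The domain-from-SID technique mentioned above, as an added Python example (not part of the Varonis guide): a domain account SID has the form `S-1-5-21-<three 32-bit values>-<RID>`, so the domain identifier can be split from the RID and matched against the domain SIDs of the monitored domains. Well-known SIDs such as `S-1-5-11` and BUILTIN SIDs such as `S-1-5-32-544` carry no domain identifier and are handled separately. The domain SIDs, domain name and unresolved SIDs below are constructed; the 1000 cut-off for built-in RIDs is a real Windows convention.

```python
import re
from collections import defaultdict

# A domain account SID: S-1-5-21-<domain identifier: three 32-bit values>-<RID>
DOMAIN_ACCOUNT_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed map of domain SIDs to domain names, as an administrator would gather
# it from each monitored domain. The values are invented.
KNOWN_DOMAINS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "corp.local",
}

# Constructed unresolved SIDs as they might appear in report 12.E.01.
UNRESOLVED = [
    "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "S-1-5-21-1111111111-2222222222-3333333333-1140",
    "S-1-5-21-4444444444-5555555555-6666666666-1001",
    "S-1-5-32-544",
]


def parse_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or (None, None) for
    well-known or BUILTIN SIDs that carry no domain identifier."""
    m = DOMAIN_ACCOUNT_SID.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def is_builtin_rid(rid):
    """RIDs below 1000 are reserved for built-in principals (500 Administrator,
    512 Domain Admins, 513 Domain Users, ...); normal accounts start at 1000."""
    return rid is not None and rid < 1000


def classify(unresolved, known_domains):
    """Group unresolved SIDs by origin: a monitored domain (deleted accounts),
    an unmonitored domain (identified by its domain SID), or not a domain account at all."""
    out = defaultdict(list)
    for sid in unresolved:
        domain, rid = parse_sid(sid)
        if domain is None:
            out["not a domain account"].append(sid)
        elif domain in known_domains:
            out[known_domains[domain]].append(sid)
        else:
            out["unmonitored:" + domain].append(sid)
    return dict(out)


if __name__ == "__main__":
    for origin, sids in classify(UNRESOLVED, KNOWN_DOMAINS).items():
        print(origin, sids)
```

Entries under an `unmonitored:` key are the case the lab warns about: the account may still exist, so the SID should be resolved in its own domain (and that domain added to DatAdvantage) before it is removed from an ACL. Entries that parse as BUILTIN or well-known SIDs should normally resolve; if they do not, the resolution itself is broken rather than the account.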

OUTCOME: In this lab you will learn how to explain to the customer how Orphaned SIDs occur,
how to prevent them proactively, and how to remediate them if they already exist.

UNDERSTAND AND CONFIGURE REPORT 12.E.01 – ACLS WITH
UNRESOLVED SIDS
For the selected domain, this report lists permissions on file servers where ACL SIDs are not
resolvable to user or group names (meaning they were removed or migrated, or reside in a
domain not monitored by DatAdvantage).

1. Select the 12.e.01 ACLs with Unresolved SIDs report in the report list pane on the left
side of the window.

2. On the file server filter click the ellipsis, select the corpfs02a server, and Click OK.

3. Click Run.

4. You will see 7 results including the “Market” folder.

In this lab we learned to develop a report displaying all of the directories with Unresolved
or Orphan SIDs. We are able to estimate the remediation scope of work from the number
of results. This will be the input for the remediation that will be performed in the next lab.

REMEDIATION OF ACLS WITH UNRESOLVED SIDS:

1. Click on the Work Area at the top of the DatAdvantage window.

2. Double click on the “Market” folder to verify the unresolved SID. Right click on the
“Market” folder and click Edit Permissions.

3. Click the unresolved SID and then click remove. The SID will turn red. Click OK.

4. Right Click on the market folder again and then click the Commit button.

5. When prompted for credentials, enter “password” for the password and click on Login.

6. Review the change of removing the unresolved SID with read access from the Market
folder. Click Commit, then click Yes to confirm. Once the commit completes, click close.

7. Double click the market folder to verify that the unresolved SID is no longer visible.

In this lab we learned how to use Varonis DatAdvantage to remove Unresolved or Orphan
SIDs based on the report from the previous lab.

LAB 7: REMEDIATING AND RESOLVING DIRECT USER ASSIGNMENT
ON AN ACL
LEARNING OBJECTIVES: In this lab you will learn why Active Directory accounts assigned
directly on the Access Control List (ACL) as opposed to via Active Directory groups are a bad
practice, and how to generate reports which can be used to assist with remediation of them.

OVERVIEW:
 The best practice for assigning permissions is to provision access to a folder via
Active Directory groups. This is also a prerequisite for a DataPrivilege deployment,
eases permissions administration and reduces risk.
 Deleting a directly assigned account leaves an Orphaned SID, as described in Lab 6,
whereas deleting an account provisioned via an Active Directory group correctly removes
its access without any additional remediation.

OUTCOME: At the end of this lab you will determine where direct user assignments exist. You
will also be able to explain the drawbacks and understand how to remediate them.

UNDERSTAND AND CONFIGURE REPORT 12.D.01 – INDIVIDUAL USERS ON
AN ACE

For the selected domain, this report lists permissions that were granted directly to individual
users, and not through group membership.

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the 12.d.01 Individual Users on an ACE report in the report list pane on the left
side of the window.

3. Within the “File server” filter, click the ellipsis, select the corpfs02a server, and click OK.

4. Click the New Filter option and change the default filter of object type to username.

5. On the User name filter click on the “Equals” button and change it to “Not like.”

6. In the text box for “User name” type “admin.” This filters out of the report any admin
accounts that are directly on an ACL. Click Run.

7. One of the first few results will be Lisa Clasen having Read access to the C:\Share\ERP-
Arc folder. Technically Lisa has Read, Execute and List permissions (RXL), which most
clients present simply as Read; we will use the term Read permissions for this state.

In the same report we see 2 entries for orphaned SIDs (deleted account of Chad Marcus).
These direct assignments would need to be deleted as well but for the purpose of this lab
we will limit the scope to Lisa’s account’s direct assignment.

In this report we produced the list of folders where users are directly assigned to the
ACL, as opposed to through an Active Directory group, and the count of results gives the
scope of work.

UNDERSTAND AND REMEDIATE DIRECT USER ASSIGNMENT

1. Click on the Work Area at the top of the DatAdvantage window.

2. Browse to the “ERP-Arc” folder and double click on it. You will see Lisa Clasen directly on
the ACL with READ (Read-Execute-List) access.

3. On the “ERP-Arc” ACL you will also see a group called ERP_Invoices, which has Read
(RXL) permission. Before reusing an existing group, confirm that it grants nothing
beyond what Lisa has today: double click the ERP_Invoices group to check that it only
grants Read access to the ERP-Arc folder and to no other folder. Multiple folders will
turn green in the Directories pane; confirm in the Explanations column that “ERP-Arc” is
the only folder showing “Inherited from ERP_Invoices”, which it is.

4. Now that we confirmed the ERP_Invoices group only grants access to “ERP-Arc” folder we
will add Lisa into that group for the purpose of eliminating her individual access on the
ACL. Double Click the “ERP-Arc” folder again. In the Recommended Users and Groups
Pane, right click on Lisa’s name on the right window and then click on “Add Group
Membership.”

5. Type “ERP_Invoices” in the search box and then click the search button. Double click the
group in order to select it, and then click OK.

6. You will now see the pencil on Lisa's name signifying the modeled addition of Lisa to the
ERP_Invoices group. Right click on her name once more and click Commit to enact the
change.

7. When prompted for credentials, enter “password” for the password and click on Login.

8. Review the change of adding Lisa to the ERP_Invoices group. Click commit, then click Yes
to confirm. Once the commit completes, click close.

9. To confirm, click the View button on the top of the Recommended Users and Groups
window and click “Children.” (If it already says “Parents” then you can ignore this step.)

10.Expand the user account for Lisa and you will see the groups that she is a member of,
including the ERP_Invoices Group.

11.We now need to remove Lisa from the ACL which provides her with direct access to the
folder. Right click on her name where she is directly permissioned and click “Remove
Permissions.”

12.A red X will appear next to Lisa’s name. Right click on her name again and click Commit.

13.When prompted for credentials, enter “password” for the password and click on Login.

14.Review the change of removing the ACL for Lisa’s Read access, click Commit, and click
Yes to confirm. Once the commit competes, click Close.

15.Double click on the ERP-Arc folder once again and you will no longer see Lisa Clasen
directly on the ACL.

16.David Hightower and an unresolved SID also have direct access to this folder. Repeat the
steps above to remove David Hightower and the unresolved SID as well. Use the modeling
step for the active user David Hightower, and remove the unresolved SID directly without
modeling (an unresolved SID is a deleted account, so it cannot be added to a group).
Once completed, you will have addressed the remediation requirements for this folder.

In this lab we learned how to resolve accounts that are directly assigned to the folder
using Varonis DatAdvantage. This will further reduce the risk of unnecessary access to this
folder.
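The procedure in this lab, as an added Python example (not part of the Varonis guide), over a constructed ACL inventory: for each user directly on a folder's ACL, find an existing group whose rights on that folder equal the user's direct ACE and which appears on no other folder, so that moving the user into it cannot widen their access (the check in step 3); if no such group exists, a new scoped group is needed (as in Lab 3); unresolved SIDs are simply removed. The folders, trustees and rights below are invented, and the `F`/`M`/`RX` letters follow icacls.

```python
import re

# Shape of a domain account SID; in an ACL listing this means "deleted or unmonitored".
UNRESOLVED_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed ACL inventory: folder -> list of (trustee, is_group, rights).
ACLS = {
    r"\\corpfs02a\share\ERP-Arc": [
        ("lisa.clasen", False, "RX"),
        ("david.hightower", False, "RX"),
        ("bob.temp", False, "F"),
        ("S-1-5-21-1111111111-2222222222-3333333333-1140", False, "RX"),
        ("ERP_Invoices", True, "RX"),
        ("ERP_Admins", True, "F"),
    ],
    r"\\corpfs02a\share\ERP": [("ERP_Admins", True, "F")],
}


def direct_aces(acls, folder):
    """Users (not groups) that are directly on the folder's ACL, with their rights."""
    return [(t, r) for t, is_group, r in acls[folder] if not is_group]


def group_scope(acls, group):
    """Every folder on which the group appears, mapped to its rights there."""
    return {f: r for f, aces in acls.items() for t, is_group, r in aces if is_group and t == group}


def candidate_groups(acls, folder, user):
    """Groups already on the folder whose rights equal the user's direct ACE and
    that grant nothing anywhere else, so adding the user cannot widen their access."""
    rights = dict(direct_aces(acls, folder))[user]
    return [t for t, is_group, r in acls[folder]
            if is_group and r == rights and group_scope(acls, t) == {folder: rights}]


def remediation_plan(acls, folder):
    """One step per action: move active users into a scoped group (flagging a new
    group when none fits), then drop the direct ACE; unresolved SIDs are just dropped."""
    plan = []
    for trustee, rights in direct_aces(acls, folder):
        if UNRESOLVED_SID.match(trustee):
            plan.append(("remove_ace", trustee, None))
            continue
        groups = candidate_groups(acls, folder, trustee)
        target = groups[0] if groups else f"NEW GROUP for {folder} ({rights})"
        plan.append(("add_to_group", trustee, target))
        plan.append(("remove_ace", trustee, None))
    return plan


if __name__ == "__main__":
    for step in remediation_plan(ACLS, r"\\corpfs02a\share\ERP-Arc"):
        print(step)
```

ERP_Admins is rejected for bob.temp even though the rights match, because the group also appears on the parent ERP folder: reusing it would give him access he never had, which is the mistake the step-3 check exists to prevent.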

LAB 8: REMEDIATING ACCOUNTS CONFIGURED WITH NON-
EXPIRING PASSWORDS
LEARNING OBJECTIVES: In this lab you will learn how to identify Active Directory accounts
with passwords configured to not expire.

OVERVIEW:
 Most companies have security policies mandating that all passwords expire at periodic
intervals. Sometimes there are exceptions to this rule. These exceptions typically include
service accounts using non-expiring passwords for access to business applications.
 At times IT administrators set the password to not expire to solve a temporary
requirement, for example for testing, but then forget to change the setting back. This
causes unnecessary risk.
 It’s important to periodically (once every quarter or semi-annually) review the list of
accounts where the passwords are set to not expire and determine whether it is still
required and/or whether the account is still being used.

OUTCOME: At the end of this lab you will be able to identify accounts with non-expiring
passwords and explain why they increase the security risk for the organization.

UNDERSTAND AND CONFIGURE REPORT 3.D.01 USERS AND GROUPS LIST

For the selected domain, this report lists the users and groups in directory services.

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the 3.d.01 Users and Groups List report in the report list pane on the left side of
the window.

3. Change the “User/Group” filter to “Users with password that never expires” by clicking
on “User/Group”, then on “Account management”, then on “Users with password that never
expires.” Click Run to create the report.

4. The Table view will be populated with the results, showing all users with non-expiring
passwords. Take note of the 2nd result, Dana Guyton. This report shows that there are
1203 accounts with non-expiring passwords and gives the account names, whether each
account is a user or service account, and whether the account is disabled.

UNDERSTAND AND REMEDIATE USERS WITH NON-EXPIRING PASSWORDS

1. Click on the Work Area at the top of the DatAdvantage window.

2. Type in “Dana Guyton” into the “Look for” box in the “Recommended Users and Groups”
pane on the right.

3. Right click on her name, click on “Account Management” and then click on “Edit user…”

4. Click OK on the Account Management Configuration prompt.

5. An edit user window will appear. Click on the account button on the left and then you will
see a checkbox set for Dana’s account “password never expires.” Uncheck this box. Then
click OK.

6. When prompted for credentials, enter “password” for the password and click on Login.

7. An action processing window will appear. At the bottom you will see Total: 1 action
succeeded with the description “modify userAccountControl property of Dana Guyton
account to false.” Click Close.

This workflow forced Dana's password to expire after the number of days set by the
domain Password Policy. Technically, DatAdvantage cleared the DONT_EXPIRE_PASSWD flag
(0x10000) in the account's userAccountControl attribute. If we looked up Dana's account
directly in Active Directory Users and Computers, the “Password never expires” checkbox
would now be cleared.
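The attribute change behind that workflow, as an added Python example (not from the Varonis guide): userAccountControl is a bit field, so "password never expires" is one flag that can be decoded, set or cleared independently of the others. The flag values are the documented Active Directory constants; the sample accounts are constructed. The `review` function reproduces the quarterly check the overview calls for (enabled accounts whose password never expires), and `ldap_filter_for` builds the filter an administrator can run against AD to cross-check DatAdvantage's report, using the LDAP_MATCHING_RULE_BIT_AND rule OID so the filter matches on the bit rather than the whole value.

```python
# userAccountControl flag bits (Active Directory constants).
UAC = {
    "SCRIPT":                 0x0001,
    "ACCOUNTDISABLE":         0x0002,
    "LOCKOUT":                0x0010,
    "PASSWD_NOTREQD":         0x0020,
    "PASSWD_CANT_CHANGE":     0x0040,
    "NORMAL_ACCOUNT":         0x0200,
    "DONT_EXPIRE_PASSWD":     0x10000,
    "SMARTCARD_REQUIRED":     0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED":          0x100000,
    "DONT_REQ_PREAUTH":       0x400000,
    "PASSWORD_EXPIRED":       0x800000,
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl value."""
    return {name for name, bit in UAC.items() if value & bit}


def clear_flag(value, name):
    return value & ~UAC[name]


def set_flag(value, name):
    return value | UAC[name]


def password_never_expires(value):
    return bool(value & UAC["DONT_EXPIRE_PASSWD"])


def is_disabled(value):
    return bool(value & UAC["ACCOUNTDISABLE"])


# Constructed sample: (sAMAccountName, userAccountControl)
ACCOUNTS = [
    ("dguyton",    66048),  # 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("svc_backup", 66048),
    ("old_temp",   66050),  # same, plus ACCOUNTDISABLE
    ("jsmith",     512),    # NORMAL_ACCOUNT only
]


def review(accounts):
    """Enabled accounts whose password never expires: the list for the periodic review."""
    return [sam for sam, uac in accounts if password_never_expires(uac) and not is_disabled(uac)]


def ldap_filter_for(flag):
    """LDAP filter selecting user objects with the given UAC bit set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={UAC[flag]}))")


if __name__ == "__main__":
    before = 66048
    after = clear_flag(before, "DONT_EXPIRE_PASSWD")
    print(sorted(decode_uac(before)), "->", sorted(decode_uac(after)))
    print(review(ACCOUNTS))
    print(ldap_filter_for("DONT_EXPIRE_PASSWD"))
```

Clearing the flag alone does not force a password change; the account simply falls back under the domain's maximum password age, so an account whose password is already older than that will be asked to change it at its next logon.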

LAB 9: REMEDIATION OF EMPTY ACTIVE DIRECTORY GROUPS
LEARNING OBJECTIVES: In this lab you will learn how to determine where Empty Security
Groups exist and how to remove these groups.

OVERVIEW:
 In general, Active Directory groups should not be empty. The only exceptions to this
policy are pre-defined application groups, or an internal company standard that requires
groups to be created in advance of their use. Examples include FinanceAppAdmins,
FinanceAppPowerUsers, HRAppAdmins, HRAppPowerUsers, etc.
 It is important to determine whether empty Active Directory groups exist by design. If
they exist by accident, DatAdvantage can be used to locate and remove them.
 Empty security groups increase risk: if such a group is already on an ACL, simply adding
a person to it grants access to the folder while bypassing the normal access request
and approval process.

OUTCOME: At the end of this lab you will have configured and run the report used to identify all
empty Active Directory groups. You will also learn how to use DatAdvantage to delete them.

UNDERSTAND AND CONFIGURE REPORT 12.G.01 EMPTY SECURITY GROUPS
REPORT
For the selected domain, this report lists security groups that do not contain members to which
permissions can be assigned (such as groups containing only contact objects).

1. Click the Reports button at the top of the DatAdvantage window.

2. Select the 12.g.01 Empty Security Groups report in the report list pane on the left side of
the window.

3. No filters need to be added; simply click the Run button.

4. The Table view will be populated with the results. You will now see the Active Directory
groups which do not contain any members. Take note of the 1st result - Accounts. In the
next steps we will demonstrate how to delete this group.

In this lab you learned how to report on the Empty Active Directory groups in customer
environment.

REMEDIATION – DELETE EMPTY GROUPS

1. Click on the Work Area at the top of the DatAdvantage window.

2. Type in “Accounts” into the “Look for” box in the “Recommended Users and Groups” pane.
You will see that the Accounts group has no members.

3. Right Click on the group, click on “Account Management” and then click on “Delete
group…”

4. A delete group window will pop up. Click the Delete and Commit button.

5. When prompted for credentials, enter “password” for the password and click on Login.

6. Review the change of deleting the Accounts group, click Commit, and then click Yes to
confirm. Once the commit completes, click close.

7. Go back to the Work Area and search again for the Accounts group in the “Recommended
Users and Groups” pane. There are now no results.

In this lab you learned how to use results of the report from the previous lab and delete
empty groups using Varonis DatAdvantage interface.

LAB 10: MEASURING PROGRESS WITH THE REMEDIATION PROJECT
LEARNING OBJECTIVES: In this lab you will run the assessment reports again and compare
the results with the metrics gathered in lab 1. This will allow you to track remediation progress.
You will also understand the importance of establishing an initial benchmark.

OVERVIEW:
• This lab consists of running the same reports as in Lab 1.
• For shorter remediation initiatives the reports can be run once at the beginning to
establish the benchmark and once at the end for the purpose of documenting the
results.
• For longer remediation projects the reports can be run on a periodic basis to report on
the progress of the project.
• You will need to re-run the job calculating the metrics and reset the date to TODAY
again, in order to begin the lab. You should have saved reports from Lab 1 in your My
Documents folder that you will reference.
• NOTE: Because we can’t run specific Management Console jobs in this lab, some
statistics, such as the number of Broken ACLs, will not be updated. This is because
this remediation is done outside of DatAdvantage and the directories would need to be
rescanned to update the metrics. In the event the customer is using the Incremental
Filewalk, all changes made by the Service Account will not be captured until a FULL
Filewalk is run, as the service account is excluded from monitoring and will not
generate an event.

OUTCOME: You will see and understand the changes resulting from the Remediation process
and be able to explain the meaning of them to the customer.

COMPARE CHANGES IN REPORT 14.A.02 – FILE SYSTEM ACTION ITEMS STATISTICS

You will start with re-running the jobs which gather the necessary statistics.

1. Open the Management Console.

2. The Console will load with all of the maintenance jobs displayed. Under Categories check
off “Advanced Maintenance” then click Apply.

3. Right click on the “Calculate Metrics for Trend Reports” job, and select Run Job and wait
for the job to complete (the status will change back to idle when it is done).

4. Close the Management Console. Re-open DatAdvantage (if it is still open, you can skip
this step).

5. Select the 14.a.02 File System Action Items Statistics report in the report list pane on the
left side of the window. This report helps identify and highlight many of the file system
issues that have been remediated.

6. On the filters tab, the date will be set to yesterday’s date by default. Click on the
dropdown box and click on the white box on the bottom of the dropdown menu to select
today’s date.

7. Select File Server and then click Remove Selected.

8. On the Columns tab scroll down the “Available columns” list, select “No. of Folders with
Unresolved SIDs”, and click the right arrow to add it to the report.

9. Select “No. of Folders with Global Access (Inc. Inherited)” and click the right arrow to add
it to the report.

10. Move the newly added columns higher in the list.

11. Click Run.

12. The Table view will be populated with the results. Compare the results from this report
with the results from the same report generated in Lab 1:
a. Note that folders with global groups decreased from 8 to 7 and folders with global
groups (including inheriting) decreased from 993 to 845.
b. The number of folders with user ACEs decreased from 27 to 26.
c. The number of folders with unresolved SIDs decreased from 7 to 5.

UNDERSTAND AND CONFIGURE REPORT 14.D.02 – USER-RELATED ACTION ITEMS (PER DOMAIN)

For the selected domain, this report displays directory service statistics for user-related action
items on the specified date.

1. Select the 14.d.02 User Related Action Items (per domain) report in the report list pane
on the left side of the window.

2. On the filters tab, the date will be set to yesterday’s date by default. Click on the
dropdown box and click on the white box on the bottom of the dropdown menu to select
today’s date.

3. Select Domain and then click Remove Selected.

4. Click Run.

5. The Table view will be populated with the results. Compare the results from this report
with the results from the same report generated in Lab 1:
a. Note that the number of users with passwords that never expire decreased from
1196 to 1195.

UNDERSTAND AND CONFIGURE REPORT 14.D.03 – GROUP-RELATED ACTION ITEMS (PER DOMAIN)

For the selected domain, this report displays directory service statistics for group-related action
items on the specified date.

1. Select the 14.d.03 Group Related Action Items (per domain) report in the report list pane
on the left side of the window.

2. On the filters tab, the date will be set to yesterday’s date by default. Click on the
dropdown box and click on the white box on the bottom of the dropdown menu to select
today’s date.

3. From the filters tab, select Domains and then click Remove Selected.

4. Click Run.

5. The Table view will be populated with the results. Compare the results from this report
with the results from the same report generated in Lab 1:
a. Note that the number of Empty Active Directory Groups went down to 64 from 65.

SUMMARY OF SECTION ONE
In Labs 1 through 10 you learned how to remediate a customer’s environment. You learned why
the identified issues constitute a security risk, how to develop a baseline to measure the risk,
and how to reduce or eliminate the risk.

Labs 1 through 10 specifically refer to the environments or projects where there is no
DataPrivilege installation and all remediation needs to be completed with DatAdvantage. These
labs will also apply to situations where the environment needs to be prepared with
DatAdvantage prior to the implementation of DataPrivilege.

In Section Two, we will build upon the knowledge acquired in the first section and introduce
DataPrivilege to the remediation process. DataPrivilege provides unique capabilities which
automate and simplify the control of access permissions.

LAB 11: INSTALLING A REMOTE COMMIT SERVICE

LEARNING OBJECTIVES: In this lab you will learn how to install the DataPrivilege Commit
Service on remote servers.

OVERVIEW:
• In DataPrivilege versions prior to 6.3 we have to manually specify where the changes on
monitored devices will be coming from. In most cases the closest Varonis component is a
collector monitoring that device.
• If network latency between the committing device (by default it’s the IDU) and the
monitored device is too high, the length of time that it takes to apply any permission
changes will increase dramatically and may take days or even weeks to complete.
• Prior to adding any new monitored device into DataPrivilege, make sure to check where
the commit will be coming from to ensure that network latency is lower than 20 ms.
You will NOT be able to perform the steps in the lab due to the nature of the lab, so
please simply review the instructions and be familiar with them.

OUTCOME: In this lab you will learn how to ensure that all changes are performed from the
closest Varonis server. This is especially important for large distributed environments and needs
to be done prior to the remediation process.

INSTALLING THE REMOTE COMMIT CAPABILITY FOR DATAPRIVILEGE

1. Open the Varonis IDU Installer and click on the Configuration radio button, and then click
Next.

2. Enter the database credentials, and then click Next.

3. Click the “Add/Remove Commit hosts from DataPrivilege” button and click Next.

4. Click the green + button to add a new remote commit host. Then enter the hostname of
the target server and the user name and password of the account you wish to push the
service out with. This account should be a local admin on the target server. Finally, choose
the path in which the program files are installed, click OK, and then click Next.

5. You will see a summary of the hostname and path where the commit service will be
added. At this point you can choose to add another commit host, or if you are finished,
click Next.

6. Review the configuration and click Next to continue.

7. The installer will then push out the commit service to the desired servers.

8. Click Finish and close the installer. This concludes the installation of the remote commit
hosts. We now need to access DataPrivilege and configure the remote Commit services
that will be utilized. Open the DataPrivilege – Administrator shortcut on the desktop.

9. Click on the Advanced Administration button on the left, and then click on File Server
Definitions. Once within the File Server Definitions screen, you will see all of the existing
servers that were added to be used in DP, and on the far right column you will see which
commit host is being utilized.

10. Click the blue i (Information) icon to the left of the file server to edit it, and then within
the file server details you will see the Commit Host selection. Click the dropdown and
select the Commit Host which was previously added. Click OK to proceed.

11. After clicking OK it will configure the file server to use the newly selected remote Commit
Host. You will now see the updated column showing the new Commit Host.

This concludes adding a remote Commit Host for use in DP.

In this lab you learned how to add a Remote Commit Host for the purpose of ensuring that
committed changes are made from the closest Varonis server. This is especially important for
large distributed environments and needs to be done prior to the start of the remediation
process.

LAB 12: CHANGING PERMISSION MASKS
LEARNING OBJECTIVES: In this Lab you will learn how to customize permission masks to
meet the requirements customers have for assigning different NTFS permissions to their folders.

OVERVIEW:
• The vast majority of customers will choose to have 2 permission masks: Modify and Read
permissions. The Modify mask includes Modify, Execute, Write and Read permissions. The
Read mask includes Execute and Read permissions. Other customers may choose to
include other masks.

• Note that using Read permissions without Execute permissions is rarely useful in
production environments and may lead to issues with the inability to run applications and
scripts despite having Read permissions.

OUTCOME: In this lab you will learn how to customize permission masks to suit the goals of the
remediation project as well as customer requirements.

1. Open DataPrivilege as the DP Administrator Role by double-clicking on the DataPrivilege
Administrator icon on the desktop.

2. From the left pane click on Advanced Administration and then on Permission Types. In
the right pane click on the blue i (Information) icon next to the Read-Only permission to
display the permissions mask configuration pop-up box.

3. In the “Permission type name” textbox, change the name to “Read-No-Execute” (NOTE:
Permission type names are limited to 15 characters and spaces cannot be used). Uncheck
the box for “Can be used for new permissions”. This is needed so that this permission is
still visible but it is not manageable in the Base Folders section. This is done in order to
avoid the customer accidentally setting up a Read permission that doesn’t allow execution of
applications, batches or scripts. Click OK.

4. Click on the blue i icon next to the “Read-Write” permission.

5. Uncheck the box for “Can be used for new permissions.” We are doing this because this
permission is unlikely to be used in production environments and we want to disable it.
Most of the time Modify permission mask is used as it allows not only creation and
modification but also deletion of files and folders. Click OK.

6. Click on the blue i icon next to Execute permission.

7. Rename it to “Read-Only” and then type in “RO” in the Alias box. The Alias text is used
when auto-generating group names to reduce the number of characters in the group
name. Check all 3 boxes for the following:
• Visible
• Is Monitored
• Can be used for new permissions
Click OK.

8. Click on the blue i icon next to the “Read-Write-Delet” permission.

9. Rename it to “Modify” to match the Windows NTFS permission name familiar to customers,
and then click OK.

10. The changes made in the previous steps will ensure that all Base Folders will have only 2
options for granting permissions: Modify and Read-Only.

In this lab you learned how to customize permission masks to suit the goals of the remediation
project. Modify and Read permission masks are the most common in remediation engagements;
however, customers may wish to add other masks. The third most common mask is Read-Write,
which is similar to Modify except that users do not have permission to delete
files and folders.
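The masks above are combinations of NTFS rights, so an existing ACL can be audited against them before the customer settles on a set. The following PowerShell is an added example, not code from the Varonis lab manual: it reads a folder's ACL, maps each ACE to the mask names used in this lab (Modify, Read-Write, Read-Only, Read-No-Execute) using the FileSystemRights combinations Windows uses for them, and flags any ACE that grants Read without Execute, the case the overview warns about. The share path is a constructed placeholder.

```powershell
# Added example (not from the Varonis lab manual). Maps NTFS ACEs on a folder to the
# permission-mask names defined in Lab 12 and flags Read-without-Execute grants.
using namespace System.Security.AccessControl

# The masks as described in the lab, expressed as the FileSystemRights combinations
# Windows shows for them. Read-Write is Modify without the Delete right.
$PermissionMasks = [ordered]@{
    'Modify'          = [FileSystemRights]::Modify
    'Read-Write'      = [FileSystemRights]([int][FileSystemRights]::Modify -band -bnot [int][FileSystemRights]::Delete)
    'Read-Only'       = [FileSystemRights]::ReadAndExecute
    'Read-No-Execute' = [FileSystemRights]::Read
}

function Get-PermissionMaskReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # By default inherited ACEs are included so the whole effective ACL is classified.
        [switch]$ExplicitOnly
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        # Inherit-only ACEs can carry generic rights that match no named mask; normalise
        # through the raw access mask so -band comparisons work in every case.
        $rights = [FileSystemRights][int]$ace.FileSystemRights
        $mask = 'Custom'
        foreach ($name in $PermissionMasks.Keys) {
            if ($rights -eq $PermissionMasks[$name]) { $mask = $name; break }
        }
        $hasRead    = ($rights -band [FileSystemRights]::ReadData) -ne 0
        $hasExecute = ($rights -band [FileSystemRights]::ExecuteFile) -ne 0
        [pscustomobject]@{
            Path               = $Path
            Identity           = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType
            Inherited          = $ace.IsInherited
            Mask               = $mask
            Rights             = $rights
            ReadWithoutExecute = ($hasRead -and -not $hasExecute)
        }
    }
}

# Usage (constructed path): list every ACE that would leave a user able to read
# scripts and applications but unable to run them.
Get-PermissionMaskReport -Path 'C:\Shares\Finance' |
    Where-Object ReadWithoutExecute |
    Format-Table Identity, Mask, Rights -AutoSize
```

ACEs reported as Custom are ones that do not match any of the four masks exactly (FullControl, or hand-edited special permissions); those are the entries a remediation engineer should review before the folder is brought under DataPrivilege, since they cannot be represented by the configured permission types.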

LAB 13: CREATING MANAGED FOLDERS
LEARNING OBJECTIVES: In this lab you will learn how to create Managed folders using the
DataPrivilege interface, along with specific steps that are part of a remediation engagement, such as
protecting folders from changes at the parent level.

OVERVIEW:
• You already learned the definitions of Base and Managed folders in the DataPrivilege Installation
certification. Both definitions are also available in the standard Varonis documentation.
• Base and Managed Folders are the file system directories that are configured within
DataPrivilege to allow users that have been added to a valid DataPrivilege user group to
request access to a folder. Creating a Base or Managed folder does not make any actual
changes to the filesystem.
• Base and Managed Folders are aligned to the file system directories for which Data
Owners are already responsible for governing. Data Owners will see these directories
when they log in to the Data Ownership portion of DataPrivilege via their browser.
• It is important that Base and Managed Folders are protected from changes in permissions
at the parent level so that changes in permissions on the parent level do not propagate
down to the Base or Managed Folder.

OUTCOME: In this lab you will learn how to create Managed Folders and protect them from the
change of permissions on parent folder level using the DataPrivilege GUI.

1. From the left pane click on Management and then on Folder Owner. Expand the Corp
folder in the center pane and then expand Corporate Finances and select Finance. Click
on Add Folder.

2. Click on the ellipsis below Select Folders. Expand Corp, and then expand Corporate
Finances, and then expand Finance, and then select the Cars folder. Click OK.

3. Click Add to move the folder into the bottom pane. Select both permissions that were
created in the previous lab, Modify and Read-Only, by checking the boxes (Note: This will
automatically generate the Active Directory group names). Click Next.

4. Click Next.

5. Click Finish.

6. Expand the Finance folder and select the “Cars” folder. Click Edit Folders.

7. Click on the Make Protected checkbox. This will make the folder protected from the
changes on the Parent level. In Windows, this will remove inheritance from the Parent
folder. Click OK to accept the Warning.

8. Ensure that the “Copy Permissions” checkbox is selected. This will ensure that the
effective permissions will not change. Click Next.

9. Click Finish.

10. Refresh the browser. Browse to the “Cars” folder. Note that it now has the Key icon on it.
That indicates that the folder is protected from the changes on the Parent level. This
folder is now ready to have new groups populated and old groups removed.

In this lab you learned how to create Managed Folders and protect them from permission
changes on the parent folder level using the DataPrivilege GUI.
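Steps 7 and 8 (Make Protected with Copy Permissions) correspond to one operation on the NTFS security descriptor: inheritance from the parent is disabled while the inherited ACEs are converted into explicit ones, so the effective permissions do not change. The PowerShell below is an added example, not code from the Varonis lab manual, showing that operation directly and a check that can be run before and after it. The folder path is a constructed stand-in for the lab's Cars folder.

```powershell
# Added example (not from the Varonis lab manual). Breaks ACL inheritance on a folder
# while keeping the inherited ACEs as explicit entries, which is what DataPrivilege's
# "Make Protected" + "Copy Permissions" does, and verifies the result.
function Protect-FolderFromParent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Equivalent to leaving "Copy Permissions" unchecked: inherited ACEs are dropped
        # instead of copied. Only use this when the folder already carries its own explicit ACL.
        [switch]$DiscardInherited
    )
    $acl = Get-Acl -LiteralPath $Path
    if ($acl.AreAccessRulesProtected) {
        Write-Verbose "$Path is already protected from parent changes"
        return
    }
    # SetAccessRuleProtection(isProtected, preserveInheritance):
    # preserveInheritance = $true copies the inherited ACEs as explicit entries.
    $acl.SetAccessRuleProtection($true, -not $DiscardInherited)
    if ($PSCmdlet.ShouldProcess($Path, 'Break ACL inheritance from parent')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Shows whether a folder is protected (the "key" icon in DataPrivilege) and counts
# explicit vs inherited ACEs so the copy can be verified.
function Get-FolderProtectionState {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Protected     = $acl.AreAccessRulesProtected
        ExplicitAces  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        InheritedAces = @($acl.Access | Where-Object { $_.IsInherited }).Count
    }
}

# Usage (constructed path): record the state, protect, then confirm nothing was lost.
$before = Get-FolderProtectionState -Path 'C:\Shares\Corp\Corporate Finances\Finance\Cars'
Protect-FolderFromParent -Path $before.Path -Verbose
$after  = Get-FolderProtectionState -Path $before.Path
# After protection the inherited count is 0 and the former inherited ACEs are now explicit.
$after.Protected -and ($after.ExplicitAces -eq ($before.ExplicitAces + $before.InheritedAces))
```

Run with -WhatIf first on a production share; once a folder is protected, later permission changes on the parent no longer reach it, which is the intended state for a Base or Managed Folder but surprising for anyone still managing the parent by hand.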

LAB 14: ADDING OWNER RIGHTS TO THE FOLDERS
LEARNING OBJECTIVES: In this lab you will learn about Owner rights and why it’s important
to limit them prior to remediation.

OVERVIEW:
• In Windows, every person who creates a file or a folder becomes its Owner. By default the
Owner has the right to change access to the file or folder even if they don’t have explicit
Full NTFS rights on the share.
• For example, if we create My_Folder on HR_Share, we then have the rights to remove
access from everyone including IT Admins and leave access only for ourselves.
• Because the NTFS Owner is automatically assigned at the time of file or folder creation, it is
important to lower Owner rights from Full to Modify on the top parent folder.
• It’s important to know that Owner rights are always present. If it is not visible on the ACL
then it has Full rights.
• Just like with any change of permissions, please note that on large folders propagation of
this may take time.
• Customers usually prefer to hide this right from the Data Owner view within the
Advanced Administration -> Excluded Groups menu.

Again, using Owner Rights prevents the object owner from having the ability to edit the
permissions. Here is the use case:

1. We spend countless hours remediating permissions.
2. A business user creates a new folder and thus becomes the NTFS Owner of that folder
and the data within.
3. The user, using the ability granted to all owners, starts adding “everyone” back to their
folders, messing up all of the remediation work.

• By applying the Owner Rights identity to the ACL, we can remove the ability of the NTFS
Owner to edit the permissions. This helps to ensure that the remediation work that was
performed stays intact going forward.

OUTCOME: After completing this lab you will know how to prevent folder and file creators from
changing permissions to negate the effects of changing the permissions during the remediation
project.

1. Click on the “Display Path” next to the “Finance” folder.

2. Right-click on the “Controllers” subfolder and select Properties.

3. Select the Security tab and click on Edit.

4. Click the Add button.

5. In the search dialog box type in “own” without quotes and click OK.

6. With “OWNER RIGHTS” highlighted, check “Modify” for the new Owner Rights account.
Click OK twice to close all properties windows and then close Windows Explorer.

After completing this lab you have learned how to prevent folder and file creators in
DataPrivilege from changing permissions to negate the effects of changing the permissions
during the remediation project.
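The same change can be scripted for many top-level folders. The PowerShell below is an added example, not code from the Varonis lab manual: it adds the OWNER RIGHTS identity (the well-known SID S-1-3-4) with Modify as an inheritable ACE, and reports whether the entry is present, since, as the overview notes, an ACL without it leaves the owner with implicit Full Control. The folder path is a constructed stand-in for the lab's Controllers folder.

```powershell
# Added example (not from the Varonis lab manual). Applies OWNER RIGHTS (S-1-3-4) with
# Modify to a folder so creators of files and subfolders cannot rewrite their ACLs,
# then checks for the entry.
function Set-OwnerRightsLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # S-1-3-4 is OWNER RIGHTS. It is not CREATOR OWNER (S-1-3-0), which is an inheritable
    # placeholder replaced by the creator's own SID; OWNER RIGHTS caps what the current
    # owner of an object is allowed to do, including editing its DACL.
    $ownerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $ownerRights,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -LiteralPath $Path
    # SetAccessRule replaces an existing Allow ACE for the same identity instead of
    # stacking a second one, so re-running is safe.
    $acl.SetAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Limit OWNER RIGHTS to $Rights")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Reports the effective OWNER RIGHTS ACE. No entry means the owner keeps implicit
# Full Control, which is the state the remediation is trying to remove.
function Get-OwnerRightsState {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so the check does not depend on name translation.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ace = $rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' } | Select-Object -First 1
    [pscustomobject]@{
        Path               = $Path
        OwnerRightsPresent = [bool]$ace
        OwnerRights        = $(if ($ace) { $ace.FileSystemRights.ToString() } else { 'FullControl (implicit, no ACE)' })
        Inherited          = $(if ($ace) { $ace.IsInherited } else { $null })
    }
}

# Usage (constructed path). Preview with -WhatIf first on large trees: an inheritable ACE
# rewrites the ACL of every child object and propagation can take a while.
$controllers = 'C:\Shares\Corp\Corporate Finances\Finance\Controllers'
Set-OwnerRightsLimit -Path $controllers -WhatIf
Set-OwnerRightsLimit -Path $controllers
Get-OwnerRightsState -Path $controllers
```

Because the ACE is inheritable, running Get-OwnerRightsState on any subfolder should show the entry with Inherited set to True; a subfolder that reports no entry is one that has broken inheritance and needs the same treatment on its own.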

LAB 15: MOVING USERS FROM LEGACY GROUPS INTO NEW ONES
LEARNING OBJECTIVES: In this lab you will learn how and why we recommend creating new
groups and moving existing users into these groups to ensure appropriate access levels. This will
be performed without impacting existing business processes.

OVERVIEW:
• Most organizations don’t have dedicated groups governing access to folders used by these
groups. Instead administrators use existing team/department groups to allow access to
folders. This presents two problems: a) excessive permissions as usually not everyone in
a group works with the same set of data and b) when deciding to grant a user access to
data, it’s not clear which group that person should be added to, especially if the same
group gives access to more than one folder.
• The best method to achieve a least-privilege model is to establish the type of access each
individual employee needs, opposite of the old method of role-based security. Two types
of access that are usually needed are Read-Execute access and Modify access. For each
type of access we will create a new corresponding group. This will ensure a one-to-one
relationship between data and the group requiring access to that data. This eliminates the
risk where adding a user to a group will inadvertently grant that user access to data the
individual should not have access to.
• Once these new groups are created, users can be added to them, thus maintaining the
effective permissions that the user had with the old group. Old groups will later be
removed from the ACL.
• It’s important to allow at least 72 hours between copying users to the new groups and
removing old groups from the ACL. This will ensure that a new authentication token is
generated and that the user does not have to log off their Windows session to maintain
their access. Again, the goal is to make the entire process non-disruptive for the
end-user.
• The Varonis Bulk Upload Utility (BUU) is a standard utility that comes as part of the
DataPrivilege installation. It has to be installed separately and if DataPrivilege is
upgraded, the BUU needs to be upgraded to match the version.
• In this lab the BUU has already been pre-installed.

OUTCOME: After this lab you will be able to explain to the customer why it’s best to create new
groups to allow for one-to-one relationships between Data Access groups and Data folders.

1. Double-click on the Bulk Upload Utility icon on the desktop.

2. Click the Export radio button. We will export the existing folders to get the formatting for
the upload report. Click Next.

3. Click Finish once the export process is completed.

4. On the desktop, open Bulk Upload Reports folder.

5. Find the report you just created and open it (it will have today’s date in the file name).

6. You will be working with the Managed Folder Cars. Click on the ManagedFolders tab and
copy the data in cell B4.

7. Click on the MergeGroups tab, and paste the data from above into cell A2. This will point
the template to the Cars folder.

8. Type “Modify” into cell B2. This will make the template work with the Modify permission
that you had identified in Lab 12.

9. Type “corp\Group_Finance” into cell C2 in the MergeGroups tab. Group_Finance is the
Source group where the user accounts will be copied from.

10. Type “X” into cell D2 in the MergeGroups tab. That means that we do want to “flatten”
all embedded groups and copy their members into the new Destination group.

To summarize you just prepared the template to copy all of the users from the group
“Group_Finance” (including members of any nested groups inside of “Group_Finance”)
into a new group that will have an auto-generated name, and will be assigned Modify
permissions in accordance with the Permission Masks set in Lab 12.

11. Save the spreadsheet as ImportTemplate.xls on the desktop and then close Excel.

12. Open the Bulk Upload Utility again from the desktop.

13. Keep the radio button option in the Upload position and click Next.

14. Click on Browse and select the saved spreadsheet from above.

15. Select Merge Groups and then click Next.

16. Wait until the process is completed and click Finish to close the window.

17. Switch back to the DataPrivilege window and hit Refresh. Browse to and select the
Finance\Cars folder. In the Permissions pane expand the new Modify group. You will see the
group members copied from Group_Finance.

18. You can now remove the old group. Click on Group_Finance to select it, and then click on
the Remove Permission button. The Active Directory group created by DataPrivilege will take
over granting access to this folder.

Warning: In real customer environments, it is recommended to wait at least 72 hours
between populating new groups and removing the old one, in order to allow enough time
for the authentication token to refresh. Otherwise users may have to log off and log back
into their systems to take advantage of the new permissions.

19. In the “Reason for removing direct permissions” box type in Remediation. Click OK.

20. Wait for the process to be completed. Hit Refresh in the browser, browse back to the Cars
folder, and select it. The old group is now removed from the ACL and is no longer
displayed in the Permissions pane.

In this lab you learned how to use the Bulk Upload Template that comes with DataPrivilege to
create a new group and copy all users from the existing group into the new group. The same
template was used to assign the new group with Modify permissions to the folder.
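The MergeGroups template does two things that are worth understanding independently of the BUU: it flattens the source group (nested groups are expanded to their leaf users) and copies those users into the destination group, after which the 72-hour wait applies before the old group leaves the ACL. The PowerShell below is an added example, not code from the Varonis lab manual or the BUU, doing the same copy with the ActiveDirectory module and adding the parity check a practitioner wants before step 18. Group_Finance is the lab's source group; the destination group name is a constructed stand-in for the auto-generated DataPrivilege group.

```powershell
# Added example (not from the Varonis lab manual; an alternative to the BUU MergeGroups
# template). Copies the flattened membership of a legacy group into a new access group
# with the ActiveDirectory module and checks parity before the old group is removed.
Import-Module ActiveDirectory

function Copy-FlattenedGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceGroup,
        [Parameter(Mandatory)][string]$DestinationGroup
    )
    # -Recursive expands nested groups and returns the leaf objects, which is what the
    # "X" in the Flatten column of the MergeGroups template requests. Only user objects
    # are copied; computers and foreign security principals are counted, not moved.
    $leafMembers = Get-ADGroupMember -Identity $SourceGroup -Recursive
    $users   = @($leafMembers | Where-Object objectClass -eq 'user')
    $skipped = @($leafMembers | Where-Object objectClass -ne 'user')
    $already = @(Get-ADGroupMember -Identity $DestinationGroup | Select-Object -ExpandProperty distinguishedName)
    $toAdd   = @($users | Where-Object { $_.distinguishedName -notin $already })
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($DestinationGroup, "Add $($toAdd.Count) user(s) from $SourceGroup")) {
        Add-ADGroupMember -Identity $DestinationGroup -Members $toAdd
    }
    # The 72-hour wait from the overview starts when the copy completes; record it.
    [pscustomobject]@{
        SourceGroup      = $SourceGroup
        DestinationGroup = $DestinationGroup
        Added            = $toAdd.Count
        AlreadyPresent   = $users.Count - $toAdd.Count
        SkippedNonUsers  = $skipped.Count
        CopiedAt         = Get-Date
        EarliestRemoval  = (Get-Date).AddHours(72)
    }
}

# Parity check to run before removing the legacy group from the ACL (step 18): every
# flattened user of the source must be a direct member of the destination.
function Test-GroupMembershipParity {
    param(
        [Parameter(Mandatory)][string]$SourceGroup,
        [Parameter(Mandatory)][string]$DestinationGroup
    )
    $src = @(Get-ADGroupMember -Identity $SourceGroup -Recursive | Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName)
    $dst = @(Get-ADGroupMember -Identity $DestinationGroup | Select-Object -ExpandProperty SamAccountName)
    $missing = @($src | Where-Object { $_ -notin $dst })
    [pscustomobject]@{
        Missing              = $missing
        SafeToRemoveOldGroup = ($missing.Count -eq 0)
    }
}

# Usage: -WhatIf previews without touching Active Directory.
Copy-FlattenedGroupMembers -SourceGroup 'Group_Finance' -DestinationGroup 'DP_Finance_Cars_Modify' -WhatIf
Copy-FlattenedGroupMembers -SourceGroup 'Group_Finance' -DestinationGroup 'DP_Finance_Cars_Modify'
Test-GroupMembershipParity -SourceGroup 'Group_Finance' -DestinationGroup 'DP_Finance_Cars_Modify'
```

Two caveats for large environments: Get-ADGroupMember -Recursive is subject to the Active Directory Web Services result limit (5,000 entries by default), so very large legacy groups need to be expanded in another way, and membership in trusted domains or through foreign security principals is not flattened by this call and shows up in SkippedNonUsers for manual review.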

LAB 16: PROPAGATING PERMISSIONS DOWN THE FOLDER TREE

LEARNING OBJECTIVES: In this lab you will learn why and how to propagate permissions
down, from the folder tree that’s being remediated.

OVERVIEW:
• Because permissions are managed on the Base Folder level in DataPrivilege, it’s important
to make sure that all subfolders below the Base Folder fully inherit permissions from the
Base Folder.
• It is beneficial to check the number of nested objects within the Base Folder in order to
estimate the time it takes to propagate permissions through the folder structure. If the
number of objects exceeds 100,000, and it appears that all files and folders already
inherit permissions from the parent folder, report 4F with the filter Unique Permissions =
True can be run to check if propagation is needed.
• In situations where there is one or more subfolders with truly unique permissions, a so-
called “Managed folder” can be created in DataPrivilege underneath the Base Folder.

OUTCOME: You will learn how to propagate permissions from the Base Folder and be able to
explain to the customer why it’s required.

NOTE: The following process is essential for managing permissions within DataPrivilege; however,
the actual procedure must be performed outside of DataPrivilege. In this example, the Legal
folder is managed within DataPrivilege, but within this folder there is a file named
“payments2K6.xls” whose permissions are not being propagated from the parent folder.

In this situation, if a Data Owner added or removed a user from the group controlling access to
the Legal folder, the permissions to the excel file would not be changed. Therefore, a Data
Owner would not be in full control of all the data within the folder. Again, to prevent such
situations you can employ a propagation method to ensure that all subfolders and files within a
Managed folder fully inherit all of the permissions.

1. Open DatAdvantage if not already open.

2. In the Work Area, browse to the Legal folder, right click on it and then select Properties.

3. Click on the Security tab and click Advanced.

4. Click on Change Permissions.

5. Click on the “Replace all child object permissions” checkbox and then click OK. Accept the
warning when prompted.

6. Wait for the process to complete and then Click OK to close all permission and properties
windows. Now all the items inside the Legal folder are inheriting permissions. The results
will be visible in the Work Area once the full Filewalk and Pullwalk jobs are completed.

In this lab you learned how to propagate permissions from the Base Folder and explain to the
customer why it’s needed.
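The two halves of this lab, checking whether any object under the Base Folder has unique permissions (the report 4F check from the overview) and then replacing all child object permissions, can both be done from the command line. The PowerShell below is an added example, not code from the Varonis lab manual: the first function walks the tree and lists objects that either block inheritance or carry explicit ACEs, and the second performs the reset with icacls, restricted to children so the Base Folder's own ACL is left alone. The Legal share path is a constructed placeholder.

```powershell
# Added example (not from the Varonis lab manual). Finds children of a Base Folder that do
# not fully inherit (what report 4F with Unique Permissions = True surfaces) and performs
# "Replace all child object permissions" from the command line.
function Find-UniquePermissions {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # no read access to the security descriptor; skip it
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        # Either condition means a group change on the Base Folder would not reach this object.
        if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
            [pscustomobject]@{
                Path               = $_.FullName
                IsContainer        = $_.PSIsContainer
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAces       = $explicit.Count
            }
        }
    }
}

function Reset-ChildPermissions {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    # icacls /reset replaces an object's ACL with the ACEs it inherits from its parent.
    # The trailing \* limits the operation to children, so the Base Folder's own explicit
    # ACL (the DataPrivilege groups) is untouched; /T recurses, /C continues past locked
    # or inaccessible objects, /Q suppresses the per-file success lines.
    if ($PSCmdlet.ShouldProcess($Path, 'Replace all child object permissions with inheritable permissions')) {
        & icacls.exe "$Path\*" /reset /T /C /Q
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls exited with $LASTEXITCODE; re-run Find-UniquePermissions to see what was skipped"
        }
    }
}

# Usage (constructed path for the lab's Legal folder). Count first on large trees; the
# overview suggests checking above 100,000 objects before committing to a full propagation.
$legal  = 'C:\Shares\Legal'
$unique = @(Find-UniquePermissions -Path $legal)
"$($unique.Count) objects under $legal have unique permissions"
$unique | Format-Table Path, InheritanceBlocked, ExplicitAces -AutoSize
if ($unique.Count -gt 0) { Reset-ChildPermissions -Path $legal -WhatIf }
```

One caveat follows from the overview's last bullet: a Managed folder deliberately protected under the Base Folder (Lab 13) has unique permissions by design, and a reset from the Base Folder would wipe that protection. Review the Find-UniquePermissions output for such folders first and propagate from each of them separately instead of from the Base Folder above them.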

LAB 17: HIDING THE IT ADMINISTRATIVE GROUP WITHIN DATAPRIVILEGE
LEARNING OBJECTIVES: In this Lab you will learn how to conceal Administrative groups from
the Data Owner’s view.

OVERVIEW:
• An IT Administrative group with FULL control is always required on each folder. Many
times this is the same group that contains the Varonis service account. Data Owners do
not always understand the necessity for Administrators to have access to their data.
Therefore it is a best practice to conceal these administrative groups from the Data
Owner’s view within DataPrivilege so that they do not become confused when reviewing
the ACLs during Entitlement Reviews.

OUTCOME: In this lab you will learn how to exclude Administrative groups from the Data
Owners view and be able to explain why it is needed in most environments.

1. Open DataPrivilege if not already open and click on Management, and then on Folder
Owner.

2. Expand Corp, expand Corporate Finances, and then expand Finance and then select the
Cars folder. Notice that there is an IT Administrative group in the Permissions pane called
“sec_IT-System”. That’s the group that we will conceal from the Data Owners’ view because
they will not be managing access of IT Administrators.

3. Click on Advanced Administration and then on Excluded Groups. Click Add.

4. Click on the ellipsis. Type “sec_IT-s” into the search box in order to find the
Administrative group that needs to be hidden. Select it and then click OK.

5. Click Add to move the group down, and then click OK.

6. Notice the group is now listed in the Excluded Groups pane. The group will disappear
from the view in the Permissions pane after the nightly DP filewalk job is run.

In this lab you learned how to exclude Administrative groups from the Data Owners view and
explain to the customer why it’s needed.

LAB 18: CHECKING FOR PERMISSION CHANGES PERFORMED OUTSIDE OF DATAPRIVILEGE

LEARNING OBJECTIVES: In this Lab you will learn which reports to run during a remediation
engagement to monitor if changes are made outside of DataPrivilege.

OVERVIEW:
• Even if the IT department notifies Administrators that a remediation project is underway,
there is a risk that IT administrators may change permissions and reverse the results of the
remediation project. This is especially true for decentralized multi-national IT divisions.
• The only proactive way to prevent this is to remove permissions from all IT Administrators
excluding the designated DP Administrative group, and make sure that the DataPrivilege
deployment is communicated widely across all IT departments and teams.
• Every night DataPrivilege checks for permission changes. If a change is made outside of
DP, the change will be flagged by DP as being performed outside of DataPrivilege. It’s
important to review this report and address such issues immediately and proactively.

OUTCOME: In this lab you will learn how to make sure that all permission changes in the
environment were made via DataPrivilege.

1. Click on Reports and then click on Synchronization.

2. Click on Add. Select Timestamp from the drop down menu and change it to between April
5, 2014 and today’s date. Click on Run (it may take a few moments for the report to
appear).

3. In the report that appears you can see that Maria Hirasaki and others were removed from
Group_Finance outside of DataPrivilege.

In this lab you learned how to make sure that all permission changes in the environment are
made via DataPrivilege.
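The Synchronization report works by comparing what DataPrivilege committed with what is actually on the ACLs and in the groups. The same idea can be applied by an engineer between nightly runs, or on folders not yet under DataPrivilege, by keeping a baseline and diffing against it. The PowerShell below is an added example, not code from the Varonis lab manual or a DataPrivilege feature: it snapshots the explicit ACEs of managed folders and the direct membership of their access groups to a JSON file, and later reports every ACE or member that was added or removed, which is the kind of change the lab's example (users removed from Group_Finance) would show up as. Paths and the baseline file location are constructed.

```powershell
# Added example (not from the Varonis lab manual). A lightweight stand-in for the nightly
# DataPrivilege synchronization check: snapshot explicit ACEs and direct group membership
# to JSON, then diff a later snapshot against it.
Import-Module ActiveDirectory

function Get-AccessSnapshot {
    param(
        [Parameter(Mandatory)][string[]]$Folder,
        [string[]]$Group = @()
    )
    foreach ($f in $Folder) {
        $acl = Get-Acl -LiteralPath $f
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # inherited ACEs change with the parent, not here
            [pscustomobject]@{
                Kind    = 'Ace'
                Object  = $f
                Subject = $ace.IdentityReference.Value
                Value   = "$($ace.AccessControlType):$($ace.FileSystemRights)"
            }
        }
    }
    foreach ($g in $Group) {
        foreach ($m in Get-ADGroupMember -Identity $g) {
            [pscustomobject]@{ Kind = 'Member'; Object = $g; Subject = $m.SamAccountName; Value = $m.objectClass }
        }
    }
}

function Save-AccessBaseline {
    param([Parameter(Mandatory)][string]$OutFile, [Parameter(Mandatory)][string[]]$Folder, [string[]]$Group = @())
    # -InputObject with @() keeps a single-entry snapshot serialised as a JSON array.
    ConvertTo-Json -InputObject @(Get-AccessSnapshot -Folder $Folder -Group $Group) -Depth 3 |
        Set-Content -LiteralPath $OutFile
}

function Compare-AccessBaseline {
    param([Parameter(Mandatory)][string]$BaselineFile, [Parameter(Mandatory)][string[]]$Folder, [string[]]$Group = @())
    $toKey  = { "$($_.Kind)|$($_.Object)|$($_.Subject)|$($_.Value)" }
    $before = [string[]]@(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json | ForEach-Object $toKey)
    $now    = [string[]]@(Get-AccessSnapshot -Folder $Folder -Group $Group | ForEach-Object $toKey)
    $beforeSet = [System.Collections.Generic.HashSet[string]]::new($before)
    $nowSet    = [System.Collections.Generic.HashSet[string]]::new($now)
    $changes = @(
        $now    | Where-Object { -not $beforeSet.Contains($_) } | ForEach-Object { @{ Change = 'Added';   Key = $_ } }
        $before | Where-Object { -not $nowSet.Contains($_) }    | ForEach-Object { @{ Change = 'Removed'; Key = $_ } }
    )
    foreach ($c in $changes) {
        $kind, $object, $subject, $value = $c.Key -split '\|', 4
        [pscustomobject]@{ Change = $c.Change; Kind = $kind; Object = $object; Subject = $subject; Value = $value }
    }
}

# Usage (constructed paths and groups). Take the baseline right after a DataPrivilege
# commit; a later difference that no DataPrivilege commit accounts for was made outside it.
$folders  = @('C:\Shares\Corp\Corporate Finances\Finance\Cars')
$groups   = @('Group_Finance')
$baseline = "$env:USERPROFILE\Documents\access-baseline.json"
Save-AccessBaseline -OutFile $baseline -Folder $folders -Group $groups
Compare-AccessBaseline -BaselineFile $baseline -Folder $folders -Group $groups |
    Format-Table Change, Kind, Object, Subject, Value -AutoSize
```

The snapshot deliberately records only explicit ACEs: inherited ones are a consequence of the parent's ACL, so a change there shows up once, on the parent, rather than once per child. Refresh the baseline after each approved DataPrivilege commit so the diff stays limited to changes that bypassed it.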

SUMMARY OF THE REMEDIATION PROCESS

To recap, below are the steps and knowledge transfer that the labs provided:

Section 1:
LAB 1: During this lab you ran the Pre-Remediation Assessment Reports which were used to
determine the initial state of risk in the customer’s environment.
LAB 2: This Lab demonstrated how to identify and repair Broken Access Control Lists using both
the DatAdvantage GUI and Reports.
LAB 3: The area of highest risk in most companies is when Global Groups are used to provide
access to folders. In this lab you learned how to identify where Global Groups exist, and
model the removal of these groups to ensure a least privilege model.
LAB 4: The second area of highest risk in most organizations occurs when users have access to
data that they don’t need access to. In this lab you learned about DatAdvantage
Recommendations and how to use them to reduce over-permissive access.
LAB 5: In this lab you determined how to identify which data has not been used and can be
safely archived or deleted.
LAB 6: Many customers delete user accounts without regard for the impact on an ACL. In this
lab you learned how to identify and remove unnecessary Security Identifiers (SIDs) from an
ACL.
LAB 7: The best practice for granting access to data is by adding a user to an Active Directory
group. Many customers ignore this and add a user directly to an ACL. In this lab you
identified where these issues exist and remediated them.
LAB 8: In this lab you identified which accounts have non-expiring passwords and corrected this
issue to ensure that a proper password change policy exists.
LAB 9: In this lab you identified the AD groups which did not contain any users and eliminated
them.
LAB 10: In this final lab of Section One, you reproduced the reports generated in Lab 1 (the
initial assessment), and reviewed the progress made in the remediation process.

Section 2:
LAB 11: During this lab you learned how to establish what server commits the change
(Committing) applied within DataPrivilege and why this knowledge is important.
LAB 12: It’s important to define Permission Masks prior to the start of the remediation. In this
lab you learned how to create the most common permission masks.
LAB 13: This lab walked you through creating Managed folders while using the DataPrivilege
GUI.
LAB 14: Without proactively limiting NTFS Owner rights, remediation can be reversed. You
learned how to set these rights as one of the initial steps in remediation.
LAB 15: The Bulk Upload Utility is a tool that allows for remediation on a large scale. You learned
the most common workflow for this tool.
LAB 16: In order to allow Data Owners to be in full control of access to their data, you need to
make sure that all files and folders within Base or Managed folders are fully inheriting
permissions. You learned how to do so in this lab.
LAB 17: There will always be an IT Administrative group with Full NTFS permissions on each
folder. Because Data Owners will not manage members of that group, you learned how to
hide it from the view.
LAB 18: Lastly during any long remediation process there may be IT staff bypassing
DataPrivilege and making changes without a Data Owner’s approval. To stay on top of this
potential issue, you learned how to use the Synchronization report.
