sync: auto-sync from HOWARD-HOME at 2026-06-10 20:21:07

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-10 20:21:07
2026-06-10 20:21:20 -07:00
parent 9c56690270
commit 83133ddce3
6 changed files with 536 additions and 0 deletions


@@ -0,0 +1,94 @@
# Dataforth — File Shares & Permissions Remediation: Roadmap
**Owner:** ACG (Howard) · **Client:** Dataforth (Dan Center, primary IT contact)
**Started:** 2026-06-10 · **Status:** Phase 0 complete; Phase 1 (client input) pending email
**Goal:** Move Dataforth from "every share open to every employee" to a **least-privilege, department-based access model** built on AD security groups, with sensitive data (payroll, OSHA, financials) properly restricted — without breaking the DOS/test-datasheet infrastructure or the in-flight post-ransomware file-recovery audit.
Related docs: [current-state-2026-06-10.md](./current-state-2026-06-10.md) (plain client-facing overview) · [acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md) (internal technical baseline) · [discovery-email-draft.md](./discovery-email-draft.md) (client ask)
---
## Why now
The 2026-06-10 read-only audit confirmed: all eight business shares grant access to all staff via `Everyone` / `Domain Users`, with `Domain Users:FullControl` on four of them (archive, sales, Engineering, sage). Payroll, OSHA injury logs, purchase orders, and accounting data are readable and writable by every employee. This is both a security/insider-risk problem and a compliance gap, and it follows a 2025 ransomware incident — tightening share access materially reduces blast radius of any future credential compromise.
---
## Guiding principles (target model)
- **Department-based AD security groups**, granted on resources; users join groups. Naming: `SG-<Resource>-<RW|RO>` (e.g. `SG-Sales-RW`, `SG-Accounting-RW`, `SG-Engineering-RO`).
- **Least privilege:** users get **Modify** (not Full); only Administrators/owners get FullControl. Remove `Everyone`. Replace blanket `Domain Users` with department groups.
- **Access-Based Enumeration (ABE)** on every share so users see only what they can open.
- **Share ACL = permissive, NTFS = authoritative** (standard pattern): set share to `Authenticated Users:Full` (or the relevant groups), enforce real access at NTFS via groups.
- **Sensitive shares isolated:** Payroll/HR, OSHA, Accounting/Finance get their own restricted groups, broken inheritance, no `Domain Users`.
- **Infra/app shares excluded** from the department model and handled case-by-case: `test` (DOS/SMB1 guest — leave open), `webshare` (preserve `svc_testdatadb`), `ITSvc` (IT-RW + computers/all-RO), `NETLOGON`/`SYSVOL` (never touch).
- **Change is staged and reversible:** snapshot every ACL before change; one share at a time; pilot user validation before flipping `Everyone`/`Domain Users` off.
---
## Phases
### Phase 0 — Discovery (DONE 2026-06-10)
- [x] Read-only enumeration of shares, top-level folders, share ACLs, NTFS root ACLs on AD1/AD2/FILES-D1/SAGE-SQL.
- [x] Baseline written: `current-state-2026-06-10.md`.
- [x] Confirmed: no department groups; Domain Users has Modify/Full on all shares; sensitive data exposed.
### Phase 1 — Client input (BLOCKING — pending)
Send the discovery email to Dataforth and capture their answers. We need:
1. **Department list** confirmed/corrected (starter list in the email).
2. **Department → share access matrix** — for each share: which departments get **Read/Write**, **Read-Only**, or **No access**.
3. **Sensitive-data rules** — who exactly may access Payroll, OSHA, Purchase Orders, Accounting/Sage (named people or a small group).
4. **Department rosters** — which employees belong to which department (or an org chart / they map names to departments).
5. **Legacy cleanup decisions** — which "Do not use"/person-named/legacy folders can be archived or deleted.
6. **Special cases** — execs who see everything, individuals with cross-department needs, external/contractor access.
- [ ] Email sent (recipients to be set by ACG).
- [ ] Replies received and logged into this folder.
### Phase 2 — Target-state design (after Phase 1)
- [ ] Build the **AD security group list** (per share/department, RW + RO variants) with naming convention.
- [ ] Build the **permission matrix**: groups × shares with explicit Modify/Read/none.
- [ ] Decide **structure changes**: folder consolidation, legacy archive/delete list, whether to recreate the missing `staff` share, Engineering volume/letter cleanup.
- [ ] Decide **drive-mapping changes** (GPO) — keep current letters or map by group.
- [ ] Plan handling of the four special shares (test/webshare/ITSvc/sage-app).
- [ ] **Sign-off from Dataforth** on the matrix before any change.
### Phase 3 — Build (staged, reversible)
- [ ] Snapshot/export current ACLs for every share (`icacls /save` or `Get-Acl` export) → store in this folder.
- [ ] Create AD security groups; populate membership from the rosters.
- [ ] Per share, in a controlled order (lowest-risk first, e.g. `archive``sales``e-drive`/`c-drive``Engineering` → sensitive last):
- Break inheritance where needed, add department groups (Modify), keep SYSTEM/Administrators Full.
- Apply ABE; set share ACL to permissive.
- **Leave `Domain Users`/`Everyone` in place initially** (additive) and validate with a pilot user in each department.
- [ ] Update GPO drive mappings if the model changes letters/targets.
### Phase 4 — Cutover & validate
- [ ] Per share, once validated: **remove `Everyone` and `Domain Users`** (the enforcement step).
- [ ] Walk each department through their access; resolve "I can't get to X" tickets quickly (add to group, not re-open the share).
- [ ] Lock down the sensitive shares last, with explicit HR/Accounting confirmation.
- [ ] Archive/remove approved legacy folders (after the migration-gap audit clears them).
### Phase 5 — Document & handoff
- [ ] Update the Dataforth wiki (shares map + new group model + matrix).
- [ ] Record group→share matrix as the source of truth in this folder.
- [ ] Vault any new service accounts (none expected).
- [ ] Set a review cadence (e.g. quarterly access review with Dan/HR).
- [ ] Bill per phase against the prepaid block (live-check `GET /customers/578095`).
---
## Risks & watch-items
- **Breaking app dependencies:** DOS stations (`test`), datasheet pipeline (`webshare`/`svc_testdatadb`), Sage (`sage` app paths), GageTrak, Epicor shortcuts. Validate before removing broad access.
- **Migration-gap audit overlap:** don't delete/move data the review-only audit still needs; sequence cleanup after it clears each share.
- **AD1 C: 90% full:** no staging copies on AD1; Engineering restructure needs a destination decision.
- **Hidden hard-coded UNC paths:** scripts/apps may reference `\\server\share\...` with assumed open access — surface during pilot validation.
- **Double-hop limitation:** ACL changes run locally on each file server (as SYSTEM via RMM) — fine; cross-server file moves use the documented GPO-mapped-drive workaround.
- **Single point of contact:** confirm Dan Center is authoritative for access decisions, or who signs off on the sensitive-data rules (likely needs HR/Finance input).
---
## Open questions for ACG (internal, before/with the email)
- Confirm email recipients/sender (Dan Center primary; CC Kevin Wackerly? Mike or Howard sending?).
- Is HR/Finance input needed directly for payroll/OSHA/PO rules, or does Dan relay?
- Do we recreate the missing `staff` share in this project or keep it separate?
- Budget/timeline expectations (prepaid block — scope the build phase into billable chunks).
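Review bot: the pilot validation in Phase 3 ("Leave `Domain Users`/`Everyone` in place initially (additive) and validate with a pilot user") cannot confirm that the new department groups grant the right access, because while `Domain Users` still holds Modify/Full on the NTFS root (the Phase 0 finding) every pilot user's access is satisfied by that ACE whether or not the new `SG-<Resource>-<RW|RO>` ACE is correct; an additive step can only show that adding groups broke nothing, and adding groups cannot break anything. Suggest either validating against a staging subfolder that carries the target ACL without `Domain Users`/`Everyone`, or treating the Phase 4 removal on the lowest-risk share (`archive`) as the real pilot immediately after its snapshot, and in either case exercising the `icacls /restore` rollback on that share before touching the next one, so the recovery path is proven rather than assumed. Three smaller points. The share-level grant of `Authenticated Users:Full` in the guiding principles leaves the share layer with no ceiling, so a later NTFS mistake that grants Full is fully exposed through the share; `Change` at the share layer costs nothing under the "NTFS = authoritative" pattern and caps effective rights at Modify. Granting department groups Modify at the share root (Phase 3, "add department groups (Modify)") lets every member rename or delete top-level folders; consider Read/List on the root itself and Modify applied to subfolders and files, which keeps the folder layout stable while still giving users full write inside their areas. Finally, `test` is the one share explicitly exempted from the blast-radius reduction the "Why now" section argues for, and it stays open with SMB1 guest access after a ransomware incident; the Risks section should at least record whether its NTFS grants write to `Everyone` and whether SMB1 is enabled only on that host. One formatting point in Phase 3: the ordering line (`archive``sales``e-drive`/`c-drive``Engineering`) has lost the arrows between the first share names, so the staged order reads as one token; restore the `→` separators so the sequence is unambiguous.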