# Dataforth — File Shares & Permissions Remediation: Roadmap

**Owner:** ACG (Howard) · **Client:** Dataforth (Dan Center, primary IT contact)
**Started:** 2026-06-10 · **Status:** Phase 0 complete; Phase 1 (client input) pending email

**Goal:** Move Dataforth from "every share open to every employee" to a **least-privilege, department-based access model** built on AD security groups, with sensitive data (payroll, OSHA, financials) properly restricted — without breaking the DOS/test-datasheet infrastructure or the in-flight post-ransomware file-recovery audit.

Related docs: [current-state-2026-06-10.md](./current-state-2026-06-10.md) (plain client-facing overview) · [acl-audit-detail-2026-06-10.md](./acl-audit-detail-2026-06-10.md) (internal technical baseline) · [discovery-email-draft.md](./discovery-email-draft.md) (client ask)

---

## Why now

The 2026-06-10 read-only audit confirmed: all eight business shares grant access to all staff via `Everyone` / `Domain Users`, with `Domain Users:FullControl` on four of them (archive, sales, Engineering, sage). Payroll, OSHA injury logs, purchase orders, and accounting data are readable and writable by every employee. This is both a security/insider-risk problem and a compliance gap, and it follows a 2025 ransomware incident — tightening share access materially reduces the blast radius of any future credential compromise, because ransomware running under one compromised account can only encrypt what that account can write.

---

## Guiding principles (target model)

- **Department-based AD security groups**, granted on resources; users join groups. Naming: `SG-<Department>-<RW|RO>` (e.g. `SG-Sales-RW`, `SG-Accounting-RW`, `SG-Engineering-RO`).
- **Least privilege:** users get **Modify** (not Full); only Administrators/owners get FullControl (FullControl would let any member rewrite the ACL or take ownership). Remove `Everyone`. Replace blanket `Domain Users` with department groups.
- **Access-Based Enumeration (ABE)** on every share so users see only what they can open (a visibility aid, not an access control; NTFS still decides).
- **Share ACL = permissive, NTFS = authoritative** (standard pattern): set the share to `Authenticated Users:Full` (or the relevant groups) and enforce real access at NTFS via groups. `test` is the one exception: its DOS guest access is not an authenticated user, so it keeps its current share ACL.
- **Sensitive shares isolated:** Payroll/HR, OSHA, Accounting/Finance get their own restricted groups, broken inheritance, no `Domain Users`.
- **Infra/app shares excluded** from the department model and handled case-by-case: `test` (DOS/SMB1 guest — leave open), `webshare` (preserve `svc_testdatadb`), `ITSvc` (IT-RW + computers/all-RO), `NETLOGON`/`SYSVOL` (never touch).
- **Change is staged and reversible:** snapshot every ACL before change; one share at a time; pilot user validation before flipping `Everyone`/`Domain Users` off.

---

## Phases

### Phase 0 — Discovery (DONE 2026-06-10)

- [x] Read-only enumeration of shares, top-level folders, share ACLs, NTFS root ACLs on AD1/AD2/FILES-D1/SAGE-SQL.
- [x] Baseline written: `current-state-2026-06-10.md`.
- [x] Confirmed: no department groups; Domain Users has Modify/Full on all shares; sensitive data exposed.

### Phase 1 — Client input (BLOCKING — pending)

Send the discovery email to Dataforth and capture their answers. We need:

1. **Department list** confirmed/corrected (starter list in the email).
2. **Department → share access matrix** — for each share: which departments get **Read/Write**, **Read-Only**, or **No access**.
3. **Sensitive-data rules** — who exactly may access Payroll, OSHA, Purchase Orders, Accounting/Sage (named people or a small group).
4. **Department rosters** — which employees belong to which department (or an org chart, or they map names to departments).
5. **Legacy cleanup decisions** — which "Do not use"/person-named/legacy folders can be archived or deleted.
6. **Special cases** — execs who see everything, individuals with cross-department needs, external/contractor access.

- [ ] Email sent (recipients to be set by ACG).
- [ ] Replies received and logged into this folder.
### Phase 2 — Target-state design (after Phase 1)

- [ ] Build the **AD security group list** (per share/department, RW + RO variants) with the naming convention.
- [ ] Build the **permission matrix**: groups × shares with explicit Modify/Read/none.
- [ ] Decide **structure changes**: folder consolidation, legacy archive/delete list, whether to recreate the missing `staff` share, Engineering volume/letter cleanup.
- [ ] Decide **drive-mapping changes** (GPO) — keep current letters or map by group.
- [ ] Plan handling of the four special shares (test/webshare/ITSvc/sage-app).
- [ ] **Sign-off from Dataforth** on the matrix before any change.

### Phase 3 — Build (staged, reversible)

- [ ] Snapshot/export current ACLs for every share: NTFS via `icacls /save` with `/t` (restorable with `icacls /restore`) or a `Get-Acl` export, plus the share-level ACL (`Get-SmbShareAccess`) → store in this folder.
- [ ] Create AD security groups; populate membership from the rosters.
- [ ] Per share, in a controlled order (lowest-risk first, e.g. `archive` → `sales` → `e-drive`/`c-drive` → `Engineering` → sensitive last):
  - Break inheritance where needed, add department groups (Modify), keep SYSTEM/Administrators Full.
  - Apply ABE; set share ACL to permissive.
  - **Leave `Domain Users`/`Everyone` in place initially** (additive) and validate with a pilot user in each department.
- [ ] Update GPO drive mappings if the model changes letters/targets.

### Phase 4 — Cutover & validate

- [ ] Per share, once validated: **remove `Everyone` and `Domain Users`** (the enforcement step). Check first that every department group from the matrix actually has an ACE on the share root; removing the broad principals with no group in place takes the share dark for everyone but Administrators.
- [ ] Walk each department through their access; resolve "I can't get to X" tickets quickly (add to group, not re-open the share; the user has to log off and back on before the new group is in their token).
- [ ] Lock down the sensitive shares last, with explicit HR/Accounting confirmation.
- [ ] Archive/remove approved legacy folders (after the migration-gap audit clears them).

### Phase 5 — Document & handoff

- [ ] Update the Dataforth wiki (shares map + new group model + matrix).
- [ ] Record the group→share matrix as the source of truth in this folder.
- [ ] Vault any new service accounts (none expected).
- [ ] Set a review cadence (e.g. quarterly access review with Dan/HR).
- [ ] Bill per phase against the prepaid block (live-check `GET /customers/578095`).

---

## Risks & watch-items

- **Breaking app dependencies:** DOS stations (`test`), datasheet pipeline (`webshare`/`svc_testdatadb`), Sage (`sage` app paths), GageTrak, Epicor shortcuts. Validate before removing broad access.
- **Migration-gap audit overlap:** don't delete/move data the review-only audit still needs; sequence cleanup after it clears each share.
- **AD1 C: 90% full:** no staging copies on AD1; the Engineering restructure needs a destination decision.
- **Hidden hard-coded UNC paths:** scripts/apps may reference `\\server\share\...` with assumed open access — surface these during pilot validation.
- **Double-hop limitation** (Kerberos credentials don't forward from a remote session to a second server): ACL changes run locally on each file server (as SYSTEM via RMM) — fine; cross-server file moves use the documented GPO-mapped-drive workaround.
- **Single point of contact:** confirm Dan Center is authoritative for access decisions, or who signs off on the sensitive-data rules (likely needs HR/Finance input).

---

## Open questions for ACG (internal, before/with the email)

- Confirm email recipients/sender (Dan Center primary; CC Kevin Wackerly? Mike or Howard sending?).
- Is HR/Finance input needed directly for payroll/OSHA/PO rules, or does Dan relay?
- Do we recreate the missing `staff` share in this project or keep it separate?
- Budget/timeline expectations (prepaid block — scope the build phase into billable chunks).
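---

## Appendix — worked example of the Phase 3 / Phase 4 steps for one share

The following PowerShell walks one share through the target model from Guiding principles, the Phase 3 build steps (snapshot, groups, additive NTFS grants, permissive share ACL, ABE) and the Phase 4 enforcement step (remove `Everyone`/`Domain Users`, with a guard). It is an added illustration by the editor, not a script from the ACG engagement or from Dataforth. The share name `sales`, the path `D:\Shares\sales`, the groups `SG-Sales-RW`/`SG-Sales-RO`, the snapshot folder `C:\ACG\acl-snapshots`, and the `SG-` prefix used by the guard are assumptions. It needs the RSAT `ActiveDirectory` module and the built-in `SmbShare` module, and runs locally on the file server as an administrator (per the double-hop note above).

```powershell
#Requires -RunAsAdministrator
# Added example (editor), not ACG's own tooling. Assumed for illustration: share 'sales'
# at D:\Shares\sales, groups SG-Sales-RW / SG-Sales-RO, snapshots under C:\ACG\acl-snapshots.
Import-Module ActiveDirectory   # RSAT: Get-ADDomain / Get-ADGroup / New-ADGroup
Import-Module SmbShare          # built in: Get-SmbShareAccess / Grant-SmbShareAccess / Set-SmbShare
$ErrorActionPreference = 'Stop'
$Domain = (Get-ADDomain).NetBIOSName

# Phase 3, step 1: snapshot NTFS (icacls /save, restorable) and the share-level ACL.
function Save-AclSnapshot {
    param([string]$ShareName, [string]$SharePath, [string]$SnapshotDir = 'C:\ACG\acl-snapshots')
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $ntfs  = Join-Path $SnapshotDir "$ShareName-$stamp.acl"
    # /t recurses, /c continues past access-denied entries. Saved names are relative
    # to the parent folder, so the rollback is:
    #   icacls (Split-Path $SharePath -Parent) /restore $ntfs
    icacls $SharePath /save $ntfs /t /c | Out-Null
    Get-SmbShareAccess -Name $ShareName |
        Export-Csv -Path (Join-Path $SnapshotDir "$ShareName-share-$stamp.csv") -NoTypeInformation
    return $ntfs
}

# Phase 3, steps 2-4: groups, additive NTFS grants, permissive share ACL, ABE.
# Domain Users / Everyone are deliberately left in place at this stage.
function Add-DepartmentAccess {
    param([string]$ShareName, [string]$SharePath, [string[]]$RWGroups, [string[]]$ROGroups = @())
    foreach ($g in ($RWGroups + $ROGroups)) {
        if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope Global -GroupCategory Security `
                        -Description "NTFS access to \\$env:COMPUTERNAME\$ShareName"
        }
    }
    $acl     = Get-Acl -Path $SharePath
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($g in $RWGroups) {   # Modify for department users, never FullControl
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$g", 'Modify', $inherit, $prop, 'Allow'))
    }
    foreach ($g in $ROGroups) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$g", 'ReadAndExecute', $inherit, $prop, 'Allow'))
    }
    Set-Acl -Path $SharePath -AclObject $acl
    # Share ACL permissive (NTFS is the gate); ABE hides folders the user cannot open.
    Grant-SmbShareAccess -Name $ShareName -AccountName 'Authenticated Users' -AccessRight Full -Force
    Set-SmbShare -Name $ShareName -FolderEnumerationMode AccessBased -Force
}

# Phase 4 enforcement, run only after pilot validation. Refuses to proceed unless a
# department (SG-*) ACE is present at the root, so a slip cannot take the share dark.
function Invoke-ShareEnforcement {
    param([string]$ShareName, [string]$SharePath)
    $acl  = Get-Acl -Path $SharePath
    $dept = $acl.Access | Where-Object { $_.IdentityReference.Value -like "$Domain\SG-*" }
    if (-not $dept) { throw "No SG-* ACE on $SharePath; refusing to remove broad access." }
    # Break inheritance at the share root but copy the inherited ACEs (/inheritance:d) so
    # SYSTEM/Administrators survive, then strip the broad principals down the whole tree
    # (/t also catches explicit Domain Users / Everyone entries on subfolders).
    icacls $SharePath /inheritance:d | Out-Null
    icacls $SharePath /remove:g 'Everyone' "$Domain\Domain Users" /t /c | Out-Null
    Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue
    # Report what is left at the root so it can be pasted into the change log.
    (Get-Acl -Path $SharePath).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# Usage for one share, in the staged order the roadmap describes.
$snap = Save-AclSnapshot -ShareName 'sales' -SharePath 'D:\Shares\sales'
Add-DepartmentAccess -ShareName 'sales' -SharePath 'D:\Shares\sales' `
                     -RWGroups 'SG-Sales-RW' -ROGroups 'SG-Sales-RO'
# ... pilot validation with one user per department, then, as a separate change:
# Invoke-ShareEnforcement -ShareName 'sales' -SharePath 'D:\Shares\sales'
```

`Invoke-ShareEnforcement` is intentionally a separate call rather than the tail of the build step, so the additive and enforcement changes land as two change-log entries with the pilot validation between them. Do not run any of this against `test` (it depends on guest access, which `Authenticated Users` excludes), `webshare`, `ITSvc`, or `NETLOGON`/`SYSVOL`; those are handled case-by-case per the Guiding principles. If a share has to be rolled back, restore from the parent folder as the comment in `Save-AclSnapshot` shows, then re-apply the share-level entries from the exported CSV.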