Quick viewing(Text Mode)

Security of Client Files in a Network Environment Shared with an Outside Entity

Security of Client Files in a Network Environment Shared with an Outside Entity

Security of Client Files in a Network Environment Shared With an Outside Entity

By the PRI staff

If a law firm is sharing space with another firm or business, can a common local area network (LAN) be used—for example, to share a broadband connection to the Internet? The answer is “Yes” – with a caveat. If a law firm shares a LAN with an outside entity, tight file security must be in place to ensure there is no unauthorized access of client and firm files.

In a pure environment, implementation of “lock-down” levels of file security is possible, but only possible with Windows NT or Windows 2000-level servers properly configured for centralized network file storage. server is another server with superior security.

If the firm us using peer-to-peer networking, i.e. sharing files between workstations, the degree of file system security needed to limit access to client files cannot be accomplished. If this is the case, then the only solution is to split the network, so that each entity -- Law Firm and Company for instance -- is on a segregated LAN segment and therefore cannot see each other’s machines. No between entities could take place in this instance. People within each entity on their own LAN segment could still share files.

If the firm has implemented networked centralized file storage using a Windows NT or Windows 2000-series server operating system, then the server must be installed with hard drives formatted as NTFS (Next Technology File System) rather than FAT32 ( 32 Bit). The difference, for the purpose of this discussion, is the degree of file system security that can be implemented. NTFS is the only Microsoft file system format that allows sufficient access security control over the data file structure adequate to protect client files in a shared server environment. Additionally, all users must log-in to the server for access using a unique user ID and password.

With proper planning and good implementation of file system security, it is possible to protect each entity’s data even if that data resides on the same physical hard drive on the same file server. However, the design and implementation of the firm’s data storage security should be done by a network professional.

Here’s how you might do this.

With a NTFS file system, the administrator can assign various rights to each file and/or directory on an NTFS partition. Rights can be assigned according to individual users, or groups of users, allowing or denying reading, writing, execution, deletion, and other attributes.

The preferred approach to managing file system security is to create group of users and assign rights, depending upon the needs of that group.

It is possible to assign rights to individual users. However, that degree of granularity makes it difficult to administer rights, as users come and go from the organization. Instead, assign the rights to the group, and then add a new user to the appropriate group or groups to which the user should belong. Group membership gives the user the appropriate rights. When a user leaves, simply remove the user from the assigned group(s) to prevent unauthorized access after the departure.

For example, create a group called “Title Company,” and another called “Law Firm.” The Title Company group has assigned rights to those file directories belonging to the Title Company, and no access rights assigned for any Law Firm file directories. The Law Firm gets Law Firm rights, but not Title Company rights. The end result is each can access only appropriate files.

Some Recommendations:

1. Have your service provider verify that all desktop operating systems are Windows NT, 2000 or XP. These are the only ones that support NTFS.

2. If an operating system is found to be something other than one of the three named in Recommendation 1, have your computer service provider upgrade it to NT, 2000 or XP Professional.*

3. If the hard drives on the NT, Windows 2000-series servers are formatted as FAT or FAT32, have your computer service provider those drives to NTFS.

4. Do the same to your desktop hard drives as well. This can be done only on a Windows NT, 2000 or XP machine. /98/ME first must be upgraded to one of the higher-level operating systems.

5. Make sure that access to the server resources requires User Login with a unique user ID and unique password.

6. Have your computer service provider or Administrator create groups, and assign rights to the file system for the groups. Assign users appropriately as members of groups, to give individuals access to appropriate areas of the file structure.

7. Ideally the hierarchical structure of the folders on the storage drive should look something like the diagram at the end of the article. This structure “trees” the Law Firm files separately from the Title Company. This can easily be achieved if you are installing a new server and setting up the storage system for the first time. If you have an existing system, your provider may need to reorganize the file structure.

8. Even though it can be done as described above, PRI recommends that a shared file server or shared network be a last resort. Much preferred is the security which comes from separating the entities entirely – two separate physical networks in every way.

Top View