The extraordinary thing about the current Wikileaks news is that the documents were obtained by someone with relatively low-level privileges. In fact, almost all of the documents that turn up on sites like Wikileaks were obtained by people who are in the lower echelons of their organization.
The scale of the Wikileaks information dump indicates a profound failure in the application of security using Access Control Lists (ACLs). The form of ACL that most people reading this article will be familiar with is NTFS and shared folder permissions. One thing I've noticed as both a trainer and as an author is that a lot of experienced people fundamentally misunderstand how permissions work, especially when you combine NTFS with shared folder permissions: the share ACL and the NTFS ACL are evaluated separately, a user gets only the rights that both grant, an explicit Deny beats an Allow, and the user's token carries every group they belong to through any depth of nesting. When you get to the stage of having to work out permissions through memberships of nested groups at both levels, what you generally end up with is an administrator who is flummoxed. Which is why, in all probability (though I can't say for sure), the people who obtained the documents that later leaked were able to do so because the security permissions that protected those documents weren't properly applied. And if they aren't properly applied at places like the US Military or State Department, what are the chances that they are properly applied at the place where you work?
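To make the combination rules concrete, here is a small model of how Windows works out effective access for a user reaching a file over a share. This is an added illustration written for this article, not code from the original page or from Microsoft; the groups, users and ACLs are constructed sample data, and the right set is simplified to read/write/delete. The interesting case is the last user, who is in no group at all and still reads the file because of an Everyone: Read entry on the NTFS ACL, which is exactly the kind of mistake that is hard to see once groups are nested.

```python
"""Model of how Windows works out a user's effective access to a file on a share.

Added illustration written for this article; not code from the original
page. It encodes the rules Windows applies, with constructed sample data:
  * the user's access token contains the user and every group the user
    belongs to, including groups reached only through nested membership,
    plus well-known groups such as Everyone;
  * on a single ACL, a Deny entry matching anything in the token removes
    those rights even if an Allow entry also grants them;
  * otherwise the user receives the union of all matching Allow entries;
  * over a share, effective access is the intersection of what the share
    ACL grants and what the NTFS ACL grants (the more restrictive wins);
    a local logon sees only the NTFS ACL.
"""

# Simplified right set for the model; real NTFS rights are finer grained.
ALL_RIGHTS = frozenset({"read", "write", "delete"})

# Constructed sample directory: group name -> direct members (users or groups).
GROUPS = {
    "Analysts": {"alice", "bob"},
    "Cables-Readers": {"Analysts", "carol"},   # Analysts is nested inside
    "Contractors": {"dave"},
}

# Constructed sample ACLs: (principal, "Allow" | "Deny", rights).
SHARE_ACL = [
    ("Everyone", "Allow", {"read"}),
    ("Cables-Readers", "Allow", {"read", "write"}),
]
NTFS_ACL = [
    ("Cables-Readers", "Allow", ALL_RIGHTS),
    ("Contractors", "Deny", {"read"}),
    ("Everyone", "Allow", {"read"}),           # the over-broad entry
]


def build_token(user, groups):
    """Return the set of principals in the user's token: the user, every
    group containing the user directly or through nesting, and Everyone."""
    token = {user, "Everyone"}
    changed = True
    while changed:                     # fixed-point expansion of nested groups
        changed = False
        for group, members in groups.items():
            if group not in token and token & members:
                token.add(group)
                changed = True
    return frozenset(token)


def evaluate_acl(acl, token):
    """Rights an ACL grants to a token: matching Allows minus matching Denies."""
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal not in token:
            continue
        (denied if kind == "Deny" else allowed).update(rights)
    return frozenset(allowed - denied)


def effective_access(user, groups, share_acl, ntfs_acl):
    """Access over the network: share and NTFS must both grant a right."""
    token = build_token(user, groups)
    return evaluate_acl(share_acl, token) & evaluate_acl(ntfs_acl, token)


def local_access(user, groups, ntfs_acl):
    """Access at the console or via a local path: only NTFS applies."""
    return evaluate_acl(ntfs_acl, build_token(user, groups))


if __name__ == "__main__":
    for who in ("alice", "carol", "dave", "eve"):
        print(f"{who:6} share+NTFS={sorted(effective_access(who, GROUPS, SHARE_ACL, NTFS_ACL))}"
              f"  local={sorted(local_access(who, GROUPS, NTFS_ACL))}")
```

Running it shows alice and carol (both reached through the nested Cables-Readers group) getting read and write over the share but full control locally, dave getting nothing because the Contractors Deny strips the read that Everyone granted, and eve, who is in no group, reading the file over the share anyway. The Windows rules also take ACE order and inheritance into account, which this model leaves out, but for explicit entries the outcome is the same.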
There is no perfect solution that ensures that documents your organization wants kept secret cannot be leaked and posted on the internet. If someone who has legitimate access to a document wants to share it, there is a good chance that they'll be able to do so. What you can do is ensure that low-level people who should not have access to important documents don't have it. A more reliable way of ensuring that a document can only be opened by the people it was meant for is through technologies such as Active Directory Rights Management Services.
AD RMS is a technology that ships with Windows Server: Windows Rights Management Services was a separate download for Windows Server 2003, and AD RMS has been an installable server role since Windows Server 2008. To grossly simplify how AD RMS works: rather than assigning permissions to accounts at the file level, you use digital rights management technology to configure rights at the document level. When you configure rights at the document level, it doesn't matter what NTFS or share permissions are assigned to the file. Unless someone has been given the right to open a document, they can't open it. Because an application can only open protected content after obtaining a use license from the AD RMS cluster, which means the user has to authenticate to it, you can also keep sensitive documents from being opened on computers outside the organization unless you have deliberately set up a trust for them. These rights are enforced by AD RMS-aware applications and managed centrally through Active Directory. AD RMS lets you revoke rights to a document after it has been distributed should you so choose, though a client that already holds a cached use license keeps its access until that license expires, so templates for sensitive material should carry short validity periods. You can also segment a user's rights so that one user can read a document but cannot copy any part of it (Office, for example, blocks Print Screen while protected content is displayed, although this is only as strong as the application enforcing it: a screen-capture tool the application does not control, or a camera pointed at the screen, still works). You can also stop a user from printing a document. AD RMS integrates with Exchange, so people can't forward sensitive messages outside the organization unless they are explicitly given permission to do so. With AD RMS, a document can only be opened by an application that supports AD RMS. The document stays encrypted until someone who has rights to it opens it with an application that can obtain a license to that document from the central AD RMS server. If the application doesn't support AD RMS, the file is unreadable.
What this means, from the perspective of stopping a Wikileaks-type event, is that if someone surfs the organization's file shares and copies everything they have access to onto a local storage device, they won't be able to open those copies unless they have actually been granted the right to do so. 250,000 files obtained from various file shares are pretty useless if you can't open any of them. (Bulk copying from shares is still worth catching in its own right, which is what NTFS object access auditing on the sensitive folders is for.)
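The two paragraphs above describe a flow: the file on the share is ciphertext plus a publishing license naming who may do what; the content key in that license is wrapped so only the AD RMS server can recover it; an application has to ask the server for a use license, which is issued only to a user on the rights list; and the application enforces the rights the use license carries. The following toy model, added here for this article and not AD RMS code or its wire protocol, shows why a copied file is useless to the copier. It uses a SHA-256 counter keystream as a stand-in cipher so it runs with the standard library alone (AD RMS itself uses AES for content and RSA for key wrapping); the server class, users, document and rights list are all constructed for the example.

```python
"""Toy model of the AD RMS publishing-license / use-license flow.

Added illustration written for this article; it is not AD RMS code and
uses a hash-derived stream cipher purely to stay dependency-free (AD RMS
uses AES for content and RSA for key wrapping). What it preserves is the
shape of the design: the file carries ciphertext plus a server-signed
publishing license naming who may do what; the content key in that
license is wrapped so only the server can recover it; an application
must fetch a use license, which the server issues only to a user on the
rights list; and the application enforces the rights in the use license.
Users, document and rights below are constructed sample data.
"""
import hashlib
import hmac
import os


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for counter in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))


class RmsServer:
    """Stand-in for the AD RMS cluster. Holds the only copy of the secret
    that unwraps content keys, and keeps an audit trail of license requests."""

    def __init__(self):
        self._secret = os.urandom(32)   # never leaves the server
        self.audit = []                 # (user, doc_id, granted)

    def _sign(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), "sha256").hexdigest()

    def _wrap_key(self, doc_id: str) -> bytes:
        """Per-document key used to wrap the content key (toy stand-in for
        encrypting it to the server's public key)."""
        return hmac.new(self._secret, b"wrap:" + doc_id.encode(), "sha256").digest()

    @staticmethod
    def _body(doc_id: str, wrapped_hex: str, rights: dict) -> str:
        """Canonical form of the license fields that the signature covers."""
        return f"{doc_id}|{wrapped_hex}|{sorted((u, sorted(r)) for u, r in rights.items())}"

    def publish(self, doc_id: str, content_key: bytes, rights: dict) -> dict:
        """Issue a publishing license: wrapped content key plus rights list,
        signed so the rights list cannot be edited offline."""
        wrapped = xor_stream(self._wrap_key(doc_id), content_key).hex()
        return {"doc_id": doc_id, "wrapped_key": wrapped, "rights": rights,
                "sig": self._sign(self._body(doc_id, wrapped, rights))}

    def issue_use_license(self, pl: dict, user: str):
        """Return a use license for `user`, or None. The publishing license
        signature is checked first, then the rights list; both are audited."""
        expected = self._sign(self._body(pl["doc_id"], pl["wrapped_key"], pl["rights"]))
        genuine = hmac.compare_digest(expected, pl["sig"])
        rights = pl["rights"].get(user) if genuine else None
        self.audit.append((user, pl["doc_id"], rights is not None))
        if rights is None:
            return None
        content_key = xor_stream(self._wrap_key(pl["doc_id"]), bytes.fromhex(pl["wrapped_key"]))
        return {"user": user, "content_key": content_key, "rights": frozenset(rights)}


def protect(server: RmsServer, doc_id: str, plaintext: bytes, rights: dict) -> dict:
    """What an RMS-aware application does on save: fresh content key,
    encrypt, attach the publishing license. This dict is the file on the share."""
    content_key = os.urandom(32)
    return {"ciphertext": xor_stream(content_key, plaintext),
            "publishing_license": server.publish(doc_id, content_key, rights)}


def open_document(server: RmsServer, protected: dict, user: str, action: str = "view") -> bytes:
    """What an RMS-aware application does on open: obtain a use license, then
    enforce the rights it carries. Raises PermissionError if either step fails."""
    lic = server.issue_use_license(protected["publishing_license"], user)
    if lic is None:
        raise PermissionError(f"{user}: no use license for {protected['publishing_license']['doc_id']}")
    if action not in lic["rights"]:
        raise PermissionError(f"{user}: use license does not include '{action}'")
    return xor_stream(lic["content_key"], protected["ciphertext"])


if __name__ == "__main__":
    server = RmsServer()
    cable = protect(server, "cable-0042", b"Embassy reporting, eyes only.",
                    {"alice": ["view"], "carol": ["view", "print"]})
    print(open_document(server, cable, "alice"))          # alice may view
    for user, action in (("alice", "print"), ("bob", "view")):
        try:
            open_document(server, cable, user, action)
        except PermissionError as e:
            print("denied:", e)
    stolen = dict(cable)                                  # bob copies the file and edits the rights list
    stolen["publishing_license"] = dict(cable["publishing_license"], rights={"bob": ["view"]})
    try:
        open_document(server, stolen, "bob")
    except PermissionError as e:
        print("denied:", e)
```

The last case in the demo is the one that matters for the leak scenario: a user with read access to the share can copy the file and can even rewrite the rights list inside it, but the server's signature no longer verifies, so no use license is issued and the ciphertext stays ciphertext. The server's audit list is also the place a real deployment would look for someone requesting licenses for hundreds of documents they have no rights to.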
AD RMS does provide a recovery path: members of the AD RMS super users group can obtain a license to any document protected by the cluster, so an administrator could recover a document they were never directly granted rights to. That group is disabled by default, its membership can be kept to a handful of accounts and audited, and in the cases of the documents turning up in places like Wikileaks, it isn't the sysadmins doing the leaking. At the moment rogue sysadmins aren't the problem, but procedures can be put in place to lock them down as well.
AD RMS is a nifty technology that has been available for Windows Server operating systems for some time. As organizations become more aware of the perils of information leakage (and with the exposure Wikileaks is getting, how can they not be?), they are going to want to look at solutions that minimize the possibility of an embarrassing data dump turning up on a public web site. AD RMS won't prevent all information from leaking, but it will do a better job of stopping leaks than NTFS and shared folder permissions currently do.