You also need to account for application-level permissions. Most network applications carry their own access-control model, with several levels of privilege inside the application. A user who is not a network or domain administrator may still hold privileged access inside a particular application, and that access matters just as much as operating system permissions.
In a large organization, it is not unusual for a common network application to have dozens or even a hundred or more admins. If a user's computer is completely compromised, the hacker can reach anything available to that user, including application data.
That hypothetical hacker may not be able to take over the domain or dump other users' passwords, but can download and change any data in the application database. Ultimately, most of today's hackers are after exactly that: application data. They compromise OS accounts and permissions as a way to get to the data.
Note that I haven't included the problems of multiple operating systems, mobile platforms, data copied to nonmanaged systems, access to offline data (such as tape backups), and many more complications. A completely accurate account of what access a particular person has to all the resources in a company would take a granular and comprehensive survey by a very smart tool. That tool does not exist.
I have no doubt vendors will claim their tool can determine who has what access to every object in the environment. I'll be glad to be schooled about a new, great tool. But I've been teaching computer security for more than two decades, including a decade-plus spent working with computer security auditors, and I can tell you that no tool comes close to doing a decent job.
Some tools can search many of the computers in your environment and tell you which users and groups can access particular objects. Just that much information is more than most people have. Most of these tools work by running a query on each computer and compiling all the findings in one large database. You can then query that database to find out who has what access to which files and folders. The per-computer collection is rerun on a schedule to keep the database current.
On the downside, these tools never cover all object types (registry keys, memory areas, metadata); rarely understand the impact of group nesting (a user in group A, where A is itself a member of group B, holds everything granted to B); don't take into account the user's overall access to a computer (a local administrator can take anything on that machine regardless of what the per-object permissions say, and local and remote access may differ); and never cover all operating systems and platforms. But if you don't have a tool that can at least do the basics, you probably need to get one. Otherwise, you won't have a clue as to what is going on.
Allow me to make two other recommendations. First, use groups as much as possible to set permissions. This has long been a best practice for security pros: we want as few access-control entries assigned to individual users as possible. If you can confirm that all access is granted only through group membership, assembling the whole access-control picture becomes a question of group membership, which is much easier to answer.
Second, take advantage of tools that let you set and document access control from a centralized console. Within those tools you can often easily determine who has access to what -- when the access control was set by the tool, that is. Many directory services, applications, and role-based access-control systems have this capability. My only caveat is that they often don't handle group nesting well or apply to all objects in the enterprise. But some centralized control is better than no centralized control.
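As an added example (not code from this column, and not any vendor's tool), here is a small Python script that does in miniature what the survey tools described above do: it compiles per-host ACL findings into a SQLite database, expands nested group membership so that "who has access to what" is answered in terms of accounts rather than group names, and flags entries granted directly to a user, which is the check you would run to confirm that access is granted only through groups. The hosts, paths, groups and accounts are constructed for illustration; the ACE rows stand in for the per-computer query output a real tool would collect.

```python
"""Compile per-host ACL findings into one database and answer "who has access to what".

Added example, not code from the original column or from any vendor tool.
The hosts, paths, groups and accounts below are constructed for illustration.
"""
import sqlite3

# Constructed sample: what a per-host ACL query might return, one row per ACE.
# Columns: host, object type, object path, trustee, permission
ACL_FINDINGS = [
    ("FS01", "folder", r"D:\Finance", r"DOMAIN\Finance-Admins", "FullControl"),
    ("FS01", "folder", r"D:\Finance", r"DOMAIN\Finance-Users", "Read"),
    ("FS01", "registry", r"HKLM\SOFTWARE\PayrollApp", r"DOMAIN\Payroll-Svc", "FullControl"),
    ("APP02", "folder", r"C:\inetpub\payroll", r"DOMAIN\Web-Admins", "Modify"),
    ("APP02", "folder", r"C:\inetpub\payroll", r"DOMAIN\bob", "FullControl"),  # direct user ACE
]

# Constructed sample of directory group membership; a member may itself be a group.
GROUP_MEMBERS = [
    (r"DOMAIN\Finance-Admins", r"DOMAIN\IT-Ops"),
    (r"DOMAIN\IT-Ops", r"DOMAIN\alice"),
    (r"DOMAIN\Finance-Users", r"DOMAIN\Finance-Admins"),  # nested group
    (r"DOMAIN\Finance-Users", r"DOMAIN\carol"),
    (r"DOMAIN\Web-Admins", r"DOMAIN\alice"),
    (r"DOMAIN\Payroll-Svc", r"DOMAIN\svc-payroll"),
]


def build_db(findings, memberships):
    """Load ACL rows and group membership into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE acl(host, otype, path, trustee, perm);"
        "CREATE TABLE membership(grp, member);"
    )
    con.executemany("INSERT INTO acl VALUES (?, ?, ?, ?, ?)", findings)
    con.executemany("INSERT INTO membership VALUES (?, ?)", memberships)
    return con


def build_sample_db():
    """Database holding the constructed sample above."""
    return build_db(ACL_FINDINGS, GROUP_MEMBERS)


# Recursive CTE: follow group membership from each ACE's trustee down to the
# accounts inside it, however deeply the groups are nested. The depth guard keeps
# a circular membership (A in B, B in A) from recursing forever. Anything that is
# never listed as a group is treated as an account, so the group inventory must
# be complete for the results to be trusted.
EFFECTIVE_SQL = """
WITH RECURSIVE reach(trustee, principal, depth) AS (
    SELECT trustee, trustee, 0 FROM acl
    UNION
    SELECT r.trustee, m.member, r.depth + 1
    FROM reach r JOIN membership m ON m.grp = r.principal
    WHERE r.depth < 32
)
SELECT DISTINCT r.principal, a.host, a.otype, a.path, a.perm
FROM acl a JOIN reach r ON r.trustee = a.trustee
WHERE r.principal NOT IN (SELECT grp FROM membership)
ORDER BY 1, 2, 4, 5
"""


def effective_access(con):
    """All (account, host, type, path, permission) rows after expanding nested groups."""
    return con.execute(EFFECTIVE_SQL).fetchall()


def who_has_access(con, path):
    """Accounts (never groups) that can reach an object, with the permission each holds."""
    return sorted({(acct, perm) for acct, _h, _t, p, perm in effective_access(con) if p == path})


def what_can_access(con, account):
    """Every object a single account can reach through any chain of groups."""
    return [(h, t, p, perm) for acct, h, t, p, perm in effective_access(con) if acct == account]


def direct_user_aces(con):
    """ACEs granted to a trustee that is not a known group: the individual
    assignments that violate a groups-only permission policy."""
    return con.execute(
        "SELECT host, otype, path, trustee, perm FROM acl "
        "WHERE trustee NOT IN (SELECT grp FROM membership) ORDER BY 1, 3"
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Effective access (account, host, type, path, permission):")
    for row in effective_access(db):
        print(" ", *row)
    print("Direct user ACEs (should be empty if access is granted only through groups):")
    for row in direct_user_aces(db):
        print(" ", *row)
```

The script reproduces the weaknesses listed above as well as the strengths: it only knows about the object types and hosts that were collected, it does not model deny entries or a user's local administrator rights on a host, and a trustee missing from the group inventory is silently counted as an account. Those are exactly the gaps a real survey tool has to close before its answer to "who has access to what" can be believed.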
I welcome reader or vendor recommendations on access-control query tools. But the sad fact is, we cannot reliably answer the supposedly easy question: Who has access to what?
This story, "You want to know who has access to what? Good luck," was originally published at InfoWorld.com, in Roger Grimes's Security Adviser blog.