
    Everyone is not a "Security Group"

      DustinB3403

      So I had a conversation today about a network share, and was told "just give everyone access to it".

      Um no.... everyone is not a security group that you use. Period. It's the reason for creating dedicated network shares that you have custom security groups.

      Get a grip people.... allowing "everyone" is not secure!

        wirestyle22

        We have a door with a lock but we never lock it. What's the point of having it then?

          JaredBusch

          Sure it is. That is the point of a public share with common stuff.

            DustinB3403 @JaredBusch

            @JaredBusch said in Everyone is not a "Security Group":

            Sure it is. That is the point of a public share with common stuff.

            If the goal is to share HR records with everyone. Sure, then everyone counts as a security group. Of "we don't care who accesses what"

              JaredBusch @DustinB3403

              @DustinB3403 said in Everyone is not a "Security Group":

              @JaredBusch said in Everyone is not a "Security Group":

              Sure it is. That is the point of a public share with common stuff.

              If the goal is to share HR records with everyone. Sure, then everyone counts as a security group. Of "we don't care who accesses what"

              Nothing in your original post mentioned anything about a certain group. You broadly criticized a standard practice.

                DustinB3403

                My argument was in regards to the people I work around and their broken mindset of "everyone needs access" or "just add the everyone group".

                My OP I thought was very clear in that I was ranting a bit. But ok...

                  Deleted74295 Banned @DustinB3403

                  @DustinB3403 said

                  My OP I thought was very clear in that I was ranting a bit. But ok...

                  It looked like a rant about ever using the "everyone" group in AD. I know what you mean now though.

                    scottalanmiller @Deleted74295

                    @Breffni-Potter said in Everyone is not a "Security Group":

                    @DustinB3403 said

                    My OP I thought was very clear in that I was ranting a bit. But ok...

                    It looked like a rant about ever using the "everyone" group in AD. I know what you mean now though.

                    I had thought the same thing.

                      scottalanmiller @DustinB3403

                      @DustinB3403 said in Everyone is not a "Security Group":

                      My argument was in regards to the people I work around and their broken mindset of "everyone needs access" or "just add the everyone group".

                      My OP I thought was very clear in that I was ranting a bit. But ok...

                      Well, in those cases, who should be blocked from access, do you feel?

                        Son of Jor-El

                        I have seen a few of those requests. Usually we still don't use the everyone group just in case you need to restrict the access for any reason, you'll have that ability to remove him from the security group it falls in. Also, things can change in the future and you don't know if everyone will need access forever. That's my take.

                          DustinB3403 @scottalanmiller

                          @scottalanmiller said in Everyone is not a "Security Group":

                          @DustinB3403 said in Everyone is not a "Security Group":

                          My argument was in regards to the people I work around and their broken mindset of "everyone needs access" or "just add the everyone group".

                          My OP I thought was very clear in that I was ranting a bit. But ok...

                          Well, in those cases, who should be blocked from access, do you feel?

                          By default I would say "not everyone".

                          Allow even an existing security group. But the "everyone" security group is not providing any security.

                          Might as well allow anonymous access.

                            scottalanmiller @DustinB3403

                            @DustinB3403 said in Everyone is not a "Security Group":

                            @scottalanmiller said in Everyone is not a "Security Group":

                            @DustinB3403 said in Everyone is not a "Security Group":

                            My argument was in regards to the people I work around and their broken mindset of "everyone needs access" or "just add the everyone group".

                            My OP I thought was very clear in that I was ranting a bit. But ok...

                            Well, in those cases, who should be blocked from access, do you feel?

                            By default I would say "not everyone".

                            Allow even an existing security group. But the "everyone" security group is not providing any security.

                            Might as well allow anonymous access.

                            Everyone does mean anonymous. This might just be a language thing. Someone outside of IT should not be aware of the "everyone" group. If they are saying "everyone" they should not be meaning that group, they probably just mean "Domain Users."

                              Kelly @scottalanmiller

                              @scottalanmiller said in Everyone is not a "Security Group":

                              @DustinB3403 said in Everyone is not a "Security Group":

                              @scottalanmiller said in Everyone is not a "Security Group":

                              @DustinB3403 said in Everyone is not a "Security Group":

                              My argument was in regards to the people I work around and their broken mindset of "everyone needs access" or "just add the everyone group".

                              My OP I thought was very clear in that I was ranting a bit. But ok...

                              Well, in those cases, who should be blocked from access, do you feel?

                              By default I would say "not everyone".

                              Allow even an existing security group. But the "everyone" security group is not providing any security.

                              Might as well allow anonymous access.

                              Everyone does mean anonymous. This might just be a language thing. Someone outside of IT should not be aware of the "everyone" group. If they are saying "everyone" they should not be meaning that group, they probably just mean "Domain Users."

                              Everyone does not include anonymous. It is just about everything up to that point including guest and service accounts: https://blog.varonis.com/the-difference-between-everyone-and-authenticated-users/.

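Added example, not from any poster in this thread: a PowerShell audit that lists local SMB shares whose share-level or NTFS permissions grant access to Everyone, Anonymous Logon or Authenticated Users, matched by well-known SID so it also works on localized systems. It assumes an elevated session on a Windows file server with the SmbShare module; `$broadSids` and `$findings` are names chosen for this example.

```powershell
# Added example: flag SMB shares that grant access to broad well-known principals.
# Assumes an elevated session on the file server (SmbShare module available).

# Well-known SIDs, used instead of display names so localized systems match too.
$broadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($share in Get-SmbShare -Special $false) {

    # Layer 1: share-level permissions.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = ([System.Security.Principal.NTAccount]$ace.AccountName).Translate($sidType).Value
        } catch {
            continue   # account name could not be resolved to a SID; skip it
        }
        if ($broadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Share = $share.Name; Layer = 'Share'
                Principal = $broadSids[$sid]; Rights = "$($ace.AccessRight)"
            }
        }
    }

    # Layer 2: NTFS permissions on the shared folder itself (root only, not children).
    if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
        $rules = (Get-Acl -LiteralPath $share.Path).GetAccessRules($true, $true, $sidType)
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Share = $share.Name; Layer = 'NTFS'
                    Principal = $broadSids[$sid]; Rights = "$($rule.FileSystemRights)"
                }
            }
        }
    }
}

# Effective access is the more restrictive of the two layers, so review both rows per share.
$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share that is meant to be open to all staff can then be moved to a named group such as Domain Users, which keeps the option of removing an individual account later.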