No "Everyone" or open ACLs on shared paths
Demonstrate that shared network paths, file shares, and directories are configured with explicit, role-based access control lists that exclude overly permissive groups such as 'Everyone' or anonymous access.
Description
What this control does
This control prohibits open access control lists (ACLs) that grant permissions to overly broad groups such as 'Everyone', 'Authenticated Users', 'Domain Users', or anonymous access on shared network paths, file shares, and directories. Organizations must restrict both share-level and NTFS-level permissions to explicitly named security groups or individual accounts with a documented business need. Effective SMB access is the more restrictive of the two levels, but the control requires both to be explicit: a share that relies on one level alone is exposed as soon as the other is relaxed (for example, a new folder inheriting a broad NTFS ACL behind a share that still grants 'Everyone' Full Control). Open ACLs expose sensitive data to unauthorized internal users, contractors, and to external attackers who have gained an initial foothold, violating the principle of least privilege and creating significant data leakage risk.
Control objective
What auditing this proves
Demonstrate that shared network paths, file shares, and directories are configured with explicit, role-based access control lists that exclude overly permissive groups such as 'Everyone' or anonymous access.
Associated risks
Risks this control addresses
- Unauthorized internal users accessing confidential financial records, intellectual property, or customer data stored on file shares with 'Everyone' permissions
- Lateral movement by attackers who compromise a low-privilege account and leverage open share ACLs to access sensitive systems, scripts, or credentials
- Data exfiltration through anonymous or guest access to shares containing proprietary source code, design documents, or trade secrets
- Compliance violations under GDPR, HIPAA, or PCI DSS when personal or regulated data is accessible to all authenticated domain users without business justification
- Malware propagation across the organization when attackers write malicious executables or scripts to world-writable shared directories
- Accidental data deletion or modification by users who gain write access through overly permissive 'Domain Users' or 'Authenticated Users' ACLs
- Privilege escalation when configuration files, scheduled task scripts, or service account credentials stored in open shares are readable by standard users
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all network file shares, DFS namespaces, and shared directories across Windows file servers, NAS devices, and cloud storage mounts (e.g., Azure Files, AWS FSx) from the IT asset database or network scanning tools. Include hidden shares (names ending in '$'); do not rely on network browsing alone, which omits them.
- Extract share-level and NTFS-level ACL configurations for each shared path using PowerShell (Get-SmbShare to enumerate shares, Get-SmbShareAccess for share-level ACLs, Get-Acl or icacls for NTFS ACLs), native file server auditing tools, or third-party ACL reporting utilities.
- Parse the ACL exports to identify any Allow permissions granted to 'Everyone', 'Anonymous', 'Guest', 'Authenticated Users', 'Domain Users', or equivalent overly broad security principals. Match on well-known SIDs where possible (S-1-1-0 Everyone, S-1-5-7 Anonymous Logon, S-1-5-11 Authenticated Users, RID 513 Domain Users), since display names vary by locale. Deny entries for these groups are not findings. Also expand the membership of any narrowly named group found on a share, because a custom group that nests 'Domain Users' is just as broad as 'Domain Users' itself.
- For each flagged share, review the share purpose, data classification, and documented business justification in the access control policy or share provisioning records.
- Select a sample of 15-20 shares across different business units and data sensitivity levels, then manually verify ACL configurations via administrative console or direct server inspection to validate automated scan accuracy.
- Interview file server administrators and data owners to confirm awareness of ACL review procedures, approval workflows for new shares, and remediation timelines for identified open permissions.
- Review access recertification logs or periodic ACL audit reports from the past 12 months to verify that management actively monitors and remediates overly permissive share configurations.
- Test a sample share identified as compliant by attempting access from a standard user account that should not have permissions, confirming that access is denied. The client only observes the effective result, so confirm separately from the ACL export that neither the share-level nor the NTFS-level ACL grants the account access.
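The following PowerShell script implements the extraction and parsing steps of the procedure above on a single Windows file server. It is an added example, not part of the control text or of any vendor tool. It assumes local administrator rights, the SmbShare module (Windows Server 2012 / Windows 8 or later), and that it runs on the file server itself; the output path in the usage comment is an assumption. Broad principals are matched by well-known SID rather than display name, and administrative shares (C$, ADMIN$, IPC$) are skipped.

```powershell
# Added example (not from the control page): report Allow ACEs granted to overly
# broad principals at share level and NTFS level for every non-administrative share.
# Assumes local admin rights and the SmbShare module; run on the file server itself.

# Well-known SIDs: Everyone, ANONYMOUS LOGON, Authenticated Users, BUILTIN\Guests, BUILTIN\Users.
$script:BroadSids = @('S-1-1-0', 'S-1-5-7', 'S-1-5-11', 'S-1-5-32-546', 'S-1-5-32-545')
# Domain RIDs under any S-1-5-21-<domain> prefix: Guest (501), Domain Users (513), Domain Guests (514).
$script:BroadDomainRidPattern = '^S-1-5-21-\d+-\d+-\d+-(501|513|514)$'

function Test-BroadPrincipal {
    # Returns $true when an account name or SID string refers to an overly broad principal.
    param([Parameter(Mandatory)][string]$Account)
    if ($Account -match '^S-1-') {
        $sid = $Account                      # already a SID string (e.g. an orphaned ACE)
    } else {
        try {
            $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            return $false                    # unresolvable name: not broad, but review it separately
        }
    }
    return ($script:BroadSids -contains $sid) -or ($sid -match $script:BroadDomainRidPattern)
}

function New-Finding {
    param($Share, $Path, $Level, $Principal, $Rights, [bool]$Inherited)
    [pscustomobject]@{
        Share = $Share; Path = $Path; Level = $Level
        Principal = $Principal; Rights = $Rights; Inherited = $Inherited
    }
}

function Get-OpenShareAce {
    # Emits one object per Allow ACE granted to a broad principal: share-level ACEs,
    # NTFS ACEs on the share root, and (with -Recurse) explicit, non-inherited NTFS
    # ACEs on subdirectories. Inherited ACEs below the root are skipped because they
    # are already attributed to the directory that defines them.
    [CmdletBinding()]
    param([switch]$Recurse)

    $shares = Get-SmbShare | Where-Object { -not $_.Special }   # skip C$, ADMIN$, IPC$
    foreach ($share in $shares) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
                New-Finding $share.Name $share.Path 'Share' $ace.AccountName $ace.AccessRight $false
            }
        }
        if (-not (Test-Path -LiteralPath $share.Path)) { continue }

        $targets = @(Get-Item -LiteralPath $share.Path)
        if ($Recurse) {
            $targets += Get-ChildItem -LiteralPath $share.Path -Directory -Recurse -ErrorAction SilentlyContinue
        }
        foreach ($dir in $targets) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            $isRoot = ($dir.FullName.TrimEnd('\') -eq $share.Path.TrimEnd('\'))
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (-not $isRoot -and $ace.IsInherited) { continue }
                if (Test-BroadPrincipal $ace.IdentityReference.Value) {
                    New-Finding $share.Name $dir.FullName 'NTFS' $ace.IdentityReference.Value `
                                $ace.FileSystemRights $ace.IsInherited
                }
            }
        }
    }
}

# Usage (output path is an assumption):
# Get-OpenShareAce -Recurse | Export-Csv -NoTypeInformation -Path C:\Audit\open-share-acls.csv
# Get-OpenShareAce | Format-Table Share, Level, Principal, Rights -AutoSize
```

Two caveats. The script flags the default share-level grant that Windows applies when a share is created ('Everyone' Read), which is exactly what this control expects to be replaced by a named group; the corresponding remediation is Revoke-SmbShareAccess for the broad principal followed by Grant-SmbShareAccess for the named group, with NTFS fixed via icacls or Set-Acl. It does not expand nested group membership, so a custom group that contains 'Domain Users' passes silently; resolve members of each remaining principal (for example with Get-ADGroupMember -Recursive) before signing off a share as compliant.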
Where this control is tested