Backing up data is one of the most effective ways of protecting against data loss. A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place. If the computer hardware fails, the data can be restored from the backup to functional hardware.
Data backups should be performed on a regular basis as identified in the security policy. Data backups are usually stored offsite to protect the backup media if anything happens to the main facility. Windows hosts have a backup and restore utility. This is useful for users to backup their data to another drive or to a cloud-based storage provider. The macOS includes the Time Machine utility to perform backup and restore functions.
Click each + button in the figure to learn about backup consideration.
The image has clickable buttons to learn more about different Data Backup Considerations: Frequency definition, perform backups on a regular basis as identified in the security policy. Full backups can be time-consuming, therefore perform monthly or weekly full backups with frequent partial backups of changed files. Storage definition, backups should be transported to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy. Validation definition, backups should be protected using strong passwords. The password is required to restore data. Storage definition, always validate backups to ensure the integrity of the data and validate the file restoration procedures.
File and Folder Permissions
Permissions are rules you configure to limit folder or file access for an individual or for a group of users. The figure lists the permissions that are available for files and folders.
To configure file- or folder-level permissions in all versions of Windows, right-click the file or folder and select Properties > Security > Edit…
Users should be limited to only the resources they need in a computer or on a network. For example, they should not be able to access all files on a server if they only need access to a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the folder that is needed to perform their job. This is known as the principle of least privilege. Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected.
Folder redirection allows a user with administrative privileges to redirect the path of a local folder to a folder on a network share. This makes the folder’s data available to the user when they log into any computer on the network where the network share is located. With user data redirected from local to network storage, administrators can back up the user data when the network data folders are backed up.
File and network share permissions can be granted to individuals or through membership within a group. These share permissions are much different than file and folder level NTFS permissions. If an individual or a group is denied permissions to a network share, this denial overrides any other permissions given. For example, if you deny someone permission to a network share, the user cannot access that share, even if the user is the administrator or part of the administrator group. The local security policy must outline which resources and the type of access allowed for each user and group.
When the permissions of a folder are changed, you are given the option to apply the same permissions to all sub-folders. This is known as permission propagation. Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and files that are created inside the parent folder inherit the permissions of the parent folder.
Also, the location of the data and the action performed on the data determine how the permissions are propagated:
- Data is moved to the same volume – It will keep the original permissions
- Data is copied to the same volume – It will inherit new permissions
- Data is moved to a different volume – It will inherit new permissions
- Data is copied to a different volume – It will inherit new permissions
The image is a list of File and Folder Permissions and what they mean. Full Control definition, see the content of a file or folder. Change and delete existing files and folders.Create new files and folders. Run programs in a folder. Modify definition, change and delete existing files and folders. Users cannot create new files or folders. Read and Execute definition, see the contents of existing files or folders and run programs in a folder. Read definition, see the contents of a folder and open files and folders. Write definition, create new files and folders. Make changes to existing files and folders.