Microsoft Research Blog


MACE: Taking Control of Network Access

April 16, 2013 | By Microsoft blog editor

Posted by Rob Knies


Any businessperson in a large organization can testify about the challenges growth can bring. As a business gets larger, for example, the number of employees increases. Further growth might mean multiple offices—some, perhaps, located in distant lands.

Ideally, you want your employees all tied into the same network, accessing the appropriate resources and communicating effectively. That can grow difficult, though, once the employee count begins to rise and spills into multiple locations. Managing access to network resources is important—and it isn’t easy.

That’s where Management of Access Control in the Enterprise (MACE) comes in. This tool, available for download, enables administrators to collect data from one or more servers and visualize that information to understand who has access to what—which user or security group has read/write access to which resources, be they folders, shares, or File Classification Infrastructure (FCI) files.

“Maintaining correct access control to shared network resources such as file servers is an important aspect of good data management,” says Ajay Manchepalli, senior research program manager for Microsoft Research India. “Misconfiguration can lead to information loss, can cause security vulnerabilities, and can open the possibility for insider attacks.”

The stakes are high, and the work is difficult.

“The ability to identify these misconfigurations and prevent exploitation is hard,” Manchepalli says. “We believe this cannot be purely a human effort.

“One of the first steps in this direction is the ability to collect and visualize the data in a way that enables the administrator or business owner to understand the current state of affairs and visually prove or drill into the data and understand how it is working.”

The fluid nature of a large employee base adds to the challenge. People can change roles, change jobs, or even change companies. Project priorities might change. Human error occurs. Written rules and policies for network-resource access are useful, but such documentation is often missing, and even when it does exist, it can become outdated.

MACE, which includes concise user documentation, has two components designed to help businesses reduce the risks that can hamper network-access control. The first is a data collector. An administrator managing a server farm needs to control access to sensitive resources. Knowing who has or doesn’t have access to those resources is vital, and that’s where the data collector helps. It collects two distinct types of data from each server:

  • Effective permissions on folders, shares, and FCI files.
  • Group and user information from Active Directory.
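The two data sources above (effective permissions on resources, plus group and user information from Active Directory) only answer "who can read or write what" once group membership has been expanded and Allow and Deny entries combined. The following is an added example, not MACE's own code or data format, that models that join over constructed data: a nested group tree standing in for Active Directory and a small set of ACL entries standing in for collected folder permissions. It applies two Windows-style rules as assumptions, namely that group membership is transitive and that an explicit Deny overrides an Allow, and deliberately ignores inheritance and the share-versus-NTFS combination that real effective-access calculation also involves. The resource paths, principal names and rights are all constructed.

```python
"""Resolve effective read/write access from ACL entries and nested groups.

Added example; not MACE code. Models the two inputs an access-control
collector gathers (resource ACLs and directory group membership) and
derives the per-user view a visualizer would display.
"""
from collections import defaultdict

# Constructed directory data: group -> direct members. A member may itself
# be a group, so membership must be expanded transitively.
GROUPS = {
    "Domain Users": ["alice", "bob", "carol", "Finance"],
    "Finance": ["dave", "FinanceLeads"],
    "FinanceLeads": ["erin"],
    "Contractors": ["frank", "carol"],
}

# Constructed ACL data: resource -> list of (principal, access type, rights).
ACLS = {
    r"\\fs01\finance": [
        ("Finance", "Allow", {"read", "write"}),
        ("Domain Users", "Allow", {"read"}),
        ("Contractors", "Deny", {"read", "write"}),
    ],
    r"\\fs01\public": [
        ("Domain Users", "Allow", {"read"}),
        ("alice", "Allow", {"write"}),
    ],
}


def expand_group(group, groups, seen=None):
    """Return the set of user accounts transitively contained in `group`.

    `seen` guards against membership cycles (group A contains B contains A).
    """
    seen = set() if seen is None else seen
    users = set()
    if group in seen:
        return users
    seen.add(group)
    for member in groups.get(group, []):
        if member in groups:
            users |= expand_group(member, groups, seen)
        else:
            users.add(member)
    return users


def effective_permissions(acl, groups):
    """Return {user: set(rights)} for one resource's ACL entries.

    Assumed rule: any Deny entry for a right removes that right regardless
    of how many Allow entries grant it.
    """
    allow = defaultdict(set)
    deny = defaultdict(set)
    for principal, access, rights in acl:
        # Expand a group principal to its users; a user principal is itself.
        users = expand_group(principal, groups) if principal in groups else {principal}
        bucket = allow if access == "Allow" else deny
        for user in users:
            bucket[user] |= rights
    result = {}
    for user, rights in allow.items():
        remaining = rights - deny.get(user, set())
        if remaining:
            result[user] = remaining
    return result


def who_can(resource, right, acls=ACLS, groups=GROUPS):
    """Sorted list of users who effectively hold `right` on `resource`."""
    perms = effective_permissions(acls[resource], groups)
    return sorted(user for user, rights in perms.items() if right in rights)


def access_report(acls=ACLS, groups=GROUPS):
    """The resource -> {user: rights} view an access visualizer needs."""
    return {res: effective_permissions(acl, groups) for res, acl in acls.items()}


if __name__ == "__main__":
    for resource, perms in access_report().items():
        print(resource)
        for user in sorted(perms):
            print(f"  {user}: {', '.join(sorted(perms[user]))}")
```

Running the script prints one block per resource. Note that carol, who inherits read on the finance share through Domain Users, is absent from that share's listing because her Contractors membership carries a Deny; the same user does appear under the public share, where no Deny applies. This is exactly the kind of cross-group interaction that is easy to miss when reading ACLs and group listings separately.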

The second MACE component is a data visualizer, which, Manchepalli says, can play a key role in enabling better control of network access.

“Relying on an administrator or the owner of data to stay on top of who has access to data is arduous and prone to error,” he says. “Apart from reducing errors, a good visualization tool can go a long way to reduce the overall effort from the standpoints of both time and resources.”

One of the key contributions made by MACE is its ability to address a complex issue with a relatively simple solution.

“Problems can be complex and hard,” Manchepalli says, “but the solutions need not be. This is one such example. MACE exemplifies the importance of good, intuitive data visualization.”