Which Trustees are High Risk?

In the context of data security and Spirion governance, High-Risk Trustees are those that grant access to a broad, non-specific, or unauthenticated group of people.

If sensitive data (like SSNs or Credit Card numbers) is found in a file where these trustees have permissions, it is considered a Critical Exposure because the data is essentially "unlocked" for anyone on the network.

1. The "Public" Trustees (Highest Risk)

These are the most dangerous because they often include people who are not even employees (contractors, guests, or even malicious actors on the network).

  • Everyone: This is the "Red Alert" value. It means every single person who can touch the network or the machine has access to that sensitive file.
  • Guest / Guests: Grants access to temporary accounts or people without permanent credentials.
  • ANONYMOUS LOGON: Allows access to a file without requiring any username or password at all.

2. The "Broad Internal" Trustees (Medium-High Risk)

While these require a company login, they are still high risk because they don't follow the "Principle of Least Privilege." There is rarely a reason for the entire company to have access to a sensitive file.

  • Authenticated Users: Includes every single person with a valid domain login. If a Marketing intern can read a Finance spreadsheet because of this trustee, it is a compliance violation.
  • Domain Users: Similar to Authenticated Users; it represents the entire employee population.
  • Interactive: Anyone currently logged into the physical machine.

3. The "Administrative" Trustees (Privileged Risk)

These aren't "public," but they are high risk because they represent Privileged Access. If these accounts are compromised, the attacker has "the keys to the kingdom."

  • Domain Admins: If sensitive data is only accessible by Domain Admins, it’s safer than "Everyone," but it still represents a target for attackers.
  • Local Administrators: If a user is a local admin on their own machine, they can bypass other security controls to get to sensitive data.


How to use this in Tag Management

You should create a "Critical Exposure" tag to automatically flag these risks.

Filter Logic Example:

  • Field: ACL: Trustee
  • Operator: Contains
  • Value: Everyone
  • OR
  • Field: ACL: Trustee
  • Operator: Contains
  • Value: Guest

The Result: Any machine where Spirion finds sensitive data accessible by these groups will be instantly tagged. You can then set up an Alert to email your security team the moment this tag is applied.

Summary Table

Trustee Value        Risk Level    Why?
-------------------  ------------  ----------------------------------------------
Everyone             CRITICAL      Zero restriction; anyone can read the data.
Anonymous            CRITICAL      No login required; highest possible exposure.
Guest                HIGH          Access for non-employees/temporary users.
Authenticated Users  MEDIUM-HIGH   Too broad; violates "Least Privilege."
Domain Users         MEDIUM-HIGH   Every employee can see the data.

Tip: When auditing these, look for the "Permissions" type. A trustee with "Read" access is a data leak risk; a trustee with "Full Control" is a data destruction/ransomware risk.
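The following is an added example, not Spirion's own code or API: it applies the "Critical Exposure" filter logic above (ACL: Trustee Contains "Everyone" OR Contains "Guest") to a constructed ACL, ranks each matching trustee by the summary table's risk levels, and applies the tip's Read-versus-Full-Control distinction. The Ace record and its field names are assumptions; treating Modify/Write like Full Control for the destruction check is also an assumption.

```python
from dataclasses import dataclass

# Risk ranking taken from the summary table and sections 1-2 above.
RISK = {
    "everyone": "CRITICAL",
    "anonymous logon": "CRITICAL",
    "guest": "HIGH",
    "guests": "HIGH",
    "authenticated users": "MEDIUM-HIGH",
    "domain users": "MEDIUM-HIGH",
    "interactive": "MEDIUM-HIGH",
}
ORDER = ["CRITICAL", "HIGH", "MEDIUM-HIGH"]  # most severe first


@dataclass
class Ace:
    """One access control entry (assumed shape, not Spirion's data model)."""
    trustee: str      # e.g. "NT AUTHORITY\\Authenticated Users" or "Everyone"
    permission: str   # e.g. "Read", "Modify", "Full Control"


def trustee_name(trustee: str) -> str:
    # Drop an authority prefix so "NT AUTHORITY\ANONYMOUS LOGON" matches the table.
    return trustee.rsplit("\\", 1)[-1].strip().lower()


def is_critical_exposure(acl) -> bool:
    """The page's tag filter: Trustee Contains 'Everyone' OR Contains 'Guest'.
    'Contains' is a substring test, so 'Guest' also catches 'Guests'."""
    return any("everyone" in a.trustee.lower() or "guest" in a.trustee.lower()
               for a in acl)


def assess(acl):
    """Return (worst risk level or None, [(trustee, risk, threat), ...])."""
    findings = []
    for a in acl:
        risk = RISK.get(trustee_name(a.trustee))
        if risk is None:
            continue  # a specific group, not one of the high-risk trustees
        # Tip above: Read = data leak risk; Full Control = destruction/ransomware
        # risk. Modify/Write are grouped with Full Control here as an assumption.
        threat = "leak"
        if a.permission.lower() in ("full control", "modify", "write"):
            threat = "destruction/ransomware"
        findings.append((a.trustee, risk, threat))
    worst = min((f[1] for f in findings), key=ORDER.index, default=None)
    return worst, findings


# Constructed sample ACL for a finance spreadsheet (not real data).
SAMPLE_ACL = [
    Ace("NT AUTHORITY\\Authenticated Users", "Read"),
    Ace("BUILTIN\\Guests", "Full Control"),
    Ace("CORP\\Finance-Team", "Modify"),
]
```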