RE: Securely allowing the helpdesk to change file permissions / data store structures
- From: "Bowers, Jeramy J" <jebowers@xxxxxxxxx>
- Date: Wed, 12 Sep 2007 13:08:51 -0400
This would be a good time to examine the file/permissions structure, and
overhaul if necessary. Methods that don't work are where individual
userids are assigned to a folder, and there is no paper trail to
determine when a user was given access. This leads to a lot of empty SIDs
on a folder, and users with permissions that stick when they move from
one position to another within a company.
One good method is to assign permissions for every folder based upon
group membership, and all changes to group membership are handled by
the helpdesk. Server admins create the groups and assign them to
folders. Based on existing permissions, that could be departments,
labs, and projects, or some other completely different paradigm.
Another good method is to create a group for each position within the
company. Then, assign the position (group) to the folders it needs to
access. Again, adding and removing the group from folders would need to
be well documented. Also, there would be one group for each employee.
I'm not sure if that would be more or fewer groups than you already have.
Oh, and document everything. Did I mention you should have good
policies and procedures in place, educate the IT staff, and then enforce
them?
Jay Bowers
Security Analyst
Indianapolis, IN
-----Original Message-----
From: Gary Collis [mailto:onesl1fox@xxxxxxxxxxxxxxxx]
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Securely allowing the helpdesk to change file permissions / data store structures
Hi,
We have a helpdesk that will soon be moving away from having domain
admin privileges. At the minute NTFS file permission change requests
go through the helpdesk and the helpdesk execute accordingly. However,
as they will be losing their domain admin privileges I would like to allow
them to continue doing this without giving them permission to read the
data itself.
I would also like your views on the most effective way to structure data
store permissioning across the company. E.g. we have a folder per
department now and grant people privileges when requested and approved
by the department head, but this often becomes messy as we have numerous
people with read access in some folders, write access in others,
modify access to some files, etc.
How do other people approach these two issues?
Thanks,
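The two symptoms Jay's reply calls out, orphaned SIDs left on folders and individual user accounts granted directly instead of through a group, can be found with a read-only audit of the explicit ACEs on a share tree. The script below is an added example and not code from the thread; `D:\Shares` is a placeholder path, and the `WinNT://` lookup assumes the auditing machine can resolve the domain named in each ACE.

```powershell
# Added example (not from the original thread). Walks a folder tree and
# reports explicit (non-inherited) ACEs that either belong to a SID that no
# longer resolves, or name an individual user rather than a group.
# Run as an account that can read ACLs on the tree; it changes nothing.
param([string]$Root = 'D:\Shares')   # placeholder path, adjust to your share

function Get-PrincipalClass {
    # Returns 'User', 'Group' or 'Unknown' for a DOMAIN\name account via ADSI.
    param([string]$Account)
    $domain, $name = $Account -split '\\', 2
    if (-not $name) { return 'Unknown' }
    try {
        return ([ADSI]"WinNT://$domain/$name").SchemaClassName
    } catch {
        return 'Unknown'   # well-known or unresolvable principal
    }
}

$findings = foreach ($dir in Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only entries set on this folder
        $id = $ace.IdentityReference.Value
        $problem = $null
        if ($id -match '^S-1-\d+(-\d+)+$') {
            $problem = 'OrphanedSID'     # account deleted, SID no longer resolves
        } elseif ((Get-PrincipalClass $id) -eq 'User') {
            $problem = 'DirectUserACE'   # should be granted through a group
        }
        if ($problem) {
            [pscustomobject]@{
                Folder   = $dir.FullName
                Identity = $id
                Rights   = $ace.FileSystemRights
                Problem  = $problem
            }
        }
    }
}

$findings | Sort-Object Problem, Folder | Format-Table -AutoSize
```

Pipe `$findings` to `Export-Csv` instead of `Format-Table` to keep a dated record, which gives the paper trail the reply says is usually missing.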