RE: Securely allowing the helpdesk to change file permissions / data store structures
- From: <Monrad.DC@xxxxxxxxxxxx>
- Date: Wed, 12 Sep 2007 12:59:42 -0400
One solution for the Share side of this issue is to create a generic share \\server\finUsers$ and then create user folders under this share. Share rights set to Full for [admin]/[tech group] and modify/change for the [user group(finUsers)].
Only one share is needed for each section/branch, so no admin rights are required by techs.
NTFS is read/traverse through the root share for the users group, then locked to Modify for the user and full for the tech group.
Drew
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]On Behalf Of Crawley, Jim
Sent: Wednesday, September 12, 2007 1:31 AM
To: Gary Collis; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Securely allowing the helpdesk to change file permissions / data store structures
The first step is giving them enough access to get to the server
via remote desktop. That's easy to do via local security policies,
specifying either local or domain groups that are allowed to remote
control the server.
Our helpdesk is only allowed to create/modify user personal
drives, not the shared company drive. For this reason they're given
read/list contents access from the root of the storage drive and only
full control from "users" onwards. This allows them to create user
directories & set permissions.
The tricky part is creating the shares. As far as I've been
able to find there are no security policies that change who can/can't
create these. All I've found is that you have to be a member of "Power
Users" or "Administrators". For this reason, the helpdesk's group is
added to the local "Power Users" group.
Seems to work ok for us.
The helpdesk used to do all file permissions until a number of
permissions were screwed up VERY badly giving full read access to all
staff to confidential finance data. For one line of business this was
discovered by IT before anyone else learnt about it, unfortunately for
another line of business the users found out first and we were alerted
by a very angry CFO.
Learn from my mistakes, limit NTFS permissions tightly to those
who you trust can do their job properly or at the very least voluntarily
take responsibility for their own stuff-ups (we're all only human after
all).
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Gary Collis
Sent: Tuesday, 11 September 2007 4:51 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Securely allowing the helpdesk to change file permissions / data store structures
Hi,
We have a helpdesk that will soon be moving away from having domain
admin privileges. At the minute NTFS file permission change requests
go through the helpdesk and the helpdesk execute accordingly. However,
as they will be losing their domain admin privs, I would like to allow
them to continue doing this without giving them permission to read the
data itself.
I would also like your views on the most effective way to structure data
store permissioning across the company, e.g. we have a folder per
department now and grant people privileges when requested and approved
by the department head, but this often becomes messy as we have numerous
people with read access in some folders, write access in others,
modify access to some files, etc. etc.
How do other people approach these two issues?
Thanks,
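Drew's one-hidden-share-per-section layout (and Jim's "read/list at the root, full control from the user folders onwards" variant of it) scripted in PowerShell, as an added example rather than anything posted in the thread. It assumes Windows Server 2012 or later for the SmbShare cmdlets and a writable D: drive; the CONTOSO domain, group and user names are placeholders for the thread's [tech group] and [user group(finUsers)].

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ (SmbShare module)
# and a writable D: drive; all CONTOSO names are placeholders.
$Root      = 'D:\finUsers'
$ShareName = 'finUsers$'              # hidden share, as in Drew's reply
$Domain    = 'CONTOSO'                # placeholder domain
$TechGroup = "$Domain\HelpdeskTechs"  # placeholder for [tech group]
$UserGroup = "$Domain\finUsers"       # placeholder for [user group(finUsers)]

# Build an Allow ACE; by default it inherits to subfolders and files.
function New-Ace {
    param([string]$Identity, [string]$Rights,
          [string]$Inheritance = 'ContainerInherit, ObjectInherit')
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inheritance, 'None', 'Allow'
}

# 1. Root folder: drop the drive's inherited ACL, then Full for admins and techs
#    (inherited by every user folder) and read/traverse for the user group on this
#    folder only, so each user can reach their own folder but see nothing else.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace $TechGroup 'FullControl'))
$acl.AddAccessRule((New-Ace $UserGroup 'ReadAndExecute' 'None'))
Set-Acl -Path $Root -AclObject $acl

# 2. Share-level rights as in the thread: Full for admins/techs, Change for the
#    user group. NTFS below, not the share, does the per-user locking.
New-SmbShare -Name $ShareName -Path $Root `
    -FullAccess 'BUILTIN\Administrators', $TechGroup -ChangeAccess $UserGroup | Out-Null

# 3. Per-user folder: inherits Full for admins/techs from $Root and adds Modify for
#    the owner only. Techs can run this with their Full right on $Root; no admin needed.
function New-UserFolder {
    param([string]$SamAccountName)
    $path = Join-Path -Path $Root -ChildPath $SamAccountName
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $a = Get-Acl -Path $path
    $a.AddAccessRule((New-Ace "$Domain\$SamAccountName" 'Modify'))
    Set-Acl -Path $path -AclObject $a
}

New-UserFolder -SamAccountName 'jsmith'   # placeholder user
```

Full Control for the tech group, which both replies rely on, includes Read, so this layout on its own does not meet Gary's stated goal of letting the helpdesk change permissions without being able to read the data.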