Re: Securely allowing the helpdesk to change file permissions / data store structures
- From: gjgowey@xxxxxxxxxxxxxxxxxx
- Date: Thu, 13 Sep 2007 00:31:24 +0000
One thing you might want to consider is writing a small client/server program (it could be done in VBScript) that has the server portion running under a domain admin account and the client simply tells it what shares to set up/modify. You can customize the logic of the server portion so someone can't do something misguided with the permissions. Standard AD permissions can be used to control who has access to talk to the server portion.
Geoff
Sent from my BlackBerry wireless handheld.
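An added example of the broker idea above (not code from the thread): a PowerShell server-side routine that runs under the privileged account and only applies requests that pass policy. The share root, log path and the group naming convention are assumptions made for illustration.

```powershell
# Constrained permission broker: validates a request, then applies it via Set-Acl
# and writes an audit line. $ShareRoot, $AuditLog and the group pattern are assumed values.

$ShareRoot     = 'D:\Shares'                       # assumed root of delegated data stores
$AuditLog      = 'D:\Logs\permission-broker.log'   # assumed audit trail location
$AllowedGroups = '^CORP\\(DEPT|PROJ)-[A-Za-z0-9]+-(RO|RW)$'  # assumed group naming scheme
$AllowedRights = @{
    RO = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    RW = [System.Security.AccessControl.FileSystemRights]::Modify
}

function Test-PermissionRequest {
    param([string]$Path, [string]$Group, [string]$Access)
    # Normalise and confine the path to the share root (rejects ..\ escapes and other drives).
    $full = [System.IO.Path]::GetFullPath($Path)
    if (-not $full.StartsWith($ShareRoot + '\', [StringComparison]::OrdinalIgnoreCase)) {
        return "path '$Path' is outside $ShareRoot"
    }
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        return "folder '$full' does not exist"
    }
    # Only groups that follow the naming scheme, never individual user accounts.
    if ($Group -notmatch $AllowedGroups) {
        return "group '$Group' is not a delegated data-access group"
    }
    # The access level must match the group's suffix, so a -RO group can never receive Modify.
    if (-not $AllowedRights.ContainsKey($Access) -or $Group -notlike "*-$Access") {
        return "access '$Access' is not permitted for group '$Group'"
    }
    return $null   # request is acceptable
}

function Invoke-PermissionRequest {
    param([string]$Path, [string]$Group, [string]$Access, [string]$RequestedBy)
    $problem = Test-PermissionRequest -Path $Path -Group $Group -Access $Access
    $stamp = Get-Date -Format o
    if ($problem) {
        Add-Content -Path $AuditLog -Value "$stamp DENIED  by=$RequestedBy path=$Path group=$Group access=$Access reason=$problem"
        throw $problem
    }
    $full = [System.IO.Path]::GetFullPath($Path)
    $acl  = Get-Acl -LiteralPath $full
    # The broker only ever adds inheriting Allow entries for approved groups; it never removes or denies.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Group, $AllowedRights[$Access], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $full -AclObject $acl
    Add-Content -Path $AuditLog -Value "$stamp APPLIED by=$RequestedBy path=$full group=$Group access=$Access"
}

# Example call, as the client would request it after the operator has been authenticated:
# Invoke-PermissionRequest -Path 'D:\Shares\Finance\Budgets' -Group 'CORP\DEPT-Finance-RO' -Access RO -RequestedBy 'helpdesk01'
```

Because the helpdesk only ever talks to the broker, its members need no rights on the data itself, and every accepted or refused request is recorded.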
-----Original Message-----
From: "Bowers, Jeramy J" <jebowers@xxxxxxxxx>
Date: Wed, 12 Sep 2007 13:08:51
To:<security-basics@xxxxxxxxxxxxxxxxx>
Cc:"Gary Collis" <onesl1fox@xxxxxxxxxxxxxxxx>
Subject: RE: Securely allowing the helpdesk to change file permissions / data store structures
This would be a good time to examine the file/permissions structure, and
overhaul it if necessary. Methods that don't work are where
individual userids are assigned to a folder, and there is no paper trail
to determine when a user was given access. This leads to a lot of empty SIDs
on a folder, and users with permissions that stick when they move from
one position to another within a company.
One good method is to assign permissions for every folder based upon
group membership. And all changes to group membership are handled by
the helpdesk. Server admins create the groups and assign them to
folders. Based on existing permissions, that could be departments,
labs, and projects, or some other completely different paradigm.
Another good method is to create a group for each position within the
company. Then, assign the position (group) to the folders it needs to
access. Again, adding and removing the group from folders would need to
be well documented. Also, there would be one group for each employee.
I'm not sure if that would be more or less groups than you already have.
Oh, and document everything. Did I mention you should have good
policies and procedures in place, educate the IT staff, and then enforce
them?
Jay Bowers
Security Analyst
Indianapolis, IN
-----Original Message-----
From: Gary Collis [mailto:onesl1fox@xxxxxxxxxxxxxxxx]
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Securely allowing the helpdesk to change file permissions / data store structures
Hi,
We have a helpdesk that will soon be moving away from having domain
admin privileges. At the minute NTFS file permission change requests
go through the helpdesk and the helpdesk execute accordingly. However,
as they will be losing their domain admin privileges I would like to allow
them to continue doing this without giving them permission to read the
data itself.
I would also like your views on the most effective way to structure data
store permissioning across the company. e.g. We have a folder per
department now and grant people privileges when requested and approved
by the department head, but this often becomes messy as we have numerous
people with read access in some folders, write access in others,
modify access to some files etc etc.
How do other people approach these two issues?
Thanks,