Re: Securely allowing the helpdesk to change file permissions / data store structures

[gjgowey () tmo blackberry net]

One thing you might want to consider is writing a small client/server program (it could be done in vbscript) that has 
the server portion running under a domain admin account and the client simply tells it what shares to setup/modify. You 
can customize the logic of the server portion so someone can't do something misguided with the permissions.  Standard 
ad permissions can be used to controll who has access to talk to the server portion.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Bowers, Jeramy J" <jebowers () iupui edu>

Date: Wed, 12 Sep 2007 13:08:51 
To:<security-basics () securityfocus com>
Cc:"Gary Collis" <onesl1fox () 27 eclipse co uk>
Subject: RE: Securely allowing the helpdesk to change file permissions / data store structures


This would be a good time to examine the file/permissions structure, and
overhaul if necessary.  Methods that don't work are where there are
individual userids are assigned to a folder, and there is no papertrail
to determine when a user was given access.  Leads to a lot of empty SIDs
on a folder, and users with permissions that stick when they move from
one position to another within a company.

One good method is to assign permissions for every folder based upon
group membership.  And all changes to group membership are handled by
the helpdesk.  Server admins create the groups and assigned them to
folders.  Based on existing permissions, that could be departments,
labs, and projects, or some other completely different paradigm.

Another good method is to create a group for each position within the
company.  Then, assign the position (group) to the folders it needs to
access.  Again, adding and removing the group from folders would need to
be well documented.  Also, there would be one group for each employee.
I'm not sure if that would be more or less groups than you already have.


Oh, and document everything.  Did I mention you should have good
policies and procedures in place, educate the IT staff, and then enforce
them?

Jay Bowers
Security Analyst
Indianapolis, IN

-----Original Message-----
From: Gary Collis [mailto:onesl1fox () 27 eclipse co uk] 
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions /
data store structures

Hi,
> We have a helpdesk that will soon be moving away from having domain 
> admin priveliges. At the minute NTFS file permission change requests 
> go through the helpdesk and the helpdesk execute accordingly. However 
> as they will be losing their domain admin priv's I would like to allow

> them to continue doing this wihout giving them permssion to read the 
> data itself.
>
> I would also like your views on the most effective way to structe data

> store permisisoning across the company. e.g. We have a folder per 
> department now and grant people priveliges when requested and approved

> by department head, but this often becomes messy as we have numerous 
> people with read access in some folders, write access in others, 
> modify access to some files etc etc.
>
>  How do other people approach these two issues?
>
> Thanks,
>
>