Security Basics mailing list archives
RE: Securely allowing the helpdesk to change file permissions / data store structures
From: "Crawley, Jim" <Jim.Crawley () yrbrands com>
Date: Thu, 13 Sep 2007 09:06:06 +1000
One solution for the Share side of this issue is to create a generic share \\server\finUsers$ and then create user folders under this share. Share rights set to Full for [admin]/[tech group] and modify/change for the [user group(finUsers)].
That's actually how we're doing it now for personal drives. "\\server\users$" has "read" and "list contents" access applied to that directory only, so people can traverse to their own directory, and the most the helpdesk can screw up is by not giving the person access to their own directory or giving them too much. The helpdesk themselves only have access to subfolders and files. I've been going crazy with "special permissions" as of late; it's well worth it due to how badly things have been done in the past. I've got a very long weekend of re-creating shares ahead of me due to a weird setup for the largest site for user directories. Currently the user directories are under a few different directories, not all consistent and together. For the above solution to work they all need to be under one directory. I'm hopeless at scripting, otherwise I'd code something that could look at the share name (which is always the username) and grant permissions from there. :/
This would be a good time to examine the file/permissions structure, and overhaul if necessary. Methods that don't work are where individual userids are assigned to a folder, and there is no paper trail to determine when a user was given access. This leads to a lot of empty SIDs on a folder, and users with permissions that stick when they move from one position to another within a company.
That's essentially what I did for shared drives when I found this issue and took ownership of permissions, revoking it from the helpdesk. All permissions are assigned to groups and the helpdesk now just needs to add/remove people from said groups. They only need access for people's personal drives, which are the only ones where rights are assigned to individuals. I was quite amazed and shocked to see the bad practices and haphazard ways things had been done prior to my taking over these tasks.
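The layout described in this message (one share root with "read" and "list contents" on that directory only, the helpdesk limited to subfolders and files, and each user granted rights on the folder that carries their username) can be scripted. The PowerShell below is an added example, not code from Jim, Monrad or anyone else on the thread. The local path D:\Users$, the domain CORP, the group names FileAdmins and Helpdesk, and the exact rights level given to the helpdesk (Modify plus ChangePermissions, the narrowest set that still lets them fix a user's folder) are all assumptions; finUsers is taken from the quoted post.

```powershell
# Added example (not from the thread): build the \\server\users$ layout the post describes.
# Every path, domain and group name here is an assumption for illustration.
$Root        = 'D:\Users$'             # assumed local path behind \\server\users$
$Domain      = 'CORP'                  # assumed NetBIOS domain name
$AdminGrp    = "$Domain\FileAdmins"    # assumed admin/tech group
$HelpdeskGrp = "$Domain\Helpdesk"      # assumed helpdesk group
$UsersGrp    = "$Domain\finUsers"      # group of everyone who gets a home folder

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Both        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Rule {
    # Small wrapper so each ACE reads as (who, what, where it applies).
    param($Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inherit, $Propagate, $Allow
}

function Set-HomeRootAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries, then clear any
    # explicit entries so the root ends up with exactly the rules below.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in @($acl.Access)) { if (-not $r.IsInherited) { [void]$acl.RemoveAccessRule($r) } }
    # Admins and SYSTEM: full control on the root and everything under it.
    $acl.AddAccessRule((New-Rule $AdminGrp 'FullControl' $Both $NoProp))
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $Both $NoProp))
    # Home-drive users: read + list on THIS FOLDER ONLY, so they can traverse to their
    # own directory but nothing is inherited into anyone else's folder.
    $acl.AddAccessRule((New-Rule $UsersGrp 'ReadAndExecute' $ThisOnly $NoProp))
    # Helpdesk: "subfolders and files only" (InheritOnly), never the share root itself.
    $acl.AddAccessRule((New-Rule $HelpdeskGrp 'Modify, ChangePermissions' $Both $InheritOnly))
    if ($PSCmdlet.ShouldProcess($Path, 'Set-Acl')) { Set-Acl -Path $Path -AclObject $acl }
}

function Grant-UserHomeFolders {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path)
    foreach ($dir in Get-ChildItem -Path $Path -Directory) {
        $user = $dir.Name   # folder name is the username, as in the post
        # Resolve the account first: a folder whose name no longer matches an account is
        # skipped rather than becoming one of the orphaned SIDs the quoted message describes.
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($Domain, $user)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch {
            Write-Warning "$($dir.FullName): no account $Domain\$user, granting nothing"
            continue
        }
        $acl = Get-Acl -Path $dir.FullName
        # The user's own folder inherits the admin/SYSTEM/helpdesk entries from the root;
        # the only per-user ACE anywhere is this Modify grant on their own tree.
        $acl.AddAccessRule((New-Rule $sid 'Modify' $Both $NoProp))
        if ($PSCmdlet.ShouldProcess($dir.FullName, "grant Modify to $Domain\$user")) {
            Set-Acl -Path $dir.FullName -AclObject $acl
        }
    }
}

# Dry run first; remove -WhatIf once the reported actions look right.
Set-HomeRootAcl       -Path $Root -WhatIf
Grant-UserHomeFolders -Path $Root -WhatIf
```

Run it against the consolidated root once the user directories have all been moved under one directory, since the root ACE with "this folder only" scope is what keeps the users group out of each other's folders. The Translate step is the check a practitioner wants before granting anything: it is what stops stale folder names from turning into the unresolvable SIDs described in the quoted message.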