Security Basics mailing list archives

RE: Securely allowing the helpdesk to change file permissions / data store structures


From: "Crawley, Jim" <Jim.Crawley () yrbrands com>
Date: Wed, 12 Sep 2007 15:31:05 +1000

        The first step is giving them enough access to get to the server
via remote desktop.  That's easy to do via local security policies,
specifying either local or domain groups that are allowed to remote
control the server.  

        Our helpdesk is only allowed to create/modify user personal
drives, not the shared company drive.  For this reason they're given
read/list contents access from the root of the storage drive and only
full control from "users" onwards.  This allows them to create user
directories & set permissions.  

        The tricky part is creating the shares.  As far as I've been
able to find there are no security policies that change who can/can't
create these.  All I've found is that you have to be a member of "Power
Users" or "Administrators".  For this reason, the helpdesk's group is
added to the local "Power Users" group.

        Seems to work ok for us.

        The helpdesk used to do all file permissions until a number of
permissions were screwed up VERY badly, giving full read access to all
staff to confidential finance data.  For one line of business this was
discovered by IT before anyone else learnt about it; unfortunately, for
another line of business the users found out first and we were alerted
by a very angry CFO.

        Learn from my mistakes, limit NTFS permissions tightly to those
who you trust can do their job properly or at the very least voluntarily
take responsibility for their own stuff-ups (we're all only human after
all).


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Tuesday, 11 September 2007 4:51 AM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions /
data store structures

Hi,

We have a helpdesk that will soon be moving away from having domain
admin privileges. At the minute NTFS file permission change requests
go through the helpdesk and the helpdesk execute accordingly. However,
as they will be losing their domain admin privs I would like to allow
them to continue doing this without giving them permission to read the
data itself.

I would also like your views on the most effective way to structure data
store permissioning across the company. E.g. we have a folder per
department now and grant people privileges when requested and approved
by department head, but this often becomes messy as we have numerous
people with read access in some folders, write access in others,
modify access to some files etc etc.

 How do other people approach these two issues?

Thanks,
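
The incident described in the reply above (confidential finance data readable by all staff) is the kind of drift a periodic ACL audit catches. The following PowerShell sketch is an added example, not part of the original thread: it reports folders where a broad principal holds an Allow entry that includes read/list rights. The root path `D:\Data` and the group `CORP\Domain Users` are hypothetical placeholders.

```powershell
# Added example (not from the thread): list folders where an "all staff" style
# principal holds an Allow ACE that includes read/list rights.
# ASSUMPTIONS: D:\Data is a hypothetical storage root; CORP\Domain Users is a
# placeholder for whatever group contains all staff in your domain.
param(
    [string]   $Root = 'D:\Data',
    [string[]] $BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        'CORP\Domain Users'
    )
)

# ReadData/ListDirectory (0x1), plus the generic bits that .NET can surface
# unmapped on inherit-only ACEs: GENERIC_READ (0x80000000), GENERIC_ALL (0x10000000).
$ReadMask = 0x1 -bor 0x80000000 -bor 0x10000000

$findings = & {
        Get-Item -LiteralPath $Root                      # include the root itself
        Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $path = $_.FullName
        try   { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
        catch { Write-Warning "Could not read ACL on $path"; return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $ReadMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

# Explicit (non-inherited) entries mark where a permission was actually set;
# inherited entries show how far it propagated down the tree.
$findings | Sort-Object Inherited, Path | Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the whole tree; folders it cannot open are reported as warnings rather than silently skipped.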

 








