Security Basics mailing list archives
RE: Securely allowing the helpdesk to change file permissions / data store structures
From: "Crawley, Jim" <Jim.Crawley () yrbrands com>
Date: Wed, 12 Sep 2007 15:31:05 +1000
The first step is giving them enough access to get to the server via remote desktop. That's easy to do via local security policies, specifying either local or domain groups that are allowed to remote control the server.

Our helpdesk is only allowed to create/modify user personal drives, not the shared company drive. For this reason they're given read/list contents access from the root of the storage drive and only full control from "users" onwards. This allows them to create user directories & set permissions.

The tricky part is creating the shares. As far as I've been able to find there are no security policies that change who can/can't create these. All I've found is that you have to be a member of "Power Users" or "Administrators". For this reason, the helpdesk's group is added to the local "Power Users" group. Seems to work ok for us.

The helpdesk used to do all file permissions until a number of permissions were screwed up VERY badly, giving full read access to all staff to confidential finance data. For one line of business this was discovered by IT before anyone else learnt about it; unfortunately for another line of business the users found out first and we were alerted by a very angry CFO.

Learn from my mistakes: limit NTFS permissions tightly to those who you trust can do their job properly or at the very least voluntarily take responsibility for their own stuff-ups (we're all only human after all).

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Collis
Sent: Tuesday, 11 September 2007 4:51 AM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions / data store structures

Hi,

We have a helpdesk that will soon be moving away from having domain admin privileges. At the minute NTFS file permission change requests go through the helpdesk and the helpdesk executes accordingly. However, as they will be losing their domain admin privs I would like to allow them to continue doing this without giving them permission to read the data itself.

I would also like your views on the most effective way to structure data store permissioning across the company. E.g. we have a folder per department now and grant people privileges when requested and approved by the department head, but this often becomes messy as we have numerous people with read access in some folders, write access in others, modify access to some files etc etc.

How do other people approach these two issues?

Thanks,
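The delegation pattern Jim describes (read/list on the root of the storage drive, full control only from the "users" folder down, Power Users for share creation) and the check that would have caught the finance-data mistake, as an added PowerShell example that is not part of the original thread. Everything concrete in it is an assumption: the storage volume is D:, personal drives live under D:\users, the confidential data is under D:\finance, the helpdesk group is DOMAIN\Helpdesk, and the "wide" principals to flag are the built-in Everyone/Users/Authenticated Users groups plus a hypothetical DOMAIN\Domain Users. It must be run elevated on the file server itself.

```powershell
# Added example, not from the original post. All names and paths below are
# assumptions; replace them with your own groups and drive layout.
$Root      = 'D:\'              # root of the storage drive
$UsersRoot = 'D:\users'         # personal drives live here
$Helpdesk  = 'DOMAIN\Helpdesk'  # hypothetical helpdesk security group

function Grant-HelpdeskDelegation {
    param([string]$Root, [string]$UsersRoot, [string]$Group)

    # 1. Root of the drive: read/list on this folder only (no inheritance), so the
    #    helpdesk can browse to "users" but gains nothing inside department folders.
    $rootAcl  = Get-Acl -Path $Root
    $rootRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $rootAcl.AddAccessRule($rootRule)
    Set-Acl -Path $Root -AclObject $rootAcl

    # 2. "users" and below: full control inherited by subfolders and files, so the
    #    helpdesk can create personal directories and set their permissions.
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
               [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $usersAcl  = Get-Acl -Path $UsersRoot
    $usersRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $usersAcl.AddAccessRule($usersRule)
    Set-Acl -Path $UsersRoot -AclObject $usersAcl

    # 3. Share creation, as in the post: membership of the local Power Users group.
    net localgroup "Power Users" $Group /add
}

function Find-BroadReadGrants {
    # Flags every folder under $Path where a wide principal holds an Allow ACE
    # that includes any read right: the condition that exposed the finance data.
    param(
        [string]$Path,
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                                       'NT AUTHORITY\Authenticated Users',
                                       'DOMAIN\Domain Users')   # hypothetical
    )

    # ReadData (bit 1) is shared with ListDirectory, so it catches both.
    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            $acl = Get-Acl -Path $folder -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $BroadPrincipals -contains $ace.IdentityReference.Value -and
                    (([int]$ace.FileSystemRights -band $readMask) -ne 0)) {
                    [pscustomobject]@{
                        Folder    = $folder
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

Grant-HelpdeskDelegation -Root $Root -UsersRoot $UsersRoot -Group $Helpdesk

# Run this one on a schedule against the confidential trees; an empty result
# is the expected state, anything listed is a permission to review.
Find-BroadReadGrants -Path 'D:\finance' | Format-Table -AutoSize
```

Two details worth keeping: the root ACE is set with InheritanceFlags None on purpose, so the read/list grant never flows into department folders that happen to sit beside "users", and the audit function reports inherited ACEs as well as explicit ones, because the broad grant that leaks a finance subfolder is usually one that was inherited from a parent rather than set on the folder itself.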
Current thread:
- Securely allowing the helpdesk to change file permissions / data store structures Gary Collis (Sep 11)
- RE: Securely allowing the helpdesk to change file permissions / data store structures Crawley, Jim (Sep 12)
- Re: Securely allowing the helpdesk to change file permissions / data store structures MaddHatter (Sep 12)
- RE: Securely allowing the helpdesk to change file permissions / data store structures Bowers, Jeramy J (Sep 12)
- Re: Securely allowing the helpdesk to change file permissions / data store structures Ansgar -59cobalt- Wiechers (Sep 12)
- RE: Securely allowing the helpdesk to change file permissions / data store structures Eggleston, Mark (Sep 12)