Security Basics mailing list archives
Re: Securely allowing the helpdesk to change file permissions / data store structures
From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Wed, 12 Sep 2007 00:38:43 -0700
We have a helpdesk that will soon be moving away from having domain admin privileges. At the minute NTFS file permission change requests go through the helpdesk and the helpdesk execute accordingly. However as they will be losing their domain admin priv's I would like to allow them to continue doing this without giving them permission to read the data itself. I would also like your views on the most effective way to structure data store permissioning across the company.
As you're probably aware, domain admin rights just to change filesystem permissions is killing a cockroach with a bazooka... never a good idea for security. Windows will allow you to grant a user rights to change permissions without granting them read access to the data. However, that approach is a false security at best because one could easily change the permissions to grant oneself read access, copy the data, then revoke the self-granted read access. Without auditing and careful log analysis in place, this breach would likely go unnoticed, and you've done nothing to prevent it in the first place.

A better approach might be to give the help desk authorized, logged, and secure access to a web page that can enqueue filesystem permission change requests. Some regularly-scheduled script run from a secure server could then execute the queued requests as often as necessary. The help desk has no elevated operating system rights, but they can still make changes. Their changes are logged and carefully sanitized so as to prevent changes beyond the scope of their job. Your task then becomes securing and sanitizing a well-defined interface rather than granting and having to audit overly broad operating system security rights.

As for structuring data storage, it's impossible to give any reasonable answer without knowing more about the available storage infrastructure, criticality of the data, frequency of updates, needs of the users, and so forth. Is it insufficient to just have each user work out of their home directory? (A home directory, I would assume, that is mapped to a server, not their local workstations.)
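The sanitizing step of the queued-request design described in the reply above, as an added example that is not part of the original post or any poster's code. The share roots, the `CORP` domain, the request fields and the use of `icacls` to apply the change are all assumptions made for illustration.

```python
import logging
import ntpath
import re

log = logging.getLogger("acl-queue")

# Constructed policy values (assumptions): replace with your shares and domain.
ALLOWED_ROOTS = [r"\\fs01\dept\projects", r"\\fs01\dept\shared"]
PRINCIPAL_RE = re.compile(r"CORP\\[A-Za-z0-9._-]{1,64}")
RIGHTS = {"read": "(OI)(CI)R", "modify": "(OI)(CI)M"}  # full control not offered


class Rejected(ValueError):
    """A queued request falls outside what the help desk may change."""


def build_command(req):
    """Validate one queued request dict and return an icacls argv list."""
    requester, principal = req["requester"], req["principal"]
    # Collapse ".." and mixed separators before comparing against the roots.
    path = ntpath.normpath(req["path"])
    folded = path.lower()
    if not any(folded == r.lower() or folded.startswith(r.lower() + "\\")
               for r in ALLOWED_ROOTS):
        raise Rejected(f"path outside managed shares: {path}")
    if not PRINCIPAL_RE.fullmatch(principal):
        raise Rejected(f"malformed principal: {principal!r}")
    # Refuse self-service changes: the simplest grant/copy/revoke abuse.
    if principal.lower() == requester.lower():
        raise Rejected("requester may not change their own access")
    if req["action"] == "remove":
        return ["icacls", path, "/remove", principal]
    if req["action"] == "grant" and req.get("right") in RIGHTS:
        return ["icacls", path, "/grant", f"{principal}:{RIGHTS[req['right']]}"]
    raise Rejected(f"unsupported action/right: {req['action']}/{req.get('right')}")


def process_queue(queue):
    """Return commands for accepted requests; log every decision."""
    commands = []
    for req in queue:
        try:
            cmd = build_command(req)
        except Rejected as exc:
            log.warning("REJECT %s: %s", req.get("requester"), exc)
            continue
        log.info("ACCEPT %s: %s", req["requester"], cmd)
        commands.append(cmd)  # scheduled job passes this list to subprocess.run
    return commands
```

Each command is returned as an argument list, so the scheduled job can run it without a shell and without re-parsing help desk input.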