Security Basics mailing list archives

Re: Securely allowing the helpdesk to change file permissions / data store structures


From: MaddHatter <maddhatt+securitybasics () cat pdx edu>
Date: Wed, 12 Sep 2007 00:38:43 -0700

We have a helpdesk that will soon be moving away from having domain 
admin privileges. At the minute NTFS file permission change requests 
go through the helpdesk and the helpdesk execute accordingly. However 
as they will be losing their domain admin privs I would like to allow 
them to continue doing this without giving them permission to read the 
data itself.

I would also like your views on the most effective way to structure data 
store permissioning across the company.

As you're probably aware, domain admin rights just to change 
filesystem permissions is killing a cockroach with a bazooka... 
never a good idea for security. Windows will allow you to grant a 
user rights to change permissions without granting them read access 
to the data. However, that approach is false security at best 
because one could easily change the permissions to grant oneself 
read access, copy the data, then revoke the self-granted read 
access. Without auditing and careful log analysis in place, this 
breach would likely go unnoticed, and you've done nothing to 
prevent it in the first place.

A better approach might be to give the help desk authorized, 
logged, and secure access to a web page that can enqueue filesystem
permission change requests. Some regularly-scheduled script run
from a secure server could then execute the queued requests as 
often as necessary. The help desk has no elevated operating system 
rights, but they can still make changes. Their changes are logged
and carefully sanitized so as to prevent changes beyond the 
scope of their job. Your task then becomes securing and sanitizing 
a well-defined interface rather than granting and having to audit 
overly broad operating system security rights.

As for structuring data storage, it's impossible to give any 
reasonable answer without knowing more about the available storage
infrastructure, criticality of the data, frequency of updates, 
needs of the users, and so forth. Is it insufficient to just have
each user work out of their home directory? (A home directory, I
would assume, that is mapped to a server, not their local 
workstations.)
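As an added illustration (not code from MaddHatter's reply or from any product), here is a Python sketch of the sanitizing layer the reply describes: the step between the help desk's request form and the scheduled script that applies queued NTFS changes. Every request is checked against a fixed scope (delegated share roots only, never the share root itself, no `..` traversal, only designated ACL groups as principals, only a short list of rights with no full control), every decision is written to an audit record, and accepted requests are rendered as `icacls` argument lists ready for `subprocess.run` on the file server. The share roots, the `CORP` domain, the `ACL-*` group naming convention, the ticket format and the sample queue are all assumptions constructed for the example; the `/grant`, `/remove` and `(OI)(CI)` inheritance syntax is standard `icacls` usage.

```python
# Added example: sanitizer for a help-desk NTFS permission-change queue.
# Assumptions (not from the thread): share roots, CORP domain, ACL-* group names.
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import Optional

ALLOWED_ROOTS = (r"\\fileserver\dept", r"\\fileserver\projects")   # assumption
ALLOWED_SHARES = {root.lower() for root in ALLOWED_ROOTS}
ALLOWED_RIGHTS = {"R", "RX", "M"}      # read, read+execute, modify: no F (full control)
ALLOWED_ACTIONS = {"grant", "remove"}
PRINCIPAL_RE = re.compile(r"^CORP\\ACL-[A-Za-z0-9_-]+$")  # assumption: only ACL-* groups
BAD_CHARS = set('<>:"|?*')             # invalid in NTFS names; also blocks wildcard games


@dataclass(frozen=True)
class Request:
    ticket: str      # help-desk ticket id, kept for the audit trail
    requester: str   # help-desk account that enqueued the change
    action: str      # "grant" or "remove"
    path: str        # UNC path whose ACL changes
    principal: str   # group receiving or losing access
    right: str = ""  # icacls simple right, only used for "grant"


def validate(req: Request) -> list:
    """Return the reasons a request is rejected; an empty list means accepted."""
    errors = []
    if req.action not in ALLOWED_ACTIONS:
        errors.append(f"action {req.action!r} not allowed")
    p = PureWindowsPath(req.path)
    if ".." in p.parts:
        errors.append("path may not contain '..'")
    # drive is the \\server\share part; at least one folder below it is required,
    # so the share root's own ACL can never be touched from the queue.
    elif p.drive.lower() not in ALLOWED_SHARES or len(p.parts) < 2:
        errors.append("path must be a folder below one of the delegated shares")
    elif any(set(part) & BAD_CHARS for part in p.parts[1:]):
        errors.append("path contains characters that are invalid in NTFS names")
    if not PRINCIPAL_RE.match(req.principal):
        errors.append("principal must be a CORP\\ACL-* group")
    if req.action == "grant" and req.right not in ALLOWED_RIGHTS:
        errors.append(f"right {req.right!r} not in {sorted(ALLOWED_RIGHTS)}")
    return errors


def build_command(req: Request) -> list:
    """Render a validated request as an icacls argv list (no shell, so no quoting issues)."""
    path = str(PureWindowsPath(req.path))
    if req.action == "grant":
        # (OI)(CI): the ACE inherits to files and sub-folders, like a share-style grant.
        return ["icacls", path, "/grant", f"{req.principal}:(OI)(CI){req.right}"]
    return ["icacls", path, "/remove", req.principal]


def process_queue(queue: list, now: Optional[datetime] = None):
    """Sanitize every queued request; return (argv commands to run, audit records)."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    commands, audit = [], []
    for req in queue:
        errors = validate(req)
        audit.append({"time": stamp, **asdict(req), "accepted": not errors, "reasons": errors})
        if not errors:
            commands.append(build_command(req))
    return commands, audit


def sample_queue() -> list:
    """Constructed sample requests: two legitimate, three that must be refused."""
    return [
        Request("HD-1001", "hd.alice", "grant", r"\\fileserver\dept\hr", r"CORP\ACL-HR-Read", "R"),
        Request("HD-1002", "hd.bob", "grant", r"\\fileserver\dept\hr\..\..\finance", r"CORP\ACL-HR-Read", "R"),
        Request("HD-1003", "hd.bob", "grant", r"\\fileserver\dept\finance", r"CORP\hd.bob", "R"),
        Request("HD-1004", "hd.carol", "grant", r"\\fileserver\projects\apollo", r"CORP\ACL-Apollo-RW", "F"),
        Request("HD-1005", "hd.alice", "remove", r"\\fileserver\projects\apollo", r"CORP\ACL-Old-Team"),
    ]


if __name__ == "__main__":
    cmds, log = process_queue(sample_queue())
    for record in log:
        print(json.dumps(record))       # one JSON line per request: the audit trail
    for argv in cmds:
        print("would run:", argv)       # hand these to subprocess.run(argv) on the file server
```

The third sample request is the case the reply warns about (a help-desk account granting itself read access): it never reaches the file server because the principal rule only admits designated ACL groups, and the refusal is recorded with the requester's name. Running the applier as a service account on the file server, rather than with domain admin, keeps the blast radius to the delegated shares even if the queue is somehow abused.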
