Security Basics mailing list archives
RE: Securely allowing the helpdesk to change file permissions / data store structures
From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Wed, 12 Sep 2007 08:13:28 -0400
We encountered this same issue a few years back. You can delegate rights to helpdesk to administer global groups to help with NTFS permissions (and also monitor security event logs for who made changes in global groups - event ID #641 I believe).

We structured our user data across four "drives" as follows, which each have the same structure modeled after our org chart:

M:\ My department (These files are only accessible by each department; no one outside of each department can see the files stored here.)
O:\ Open (These files can only be posted by the department; everyone else at the company can only read.)
S:\ Shared/Secure (A secure area for each department & another department to share files; it is not visible by others unless the user previously requested specific permissions for others. This is the only area where we modify permissions!)
R:\ Reports (A read-only area where produced data reports are housed for customer access. This location is for temporary storage of data and is routinely purged.)

Hope this helps,
Mark

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Collis
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions / data store structures

Hi,
We have a helpdesk that will soon be moving away from having domain admin privileges. At the minute NTFS file permission change requests go through the helpdesk and the helpdesk execute accordingly. However as they will be losing their domain admin priv's I would like to allow them to continue doing this without giving them permission to read the data itself.

I would also like your views on the most effective way to structure data store permissioning across the company. e.g. We have a folder per department now and grant people privileges when requested and approved by department head, but this often becomes messy as we have numerous people with read access in some folders, write access in others, modify access to some files etc etc.

How do other people approach these two issues?

Thanks,
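The four-drive layout from the reply above, sketched as an added PowerShell example that is not part of the original posts: every folder ACL names only global groups, so an access request becomes a group membership change that a delegated helpdesk can make without holding NTFS rights on the data. The CORP domain, the GG-* group names, the department list and the S: pairing are assumptions; the drive letters are the ones in the post.

```powershell
# Added example. Hypothetical: CORP domain, GG-* global groups, department list.
$domain      = 'CORP'
$departments = 'Finance', 'HR'
$allStaff    = "$domain\Domain Users"

# ACEs kept on every folder (assumption: helpdesk accounts are in neither group).
$base = 'NT AUTHORITY\SYSTEM:(OI)(CI)F', 'BUILTIN\Administrators:(OI)(CI)F'

function Set-FolderAcl {
    param([string]$Path, [string[]]$Grants)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Remove inherited ACEs so nothing leaks in from the drive root.
    & icacls.exe $Path /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance failed on $Path" }
    # /grant:r replaces any earlier explicit grant for each listed principal.
    # Explicit ACEs for principals not listed here are left in place.
    & icacls.exe $Path /grant:r ($base + $Grants) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path" }
}

foreach ($dept in $departments) {
    $gg = "$domain\GG-$dept"

    # M: visible to the department only.
    Set-FolderAcl "M:\$dept" @("${gg}:(OI)(CI)M")

    # O: the department posts, everyone else can only read.
    Set-FolderAcl "O:\$dept" @("${gg}:(OI)(CI)M", "${allStaff}:(OI)(CI)RX")

    # R: read-only reports; GG-Reports-<Dept> is a hypothetical reader group.
    Set-FolderAcl "R:\$dept" @("$domain\GG-Reports-${dept}:(OI)(CI)RX")
}

# S: one folder per approved sharing arrangement, each with its own group.
# Helpdesk edits membership of these groups; the ACL itself never changes.
$shared = @{ 'Finance-HR' = "$domain\GG-Share-Finance-HR" }
foreach ($name in $shared.Keys) {
    Set-FolderAcl "S:\$name" @("$($shared[$name]):(OI)(CI)M")
}

# Print the resulting ACLs for review.
'M:\', 'O:\', 'S:\', 'R:\' | ForEach-Object { & icacls.exe $_ /t /c }
```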