Security Basics mailing list archives
RE: Securely allowing the helpdesk to change file permissions / data store structures
From: "Bowers, Jeramy J" <jebowers () iupui edu>
Date: Wed, 12 Sep 2007 13:08:51 -0400
This would be a good time to examine the file/permissions structure, and overhaul if necessary.

Methods that don't work are those where individual userids are assigned to a folder, and there is no paper trail to determine when a user was given access. Leads to a lot of empty SIDs on a folder, and users with permissions that stick when they move from one position to another within a company.

One good method is to assign permissions for every folder based upon group membership. And all changes to group membership are handled by the helpdesk. Server admins create the groups and assign them to folders. Based on existing permissions, that could be departments, labs, and projects, or some other completely different paradigm.

Another good method is to create a group for each position within the company. Then, assign the position (group) to the folders it needs to access. Again, adding and removing the group from folders would need to be well documented. Also, there would be one group for each employee. I'm not sure if that would be more or less groups than you already have.

Oh, and document everything. Did I mention you should have good policies and procedures in place, educate the IT staff, and then enforce them?

Jay Bowers
Security Analyst
Indianapolis, IN

-----Original Message-----
From: Gary Collis [mailto:onesl1fox () 27 eclipse co uk]
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions / data store structures

Hi,

We have a helpdesk that will soon be moving away from having domain admin privileges. At the minute NTFS file permission change requests go through the helpdesk and the helpdesk execute accordingly. However as they will be losing their domain admin priv's I would like to allow them to continue doing this without giving them permission to read the data itself.

I would also like your views on the most effective way to structure data store permissioning across the company. e.g. We have a folder per department now and grant people privileges when requested and approved by department head, but this often becomes messy as we have numerous people with read access in some folders, write access in others, modify access to some files etc etc.

How do other people approach these two issues?

Thanks,
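
Added example, not part of either message above: a small Python audit of the group-based model the reply describes. It flags ACEs held by unresolved SIDs, by principals that are not documented groups, and by groups with no recorded assignment to that folder. The export layout, paths and group names are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample: one row per ACE, e.g. exported from each folder's ACL.
ACE_EXPORT = r"""folder,principal,rights
D:\Shares\Finance,BUILTIN\Administrators,FullControl
D:\Shares\Finance,CORP\FS-Finance-Modify,Modify
D:\Shares\Finance,CORP\jsmith,ReadAndExecute
D:\Shares\Finance,S-1-5-21-1111111111-2222222222-3333333333-1105,Modify
D:\Shares\Lab,NT AUTHORITY\SYSTEM,FullControl
D:\Shares\Lab,CORP\FS-Lab-Read,ReadAndExecute
D:\Shares\Lab,CORP\FS-Finance-Modify,Modify
"""

# Assumption: the written record of which group was assigned to which folder.
DOCUMENTED = {
    r"D:\Shares\Finance": {r"CORP\FS-Finance-Modify"},
    r"D:\Shares\Lab": {r"CORP\FS-Lab-Read"},
}
BUILTIN_PREFIXES = ("BUILTIN\\", "NT AUTHORITY\\")
RAW_SID = re.compile(r"^S-1-\d+(-\d+)+$")


def audit(export_text, documented):
    """Return (folder, principal, finding) for each ACE outside the group model."""
    known_groups = set().union(*documented.values())
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        folder, who = row["folder"], row["principal"]
        if who.startswith(BUILTIN_PREFIXES):
            continue  # operating-system principals, not helpdesk-managed
        if RAW_SID.match(who):
            finding = "orphaned SID"  # shown as a raw SID: account no longer resolves
        elif who not in known_groups:
            finding = "unknown principal"  # typically an individual userid
        elif who not in documented.get(folder, set()):
            finding = "undocumented assignment"  # real group, no record for this folder
        else:
            continue
        findings.append((folder, who, finding))
    return findings


if __name__ == "__main__":
    for folder, who, finding in audit(ACE_EXPORT, DOCUMENTED):
        print(f"{folder}: {who} -> {finding}")
```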