Security Basics mailing list archives
Re: Securely allowing the helpdesk to change file permissions / data store structures
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 12 Sep 2007 12:37:47 +0200
On 2007-09-10 Gary Collis wrote:
We have a helpdesk that will soon be moving away from having domain admin privileges. At the minute NTFS file permission change requests go through the helpdesk and the helpdesk execute accordingly. However, as they will be losing their domain admin privileges, I would like to allow them to continue doing this without giving them permission to read the data itself.
Not doable. If they have the privilege to change permissions they can simply grant themselves read (or any other) permissions. It's pretty pointless to demote people from being admins while they still have the ability to change permissions. I'm not sure about what exactly you're trying to achieve, but you could create a domain group "Helpdesk" and add that group to the local "Administrators" group on all workstations. That way your helpdesk will be able to do administrative tasks on the workstations, but not on the domain controller. If they need to be able to do anything on the DC (e.g. modify permissions on shares) you can grant that domain group permissions to the respective folders only.
I would also like your views on the most effective way to structure data store permissioning across the company, e.g. we have a folder per department now and grant people privileges when requested and approved by the department head, but this often becomes messy as we have numerous people with read access in some folders, write access in others, modify access to some files, etc.
Don't make permissions too granular, or they'll give you hell. Why do you need to grant permissions individually in the first place? Best practice (AFAIK) is to create a group for each department, add all members of the department to that group, and grant permissions to the group instead of individual users.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
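The group-based layout recommended in the reply above, as an added PowerShell example that is not code from the thread or its authors: a helper that grants a department group Modify on its folder (Modify does not include the right to change permissions or take ownership), a check that flags per-user ACEs and any non-admin identity that can re-ACL the tree (the reason the "not doable" answer holds: whoever can change permissions can grant themselves read), and the workstation-side step of adding the domain Helpdesk group to local Administrators. The folder path and group names (D:\Departments\Finance, CONTOSO\Finance-Users, CONTOSO\Helpdesk) are assumptions.

```powershell
# Added example, not code from the thread. Hypothetical names:
# D:\Departments\Finance, CONTOSO\Finance-Users, CONTOSO\Helpdesk.
using namespace System.Security.AccessControl

# Grant a department *group* (never an individual user) Read or Modify on its
# folder, inherited by everything below. Modify deliberately excludes
# ChangePermissions and TakeOwnership, so members cannot re-ACL the tree.
function Grant-DepartmentAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Group,   # e.g. 'CONTOSO\Finance-Users'
        [ValidateSet('Read', 'Modify')] [string] $Level = 'Modify'
    )
    $rights = if ($Level -eq 'Read') { [FileSystemRights]::ReadAndExecute }
              else                   { [FileSystemRights]::Modify }
    $rule = [FileSystemAccessRule]::new(
        $Group, $rights,
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Report the two problems the reply warns about:
#  1. ACEs granted to identities outside the approved group list (the
#     "messy" per-user grants that accumulate over time);
#  2. Allow ACEs giving anyone other than the admin principals
#     ChangePermissions or TakeOwnership. Such an identity can grant itself
#     read (or anything else), so it effectively has full access.
function Test-FolderAclHygiene {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $ApprovedGroups
    )
    $adminPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    # FullControl contains both of these bits, so it is caught as well.
    $reAclRights = [int]([FileSystemRights]::ChangePermissions -bor
                         [FileSystemRights]::TakeOwnership)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $who = $ace.IdentityReference.Value
        if ($who -notin $ApprovedGroups -and $who -notin $adminPrincipals) {
            [pscustomobject]@{ Path = $Path; Identity = $who
                               Issue = 'Not an approved department group'
                               Rights = $ace.FileSystemRights }
        }
        if ($ace.AccessControlType -eq [AccessControlType]::Allow -and
            (([int]$ace.FileSystemRights) -band $reAclRights) -ne 0 -and
            $who -notin $adminPrincipals) {
            [pscustomobject]@{ Path = $Path; Identity = $who
                               Issue = 'Can change permissions (effectively full access)'
                               Rights = $ace.FileSystemRights }
        }
    }
}

# Workstation side of the reply: make the domain Helpdesk group a local
# administrator on each workstation. This grants nothing on the domain
# controllers or the file server; access there is given per folder via
# Grant-DepartmentAccess. Run on each workstation (in practice this is
# normally pushed by Group Policy rather than by hand).
function Add-HelpdeskLocalAdmin {
    param([string] $HelpdeskGroup = 'CONTOSO\Helpdesk')
    # 'net localgroup' works on every Windows version; Add-LocalGroupMember
    # (Windows 10 / Server 2016 and later) is the cmdlet equivalent.
    & net localgroup Administrators $HelpdeskGroup /add
}

# Usage (hypothetical paths and groups; these calls modify live ACLs):
# Grant-DepartmentAccess -Path 'D:\Departments\Finance' -Group 'CONTOSO\Finance-Users' -Level Modify
# Test-FolderAclHygiene  -Path 'D:\Departments\Finance' -ApprovedGroups 'CONTOSO\Finance-Users' | Format-Table
# Add-HelpdeskLocalAdmin -HelpdeskGroup 'CONTOSO\Helpdesk'
```

Run Test-FolderAclHygiene across the department roots before and after a cleanup: any identity it reports under the second issue, including a helpdesk group given "change permissions" on a folder, should be treated as having full read access to that folder regardless of what the explicit Read entries say.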