Security Basics mailing list archives

Re: Securely allowing the helpdesk to change file permissions / data store structures


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 12 Sep 2007 12:37:47 +0200

On 2007-09-10 Gary Collis wrote:
> We have a helpdesk that will soon be moving away from having domain
> admin privileges. At the minute NTFS file permission change requests
> go through the helpdesk and the helpdesk execute accordingly. However,
> as they will be losing their domain admin privileges, I would like to
> allow them to continue doing this without giving them permission to
> read the data itself.

Not doable. If they have the privilege to change permissions they can
simply grant themselves read (or any other) permissions. It's pretty
pointless to demote people from being admins while they still have the
ability to change permissions.

I'm not sure about what exactly you're trying to achieve, but you could
create a domain group "Helpdesk" and add that group to the local
"Administrators" group on all workstations. That way your helpdesk will
be able to do administrative tasks on the workstations, but not on the
domain controller. If they need to be able to do anything on the DC
(e.g. modify permissions on shares) you can grant that domain group
permissions to the respective folders only.

> I would also like your views on the most effective way to structure
> data store permissioning across the company. E.g., we have a folder per
> department now and grant people privileges when requested and approved
> by the department head, but this often becomes messy as we have
> numerous people with read access in some folders, write access in
> others, modify access to some files, etc.

Don't make permissions too granular, or they'll give you hell. Why do
you need to grant permissions individually in the first place? Best
practice (AFAIK) is to create a group for each department, add all
members of the department to that group, and grant permissions to the
group instead of individual users.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
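An added audit script, not part of the thread or its author's advice, that checks a file tree for the two conditions discussed above: explicit ACEs granted to something other than an approved department group (permissions handed out to individuals), and ACEs that give Change Permissions or Take Ownership to a principal outside the admin list, since whoever can rewrite the ACL can grant themselves read access. The root path, domain prefix and group names are placeholder assumptions.

```powershell
# Assumed placeholders: adjust $Root and the CORP\... names to your own environment.
param(
    [string]   $Root             = 'D:\Shares\Departments',
    [string[]] $DepartmentGroups = @('CORP\Finance', 'CORP\Sales', 'CORP\Helpdesk'),
    [string[]] $AdminPrincipals  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins')
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal rewrite the ACL itself (FullControl includes both).
$aclControlRights = $FSR::ChangePermissions -bor $FSR::TakeOwnership

function Get-AclFindings {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only explicit Allow entries: inherited ones were already reported on the parent.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = $ace.FileSystemRights

        # Finding 1: permission granted to something that is not a department group or admin.
        if ($DepartmentGroups -notcontains $who -and $AdminPrincipals -notcontains $who) {
            [pscustomobject]@{ Path = $Path; Principal = $who
                               Finding = 'Not a department group'; Rights = $rights }
        }
        # Finding 2: non-admin principal can change permissions (and thus grant itself read).
        if ($AdminPrincipals -notcontains $who -and (($rights -band $aclControlRights) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $who
                               Finding = 'Can change permissions'; Rights = $rights }
        }
    }
}

# Walk folders only; department permissions should be set on folders, not individual files.
$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse)
$folders |
    ForEach-Object { Get-AclFindings -Path $_.FullName } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Run it from an account that can read the ACLs (no write rights are needed); an empty table means every explicit ACE belongs to an approved group and nobody outside the admin list can alter permissions.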