Security Basics mailing list archives

RE: Securely allowing the helpdesk to change file permissions / data store structures


From: "Eggleston, Mark" <meggleston () HEALTHPART COM>
Date: Wed, 12 Sep 2007 08:13:28 -0400

We encountered this same issue a few years back.  You can delegate
rights to helpdesk to administer global groups to help with NTFS
permissions (and also monitor security event logs for who made changes
in global groups - event ID #641 I believe).

We structured our user data across four "drives" as follows, which each
have the same structure modeled after our org chart:

M:\ My department (These files are only accessible by each department;
no one outside of each department can see the files stored here).

O:\ Open (These files can only be posted by the department; everyone
else at the company can only read.)

S:\ Shared/Secure (A secure area for each department & another
department to share files; it is not visible by others unless the user
previously requested specific permissions for others. This is the only
area where we modify permissions!)

R:\ Reports (A read only area where produced data reports are housed for
customer access. This location is for temporary storage of data and is
routinely purged.)

Hope this helps,

Mark
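As an added illustration (not code from the original post), the following PowerShell builds the per-department M:\, O:\ and S:\ layout described above with the matching NTFS ACLs, and pulls the group-change events used to audit delegated group administration. It assumes the drive letters exist, that department groups are named "<Dept>-Users" in a domain called CORP (hypothetical names), and that it runs as an account allowed to set ACLs.

```powershell
# Added example: department folder layout and ACLs for the M:/O:/S: pattern.
param(
    [string[]]$Departments = @('Finance', 'HR'),   # constructed sample departments
    [string]$Domain = 'CORP',                      # hypothetical NetBIOS domain name
    [int]$GroupChangeEventId = 641                 # ID cited in the post (4737 on Vista/2008+)
)

function Set-DeptAcl {
    param([string]$Path, [string]$Group, [string[]]$ReaderGroups = @())
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Break inheritance and discard inherited ACEs so only explicit grants remain
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        # Administrators keep FullControl so the folder can never be orphaned
        @('BUILTIN\Administrators', 'FullControl'),
        # Owning department gets Modify, not FullControl, so it cannot re-ACL the tree
        @("$Domain\$Group", 'Modify')
    )
    foreach ($reader in $ReaderGroups) { $rules += ,@($reader, 'ReadAndExecute') }
    foreach ($pair in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $pair[0], $pair[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($d in $Departments) {
    $grp = "$d-Users"
    # M:\ department only; O:\ department writes, whole company reads;
    # S:\ starts department-only and is the one place grants are added on request
    Set-DeptAcl -Path "M:\$d" -Group $grp
    Set-DeptAcl -Path "O:\$d" -Group $grp -ReaderGroups @("$Domain\Domain Users")
    Set-DeptAcl -Path "S:\$d" -Group $grp
}

# Audit trail for the delegated group administration: who changed which global group
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $GroupChangeEventId } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```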

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Gary Collis
Sent: Monday, September 10, 2007 2:51 PM
To: security-basics () securityfocus com
Subject: Securely allowing the helpdesk to change file permissions /
data store structures

Hi,

We have a helpdesk that will soon be moving away from having domain
admin privileges. At the minute NTFS file permission change requests
go through the helpdesk and the helpdesk execute accordingly. However
as they will be losing their domain admin privs I would like to allow
them to continue doing this without giving them permission to read the
data itself.

I would also like your views on the most effective way to structure data
store permissioning across the company. e.g. We have a folder per
department now and grant people privileges when requested and approved
by department head, but this often becomes messy as we have numerous
people with read access in some folders, write access in others,
modify access to some files etc etc.

How do other people approach these two issues?

Thanks,
