Adding on.
Google and read up on the following security principles (they are just short paragraphs):
"Principle of least privilege", "Needs to Know", "Separation of Duties", "Privileges and Rights", Discretionary Access Control / Ownership.
As administrator you need to control all system and software components - users need read access - except where software requires more.
Administrator has full control of everything anyway.
For Backup purposes, Backup Operators need read access to all folders/data.
Users:
You need to break it down to the structure of your organization and go from there.
Users own their data so they should have control; however, give permission where it won't harm. Educate them, especially if you have a folder that everyone can read, so that they don't put anything there that they don't want others to know.
To answer your question about \share - apply the above principles
\share (should be read only - you don't want anyone to delete \Share, folder traversal should be carefully considered if at all)
\Accounting (use group to facilitate policy - separation of duties, protect this root, don't want \Accounting to be deleted)
\Apps (consider separation - this is not data, therefore users should not be owning this folder in any shape or form)
\Projects (project managers - consider ProjectName under this - separation of duties, need to know)
\VideoProduction
Users own their files.
Hope this gives you ideas. Key thing is you don't want users to be able to delete folders and child folders - wiping out the entire structure that includes data belonging to another group of users - and you don't want information leakage outside of groups and owners.
Plan, plan, plan.
by: richrumble, posted on 2005-10-06 at 12:28:47, ID: 15033568
This takes a bit of planning, but only authorized persons should have access to certain files/folders/shares.
The Accounting folks should be the only ones authorized to access the accounting data; it's their job, so if someone needs accounting info, they should get it from an authority, such as the accounting group.
IT admins' access is something for discussion. An IT admin can reset a user's password and access the folders that way, or you can flat out give them access to these folders. In either case, you need to turn the event logging up on servers that hold critical data. The default logging on M$ machines is not adequate. Get an application that will allow you to sort and parse through event logs quickly, such as GFI's SELM or Snare from http://www.intersectalliance.com/projects/SnareWindows/index.html. These utilities can also alert you when a certain event has occurred and you can act on it sooner rather than later.
If there are non-critical data shares, make them readable to all, but only writable if there are things such as documents that need to be opened, or it's a person's home directory. No user should have access to another's home dir, typically. If they need to share data, they can copy it to a community share.
NTFS permissions afford you the most latitude and granularity for access control. Typically I set up a share with "Everyone" full control on the share, no other accounts, then use the NTFS permissions to lock the files/folders down. Share and NTFS permissions will assign the access of the least privilege. So even though I have FC on the share, any settings on the NTFS permissions will start to hinder that FC. So if I select "deny delete" rights, then the user can't delete that file/folder.
Second-level and child folders typically, by default, inherit the permissions of the parent folder. If you uncheck "inherit" permissions, you're asked if you would like to copy or clear the current settings. I typically select copy, and then add/remove groups/accounts and modify their access. You should be able to set up folders for each group to use, and if requested, set up a special folder for a CEO or whoever to only have access to.
Also get a good AUP in place: http://www.sans.org/resources/policies/
-rich
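As an added example (not code from either answer above), the following PowerShell builds the \Share tree the first answer sketches and applies the second answer's "uncheck inherit, choose copy, then adjust" approach with explicit NTFS ACEs. Instead of a Deny entry it withholds Delete on each group's top folder by granting the group only ReadAndExecute on the folder object itself, while Modify applies to everything beneath it; the root path, domain name and group names are assumptions for a lab box.

```powershell
# Added example (not from either post): lays out the \Share tree described in the first answer
# and applies the second answer's "uncheck inherit, copy, then adjust" approach with explicit ACEs.
# Root path, domain name and group names are assumptions for a lab box.
$Root   = 'D:\Share'
$Domain = 'CORP'
$Folders = @{
    'Accounting'      = "$Domain\Accounting"
    'Projects'        = "$Domain\ProjectManagers"
    'VideoProduction' = "$Domain\VideoProduction"
}

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]$Prop = 'None'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Prop, 'Allow')
}

# Share root: admins/SYSTEM own it, Backup Operators read everything, users may only list the root.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$acl = Get-Acl $Root
$acl.SetAccessRuleProtection($true, $false)   # break inheritance from D:\ and start from an empty DACL
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators'   'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'      'FullControl'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Backup Operators' 'ReadAndExecute'))
# Non-inheriting: users can see the folder names but gain nothing below this point.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' -Inherit 'None'))
Set-Acl -Path $Root -AclObject $acl

foreach ($name in $Folders.Keys) {
    $path  = Join-Path $Root $name
    $group = $Folders[$name]
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl $path
    # "Copy" on the inheritance prompt: keep the admin/SYSTEM/backup ACEs as explicit entries.
    $acl.SetAccessRuleProtection($true, $true)
    # The group may create, change and remove content below its folder...
    $acl.AddAccessRule((New-Ace $group 'Modify' -Prop 'InheritOnly'))
    # ...but only read/list the folder itself, so the top of the group tree cannot be deleted or renamed.
    $acl.AddAccessRule((New-Ace $group 'ReadAndExecute' -Inherit 'None'))
    Set-Acl -Path $path -AclObject $acl
}
# Check: list the explicit (non-inherited) ACEs on each group folder.
Get-ChildItem $Root -Directory | ForEach-Object {
    (Get-Acl $_.FullName).Access | Where-Object { -not $_.IsInherited } | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
}
```

Run it from an elevated prompt; the root's DACL is rebuilt from scratch, so do not point $Root at a folder that already holds data.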