Solved

Security Policy:  MS servers (2003, 2008, 2012, ++) file transfer question.

Posted on 2016-09-29
3
80 Views
Last Modified: 2016-10-10
Hi,
Thank you for any assistance you can provide.  

Q:  How can files be copied between MS servers with the below security requirements:
\\server111\c$\folder\file  -->  \\share$\folder\file   -->  \\server222\c$\folder\file

Main Goal: For MS servers (2003, 2008, 2012, ++), only Users with ADMIN permission Users are allowed on the c$ drive.  
IIS Developers are not given Admin permissions.  
Developers are given a specific GPO to allow only what is required for them to do their job with a higher then default User permissions, but lower then ADMIN permissions.  

With the following mostly related to, but not limited to, MS IIS web development process:  DEV   -->  Staging -->  Production  and the transfer of files between the 3 phases.  With DEV, Staging & Production environments having its own server instance.

My company has the following security requirements #1-5 below.

1.      No Local Shares (except for Users Home drives)
1.a.      This is for the purpose of preventing a Public server being mapped to a Private share.
2.  IIS Developers do not have Admin permissions
3.  RDP by Admin User not allowed
4.  share$ are accessed by Admin permission only
5.  No file transfer agent (FTP, SFTP, ect)
6.  Local Admin User is not allowed

Thanks, Scott
0
Comment
Question by:stepnharp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 24

Expert Comment

by:NVIT
ID: 41822888
> No Local Shares

Without creating a share, users can't see, and thus, copy files.
0
 
LVL 28

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 41823222
The security requirements are quite extreme and IMO overkill.

Typically "Public" accessible servers are placed on a DMZ subnet.  A network that exists between the Internet and your internal network.  In this scenario, the DMZ'ed servers should have no internal network access except over well defined and controlled ports.  If these were web servers, the access profile would be something like (not an exhaustive list):

From Internet to DMZ:
http (80/tcp) - allow anonymous  {web traffic}
https (443/tcp) - allow anonymous  {web traffic}
inbound smtp (25/tcp) - allow anonymous  {unknown inbound email traffic}
outbound smtp (25/tcp) - allow internal email server IPs  {your company outbound email traffic}

From Internet to internal network:
Deny All

From DMZ to internal:
Deny All
* this may need to be modified depending on your infrastructure, but it should be highly controlled

From internal network to DMZ:
http (80/tcp) - allow
https (443/tcp) - allow
ftp (20-21/tcp) - allow specific IPs
rdp (3389/tcp) - allow specific IPs
in & out smtp - allow to DMZ smtp relays

OK, I'm off my soap box, every company has their own reasons for security requirements.

Anyway, to your points"

1.  SysAdmins should work with a minimum of 2 accounts.

1) their regular day account. this account has no admin privileges!
2) their admin account.  this account is used for RDP or running process with a "Run as different user" functionality.  This account does not need an mailbox or user drives.
** this prevents your point 1a.
2. Developers do not need admin access to production servers.  This includes publish access to web applications.
3.  No RDP for Sysadmins is unbelievably restrictive.  I've never had this restriction in place in even the most secure of networks.  Management has to trust at least 1 sysadmin!
4. $ shares... access by only admins as expected
5. No file transfer agents... on the server side, ok.  But running an (S)FTP(S) Service on a server is a normal task.  No FTP traffic should be out of a server in a DMZ.
No file transfer protocols, means no file transfer.
BTW, http & https are essentially file transfer protocols!
6. "Local Admin User is not allowed"  is a bad policy.  If your domain connection is in some way disrupted and the local server will not recognize the cached domain credentials, you have no way of getting on to the machine until connectivity is restored.

To perform publishing of applications to web servers, with the above severe restrictions in place you could use 1 of the methods below.  Though they may stretch your company's secure policy.

1. Replication or synchronization software running as a service on a publisher device.  It would use the Admin share(s) to move files around.  Software packages use various file transfer methods.  OS copy, ftp, ftps, sftp, etc.  
2. Microsoft Web Deploy.  Only valid for IIS7+

Someway or another, you will have to enable a file transfer process with permission to Read, Write and Delete files on your servers.

Dan
0
 

Author Closing Comment

by:stepnharp
ID: 41837628
Dan,  Thanks for your input.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question