[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Security Policy:  MS servers (2003, 2008, 2012, ++) file transfer question.

Posted on 2016-09-29
3
Medium Priority
?
103 Views
Last Modified: 2016-10-10
Hi,
Thank you for any assistance you can provide.  

Q:  How can files be copied between MS servers with the below security requirements:
\\server111\c$\folder\file  -->  \\share$\folder\file   -->  \\server222\c$\folder\file

Main Goal: For MS servers (2003, 2008, 2012, ++), only Users with ADMIN permission Users are allowed on the c$ drive.  
IIS Developers are not given Admin permissions.  
Developers are given a specific GPO to allow only what is required for them to do their job with a higher then default User permissions, but lower then ADMIN permissions.  

With the following mostly related to, but not limited to, MS IIS web development process:  DEV   -->  Staging -->  Production  and the transfer of files between the 3 phases.  With DEV, Staging & Production environments having its own server instance.

My company has the following security requirements #1-5 below.

1.      No Local Shares (except for Users Home drives)
1.a.      This is for the purpose of preventing a Public server being mapped to a Private share.
2.  IIS Developers do not have Admin permissions
3.  RDP by Admin User not allowed
4.  share$ are accessed by Admin permission only
5.  No file transfer agent (FTP, SFTP, ect)
6.  Local Admin User is not allowed

Thanks, Scott
0
Comment
Question by:stepnharp
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 25

Expert Comment

by:NVIT
ID: 41822888
> No Local Shares

Without creating a share, users can't see, and thus, copy files.
0
 
LVL 29

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 41823222
The security requirements are quite extreme and IMO overkill.

Typically "Public" accessible servers are placed on a DMZ subnet.  A network that exists between the Internet and your internal network.  In this scenario, the DMZ'ed servers should have no internal network access except over well defined and controlled ports.  If these were web servers, the access profile would be something like (not an exhaustive list):

From Internet to DMZ:
http (80/tcp) - allow anonymous  {web traffic}
https (443/tcp) - allow anonymous  {web traffic}
inbound smtp (25/tcp) - allow anonymous  {unknown inbound email traffic}
outbound smtp (25/tcp) - allow internal email server IPs  {your company outbound email traffic}

From Internet to internal network:
Deny All

From DMZ to internal:
Deny All
* this may need to be modified depending on your infrastructure, but it should be highly controlled

From internal network to DMZ:
http (80/tcp) - allow
https (443/tcp) - allow
ftp (20-21/tcp) - allow specific IPs
rdp (3389/tcp) - allow specific IPs
in & out smtp - allow to DMZ smtp relays

OK, I'm off my soap box, every company has their own reasons for security requirements.

Anyway, to your points"

1.  SysAdmins should work with a minimum of 2 accounts.

1) their regular day account. this account has no admin privileges!
2) their admin account.  this account is used for RDP or running process with a "Run as different user" functionality.  This account does not need an mailbox or user drives.
** this prevents your point 1a.
2. Developers do not need admin access to production servers.  This includes publish access to web applications.
3.  No RDP for Sysadmins is unbelievably restrictive.  I've never had this restriction in place in even the most secure of networks.  Management has to trust at least 1 sysadmin!
4. $ shares... access by only admins as expected
5. No file transfer agents... on the server side, ok.  But running an (S)FTP(S) Service on a server is a normal task.  No FTP traffic should be out of a server in a DMZ.
No file transfer protocols, means no file transfer.
BTW, http & https are essentially file transfer protocols!
6. "Local Admin User is not allowed"  is a bad policy.  If your domain connection is in some way disrupted and the local server will not recognize the cached domain credentials, you have no way of getting on to the machine until connectivity is restored.

To perform publishing of applications to web servers, with the above severe restrictions in place you could use 1 of the methods below.  Though they may stretch your company's secure policy.

1. Replication or synchronization software running as a service on a publisher device.  It would use the Admin share(s) to move files around.  Software packages use various file transfer methods.  OS copy, ftp, ftps, sftp, etc.  
2. Microsoft Web Deploy.  Only valid for IIS7+

Someway or another, you will have to enable a file transfer process with permission to Read, Write and Delete files on your servers.

Dan
0
 

Author Closing Comment

by:stepnharp
ID: 41837628
Dan,  Thanks for your input.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question