One thing I've learned about myself over the years is that I'm a much
better Sys Admin than a profiler.  Abandoning least privilege security
principles because I've got a good feeling about the trustworthiness of
the people around me seems like a bad idea to me.  This is how you end
up with umpteen people in the Administrators group and too many cooks in
the kitchen.  More dangerous than the shady tech is the "helpful" one
that thinks he can fix a problem for you.  Usually making it worse.

"It's not so much what we don't know that hurts us; it's what we do know
that ain't so!" - Mark Twain

 

> -----Original Message-----
> From: lists [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 05, 2006 5:41 PM
> To: [EMAIL PROTECTED]; [email protected]
> Subject: RE: Share Permissions
> 
> Hi Monrad,
> 
> Just my 2p worth, but, coming from a UK security cleared (DV) 
> background, my recommendation would be to vet your staff 
> rather than restricting their access.  Access permissions are 
> great, and they do add 30 seconds or so on to any social 
> engineering attack success.  Your best bet is to vet your 
> employees, make sure they are kosher, and change their 
> passwords when they leave.... 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 05 September 2006 15:39
> To: [email protected]
> Subject: Share Permissions
> 
> We have several W2K3 file & print servers maintained by our 
> server team.
> 
> I am trying to follow least privileges principles and set up 
> permissions for our account operators to have the minimum 
> required rights on these servers to do their jobs.
> 
> Done:
> 
> 1.  Create personal folders - No problem, NTFS rights on a 
> folder for user drives solves this.
> 
> 2.  Set permissions on personal folders - No problem - Full 
> rights for techs so they can set permissions.
> 
> Problem:
> 
>   Create shares - As far as I can tell, only power users and 
> administrators have the rights to create shares.  
>   I don't want the account operators to have the additional 
> rights that come with the power user group.
> 
> Bonus Problem:
> 
>   We have numerous drives holding different shares based on 
> department and function.  Giving the account operators rights 
> to traverse through the root share on all non-system shares 
> would ease their job.  The ability to create a share using 
> MMC and navigate through the root to the user share is just 
> one example of this.  I have not been able to find a way to 
> effectively change the permissions on the root share (i.e. 
> F$) without disabling all admin shares and creating more 
> problems after a reboot or server service restart.
> 
> Any help would be appreciated.
> 
> Drew
> 