Trevor,

The central tenets of applying Sarbanes-Oxley to IT systems seem to be (in the light of clear guidance being rather lacking): Minimal, provable, repeatable, auditable. In other words, when applying permission, you stick to the least privilege model, you document your settings, you log access, you log attempts to change or circumvent the permissions, and you change control both alterations to the permission and who receives it. These steps should get you through your audit.

Obviously, each user must be personally accountable, so unless there is a clear business requirement (and hence a process required), each user must have a personal, non-shared account.

I have found that the real trick of compliance is not to pass the audit in the first year, but to be able to pass the audit every year, without spending all your time on SOX compliance work and getting bogged down in paperwork.

Lastly, full control anywhere is a bad idea, and there is very rarely a need for it outside of the administrators (and surprisingly rarely even then). Full control on share permissions will permit the users connecting to that share to alter permissions on the files they have created (i.e. own), up to and including denying themselves access. This sort of thing potentially complicates backups and, as it requires the admin to take control of the file/folder to repair such actions, it also messes up any quota systems you have put in. I have personally never seen a case where share permissions of Everyone: Full Control was a good idea, and I was very glad to see that Windows 2003 removed that as the default setting on new shares.

Cheers
James

James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect (Freelance)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Trevor Seward
Sent: 13 January 2007 16:34
To: [email protected]
Subject: SoX & Share Permissions?

Does anyone have any guidance as to what Sarbanes-Oxley would like one to use in the case of Share permissions (given NTFS permissions are properly applied)?

Has anyone experienced auditors rejecting the idea of using Everyone: Full Control in a 2003 native mode domain for Share permissions?

Thanks,
Trevor
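An added example, not part of the thread, of how an administrator could check a file server for the broad Everyone: Full Control share grant James warns about and replace it with Change so that the NTFS ACLs remain the effective control. It assumes the SmbShare PowerShell module (Windows Server 2012 or later), which the Windows 2003 servers discussed in the thread do not have; the function names, parameter names and the list of flagged groups are my own choices.

```powershell
# Added example (not from the thread). Requires the SmbShare module
# (Windows Server 2012 / Windows 8 or later); Windows 2003 would need WMI instead.

function Find-FullControlShares {
    [CmdletBinding()]
    param(
        # Broad principals for which Full Control at the share level is a finding
        # (assumed list; extend to match your environment).
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')
    )
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $account = ($ace.AccountName -split '\\')[-1]   # strip DOMAIN\ or BUILTIN\
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -eq 'Full' -and
                $BroadPrincipals -contains $account) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight
                }
            }
        }
    }
}

function Repair-ShareAccess {
    # Replace a flagged Full Control grant with Change; users can still create,
    # modify and delete files, but cannot rewrite permissions through the share.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Finding)
    process {
        Revoke-SmbShareAccess -Name $Finding.Share -AccountName $Finding.Principal -Force
        Grant-SmbShareAccess  -Name $Finding.Share -AccountName $Finding.Principal -AccessRight Change -Force
        Write-Verbose "$($Finding.Share): $($Finding.Principal) Full -> Change"
    }
}

# Report first; remediate only after the findings have been reviewed and the
# change has gone through change control, e.g.:
#   Find-FullControlShares | Repair-ShareAccess -Verbose
$findings = Find-FullControlShares
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No broad Full Control share grants found.' }
```

Running the report on a schedule and keeping its output alongside the change records gives the repeatable, auditable evidence the reply describes.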
