Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Share Permissions

from [lists] Network Security [Permanent Link]
Subject: RE: Share Permissions
Date: Tue, 5 Sep 2006 22:40:57 +0100 
Hi Monrad,

Just my 2p worth, but, coming from a UK security cleared (DV) background, my
recommendation would be to vet your staff rather than restricting their
access.  Access permissions are great, and they do add 30 seconds or so on
to any social engineering attack success.  Your best bet is to vet your
employees, make sure they are kosher, and change their passwords when they
leave.... 

-----Original Message-----
From: Monrad.DC@forces.gc.ca [mailto:Monrad.DC@forces.gc.ca] 
Sent: 05 September 2006 15:39
To: focus-ms@securityfocus.com
Subject: Share Permissions

We have several W2K3 file & print servers maintained by our server team.

I am trying to follow least privileges principles and set up permissions for
our account operators to have the minimum required rights on these servers
to do their jobs.

Done:

1.  Create personal folders - No problem, NTFS rights on a folder for user
drives solves this.

2.  Set permissions on personal folders - No problem - Full rights for techs
so they can set permissions.

Problem:

  Create shares - As far as I can tell, only power users and administrators
have the rights to create shares.  
  I don't want the account operators to have the additional rights that come
with the power user group.

Bonus Problem:

  We have numerous drives holding different shares based on department and
function.  Giving the account operators rights to traverse through the root
share on all non -system shares would ease their job.  The ability to create
a share using MMC and navigate through the root to the user share is just
one example of this.  I have not been able to find a way to effectively
change the permissions on the root share (i.e. F$) without disabling all
admin shares and creating more problems after a reboot or server service
restart.

Any help would be appreciated.

Drew

---------------------------------------------------------------------------
---------------------------------------------------------------------------




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.11.7/437 - Release Date: 04/09/2006




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: FW: MST transforms templates from sec persepctive?, Eoin Miller
Next by Date:  Re: Disabling syskey on XP pro, Denis Jedig
Previous by Thread:  Share Permissions, Monrad.DC
Next by Thread:  RE: Share Permissions, Aleksandr Sevostjanov
Indexes:  [Date] [Thread] [Top] [All Lists]