Network Security Focus-Microsoft

RE: SoX & Share Permissions?

Subject: RE: SoX & Share Permissions?
Date: Mon, 22 Jan 2007 17:02:10 -0000
Trevor

The central tenets of applying Sarbanes-Oxley to IT systems seem to be (in
the light of clear guidance being rather lacking):

- Minimal, provable, repeatable, auditable.

In other words, when applying permissions, you stick to the least privilege
model, you document your settings, you log access, you log attempts to
change or circumvent the permissions and you change control both alterations
to the permission, and who receives it. These steps should get you through
your audit.

Obviously, each user must be personally accountable, so unless there is a
clear business requirement (and hence a process required), each user must
have a personal, non-shared account.

I have found that the real trick of compliance is not to pass the audit in
the first year, but to be able to pass the audit every year, without
spending all your time on SOX compliance work and getting bogged down in
paperwork.

Lastly, full control anywhere is a bad idea, and there is very rarely a need
for it outside of the administrators (and surprisingly rarely even then).
Full control on share permissions will permit the users connecting to that
share to alter permissions on the files they have created (i.e. own), up to
and including denying themselves access. This sort of thing potentially
complicates backups and as it requires the admin to take control of the
file/folder to repair such actions, it also messes up any quota systems you
have put in. I have personally never seen a case where share permissions of
everyone:full control was a good idea, and I was very glad to see that
Windows 2003 removed that as the default setting on new shares.

Cheers

James



James D. Stallard, MIoD
Microsoft and Networks Infrastructure Technical Architect (Freelance)
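The following PowerShell is an added illustration of the advice in James's reply (find shares granting Everyone Full control, cap the share-level grant at Change so NTFS decides effective access, and keep dated evidence of the share ACLs). It is not code from the thread or from any of its participants. It assumes a Windows Server 2012 or later host with the SmbShare module (the thread discusses Windows 2003, which predates these cmdlets); the share name FinanceDocs, the group CORP\FIN-Users and the output folder C:\Audit\Shares are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ with the
# SmbShare module. Share/group/path names below are constructed placeholders.

# 1. Inventory: every non-administrative share whose share-level ACL grants
#    Everyone Full control (the grant the reply argues against).
function Get-OverPermissiveShares {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -eq 'Full'
        } | ForEach-Object {
            [pscustomobject]@{
                Share = $share.Name
                Path  = $share.Path
                Grant = "$($_.AccountName):$($_.AccessRight)"
            }
        }
    }
}

# 2. Remediate one share: drop the Everyone grant and give a named group
#    Change instead. Share-level rights then never exceed Change, so users
#    cannot alter permissions on files they own through the share, and the
#    documented NTFS ACL determines effective access.
function Set-LeastPrivilegeShare {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Group
    )
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force
    Grant-SmbShareAccess  -Name $Name -AccountName $Group -AccessRight Change -Force
    # Return the resulting ACL so the change can be filed as audit evidence.
    Get-SmbShareAccess -Name $Name
}

# 3. Evidence: the "provable, repeatable" part. Export all share ACLs to a
#    dated CSV that can be diffed against last year's (or last month's) run.
function Export-ShareAclEvidence {
    param([string] $OutDir = 'C:\Audit\Shares')   # placeholder path
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $file = Join-Path $OutDir ("share-acl-{0:yyyyMMdd}.csv" -f (Get-Date))
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name
    } | Select-Object Name, AccountName, AccessControlType, AccessRight |
        Export-Csv -Path $file -NoTypeInformation
    $file
}

# 4. Logging attempts to change permissions: turn on the File System
#    object-access audit subcategory. A SACL on the shared folder itself
#    (auditing "Change permissions" / "Take ownership") is still required
#    for events to be generated.
function Enable-FileSystemAuditing {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}

Get-OverPermissiveShares | Format-Table -AutoSize
# Set-LeastPrivilegeShare -Name 'FinanceDocs' -Group 'CORP\FIN-Users'
# Export-ShareAclEvidence
# Enable-FileSystemAuditing
```

Run the inventory first and keep its output; the remediation and evidence export are the steps that produce the "documented, change-controlled" record an auditor asks for in later years, and the exported CSV from each run is what makes the check repeatable rather than a one-off clean-up.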





-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Trevor Seward
Sent: 13 January 2007 16:34
To: focus-ms@securityfocus.com
Subject: SoX & Share Permissions?

Does anyone have any guidance as to what Sarbanes-Oxley would like one to
use in the case of Share permissions (given NTFS permissions are properly
applied)?

Has anyone experienced auditors rejecting the idea of using Everyone: Full
Control in a 2003 native mode domain for Share permissions?

Thanks,
Trevor
