Best practice ACLs to prepare for auditors?
Posted by Nic on Server Fault
Published on 2011-01-15T20:59:28Z
An auditor will be visiting our office soon, and they will require read-only access to our data. I have already created a domain user account and placed them into a group called "Auditors".
We have a single fileserver (Windows Server 2008) with about ten shared folders. All of the shares are set up to allow full access to authenticated users, and access restrictions are implemented with NTFS ACLs. Most folders allow full access to the "Domain Users" group, but the auditor won't need to make any changes. It takes several hours to update NTFS ACLs since we have about one million files. Here are the options that I am currently considering.
- Create a "staff" group to assign read/write instead of "Domain Users" at the share level
- Create a "staff" group to assign read/write instead of "Domain Users" at the NTFS level
- Deny access to the "Auditors" group at the share level
- Deny access to the "Auditors" group at the NTFS level
- Accept the status quo and trust the auditor.
I will probably need to configure similar users in the future, as some of our contractors require a domain account but shouldn't be able to modify our client data. Is there a best practice for this?
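Before choosing between the share-level and NTFS-level options, it helps to see which entries at each level currently grant write rights to the groups involved. The following PowerShell check is an added example, not part of Nic's post; it assumes PowerShell 2.0 on the Server 2008 file server, an administrative session, and the group names from the question.

```powershell
# Added example (not from the original post): for each disk share, list the
# share-level and NTFS entries for the groups of interest and flag those that
# allow writing. Group names are assumptions taken from the question.
function Get-ShareWriteGrants {
    param([string[]]$Groups = @('Domain Users', 'Authenticated Users', 'Auditors'))

    # NTFS bits that allow changing data; Modify and FullControl include them.
    $ntfsWrite = [System.Security.AccessControl.FileSystemRights]::Write -bor `
                 [System.Security.AccessControl.FileSystemRights]::Delete
    # Share-level masks: Read = 1179817, Change = 1245631, Full = 2032127.
    # FILE_WRITE_DATA (bit 2) is present in Change and Full but not in Read.
    $shareWriteBit = 2

    # Type 0 = disk drive share; names ending in $ are hidden admin shares.
    $shares = Get-WmiObject Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Name -notmatch '\$$' }

    foreach ($share in $shares) {
        # Share-level DACL via WMI (works on Server 2008, no SmbShare cmdlets needed)
        $sec  = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in $dacl) {
            if ($Groups -notcontains $ace.Trustee.Name) { continue }
            New-Object PSObject -Property @{
                Share = $share.Name; Level = 'Share'; Identity = $ace.Trustee.Name
                Type  = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
                GrantsWrite = ($ace.AceType -eq 0) -and (($ace.AccessMask -band $shareWriteBit) -ne 0)
            }
        }
        # NTFS DACL on the share root only; recursing a million files is the slow part.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            if ($Groups -notcontains $name) { continue }
            New-Object PSObject -Property @{
                Share = $share.Name; Level = 'NTFS'; Identity = $ace.IdentityReference.Value
                Type  = $ace.AccessControlType
                GrantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                              (($ace.FileSystemRights -band $ntfsWrite) -ne 0)
            }
        }
    }
}

Get-ShareWriteGrants | Format-Table Share, Level, Identity, Type, GrantsWrite -AutoSize
```

Because share and NTFS permissions combine to the more restrictive result, a share-level change for "Auditors" takes effect immediately without touching the million-file NTFS tree; this report shows where each group's write access actually comes from.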
© Server Fault or respective owner