Home
Monday, May 29, 2017
4:40:55 AM
Users online: 0   You are here >> Home > Security

Forums | Security Forums search
Forum FAQ
   
  1  
Server Maintenance and Crit Data
Penniless_Prophet 
4/8/08 11:47:45 AM
Guru

Hi Guys,
Question about how to tackle an issue, we have a server which has some very sensitive information which is maintained by the IT team. How can I segment the rights of the IT team so that they can do everything they need to in terms of backing stuff up etc and those who should have access to the data.

Cheers,
PP

-----
http://slaveofheaven.blogspot.com


I make magic happen on a regular basis, I am so good at it that people have started to think its normal...

bignath99 
4/8/08 12:09:43 PM
Master

What OS is the server running?
Do you simply not want the IT staff to be able to access said data?
Typically IT staff will need access rights to everything, for backing up etc.

-----
Q6600 @ stock , GA-P35-DS3R , 2GB XMS2 667 , 7600GT , 2x80GB Raid 0 , 200GB , 400GB , P182 ,
G11 keyboard , G5 mouse , 480watt true power , Z-5550 Digital ,2x BenQ 22"

Penniless_Prophet 
4/8/08 12:22:47 PM
Guru

Windows Server is what I am assuming but may be proven wrong I have requested this data. I mean if it falls down to I absoluely must maintain the server myself then I guess thats how the cookie crumbles. But I don't like having 1 lonely server sitting somewhere being maintained outside of policy.

Oh also if anyone was thinking of encryption I am fully up for it, I just need a solution that is Very user friendly to pull the files out of a 'vault' and put it back in.

-----
http://slaveofheaven.blogspot.com


I make magic happen on a regular basis, I am so good at it that people have started to think its normal...

bignath99 
4/8/08 12:42:07 PM
Master

If the data doesnt need to be apart of the normal backup proccess,
you can just resrict access to the folders/files. only allowing the
desired user groups access.
Thats about the simplist solutions i could devise, but im sure
someone will have somthing better.


Edited by bignath99: 4/8/2008 12:42:53 PM

-----
Q6600 @ stock , GA-P35-DS3R , 2GB XMS2 667 , 7600GT , 2x80GB Raid 0 , 200GB , 400GB , P182 ,
G11 keyboard , G5 mouse , 480watt true power , Z-5550 Digital ,2x BenQ 22"

Jeruselem 
5/8/08 11:06:34 AM
Champion

Apply permissions via groups. Normally Administrators have access to just about everything - you can change permissions so normal Admins can't see it, and restrict it to small group of Admins. Of course, the uber admins and backup accounts must have access in case you need to do something with it.

-----
PC 1: XP Home SP2, Opty 165@1.8Ghz, GEIL 1GB PC3200, 320GB SATA Cuda ES,XFX 9600GSO 580/700x2/1450, Seasonic S12+ 550W
PC 2: XP Home SP3, XP 3000+@2.24 Ghz, 1GB PC3200, 80GB IDE,ASUS nVidia 6800 512MB, Antec PlanetWatts 380W

elmo198 
5/8/08 10:58:03 PM
Champion

gpedit.msc will show you the way.

you really want to use scripts if ya want to be hardcore about permission rights. is far easier to maintain a server. that is something you will need to use your google-fu to find out, as each admin will have their own secrets.

-----
http://users.tpg.com.au/elmie/linux/
http://users.tpg.com.au/elmie/windows/

eckythump 
7/8/08 6:07:52 PM
Overlord

Generally, if you've got physical access to a machine, it's yours. If there's sensitive data on it that you don't want the maintenance guys to be able to see, then this could be difficult. Especially if it's perfectly reasonable for the machine to be rebooted. You can limit access rights as stated above, but if you want backups, then this doesn't really work.

It's also worth remembering that your data is only as safe as where it's backed up to, too.

So, the best you can probably do is limit user rights, and automate backups. I have several machines backing up to a central server which has a shitload of disk space and no special security in place, past the standard user authentication. I use a public key to encrypt the backup before it's sent over the network and saved onto the backup servers disk. If I need to recover, I need to dig out the private key that I store here at home, off-site, and also need the private key's passphrase. This is an approach you could look into if you want to backup the critical data.

But ultimately, what it comes down to is: If you don't trust the people, don't let them touch the machine.

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."

c8h10n4o2! 
8/8/08 11:28:38 PM
Serf
Users of the backup operators group can bypass permissions for the sake of backing data up, it doesn't mean they can view or use the data. You could combine this with the auditing functionality built into windows to see what and who is accessing files.

In terms of enterprise encryption, a Credant Enterprise server is the only road I would recommend.

-----

  1  
Forums | Security