Network sharing

I spoke to the previous IT guy today and he said that he disabled file sharing on purpose for security. Which is OK. I won't have to change that; I'll just change the permissions with a login script as advised by ev0.

It is just me with 40 users; I hope I am not out of my depth :D

Seems a bit odd it's just the one person with the secure setup, but if the company is only 40 users then that makes it a bit more understandable :)

Guessing it's a financial of some description then?

And you want a startup script, not login script (startup runs under machine/system perms, logon runs under user perms) :)

What I will say is if it is now just you there make sure any changes with regards to security are documented, reasoned and approved by someone higher up the chain in the business.

The security will have been set up like that for a reason and you don't want to go changing it for the worse :)
 
I do have more technical people within the company that I work for to fall back on, but this is the sort of thing that they won't be able to help me with. I work for a managed services company, so there are a lot of engineers and more senior people. But my boss is not very good security-wise.

OK, so I'll set up a startup script through Group Policy that will change the permissions. Thanks again.
 
What are the files doing on the workstations?

How secure do you want to be?

Sounds like a mess.

Put the files on the server.

If it's real secret data, encrypt workstations and server disks.

Lock workstations down so the USB / CDs don't work.
 
Question: To make it easier and less disruptive I wanted to enable file and print sharing on the clients so that I could change permissions on folders remotely without having to physically go on to every machine.

If I wanted your data I would simply boot from a Linux live-type CD and copy it; file permissions on a workstation may as well not be there.

Setting file permissions on the workstations does not protect the data against anyone who wants to access it, unless the drive is also encrypted!

(Or did you say they were encrypted already?) Anyway, as I said before, put the files on the server.

Remember I can also boot your server from CD, so data needs to be encrypted, or at the very least the server needs to be physically protected somehow...
 
It is a bit of a mess but I just started there last week. So I have to learn the network and everything and fix problems. On the new Windows 7 machines that are half rolled out, the users cannot even change passwords. It comes up with "complexity requirements are not met", but the Group Policy does not specify complexity requirements. The Group Policy and AD are very unorganized and the Windows 7 machines were just cloned with no new SID or sysprep :(.

The reason I want to change permissions is because I want to update the Office templates and the guy who made the image did not give domain users write access to the folder. I guess another way would have been to point the templates to a server location. But I think it is best to have templates on the local machine due to the way Word works.
 
Don't forget about what to do with your backup tapes / media...

Technically it should be encrypted, but I'd never be brave enough to set that option... I'd go with physical security on the backup media...
 
The backup procedure is already in place and there are no problems with security. I have just never come across this sort of network. So I was unsure on best practice.

They did not want to use full disk encryption. I will definitely try and bring that up again if I have to rebuild the Windows 7 image due to the non-sysprep image causing problems with password changing. But the first time I mentioned it to the office manager he did not think it was required and would cause a hassle. They have a BIOS boot password and have a policy on shutting down the PCs, and the building is pretty secure.
 
Looking at what you've just written, your best course of action would be to build a new image and re-deploy to the fubar'd desktops. That way you can have a 'good' image to roll out to the rest of the machines.

Also if this is a 'secure' environment there should be a document stating what is and is not permissible on the network and why. Use this document to build the new image. If the document does not exist, time to start the writing and document approvals process.
That way when you move on, the next guy won't be flying blind as you are at the moment.
 
This is what I would do.
 
I tried adding the template update script to the Group Policy startup scripts but it still did not work with normal domain users.

Running the script as administrator works OK. I am going to have to change the permissions on the folder, it seems.
 
I have tried to use Group Policy startup scripts to change permissions but that does not work; it comes up with access denied.

I thought that Group Policy startup scripts were meant to be running from an elevated user context?

It seems like the startup scripts are running from the user context.
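
Added example, not part of the thread: a computer startup script that first logs which account it is really running as, and only then grants Modify on the one templates folder. The folder path, the group name and the log file name are placeholders, since the thread gives none of them; the script does not diagnose the access denied error, it only records the context so the startup-versus-logon question can be settled from the log.

```powershell
# Added example. Intended to be linked under Computer Configuration >
# Windows Settings > Scripts > Startup. Paths and names are placeholders.
$TemplateDir = 'C:\PLACEHOLDER\OfficeTemplates'   # assumed local templates folder
$Group       = 'EXAMPLE\Domain Users'             # assumed domain and group name
# TEMP is C:\Windows\Temp for SYSTEM and the user's own temp folder otherwise,
# so the log can be written whichever context the script ends up in.
$LogFile     = Join-Path $env:TEMP 'template-acl.log'

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogFile -Value "$stamp $Message"
}

# Record the account the script actually runs as.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as $($identity.Name) (IsSystem=$($identity.IsSystem))"

# A startup script should be SYSTEM. If it is not, it was linked as a logon
# script or run by hand, and an ACL change would fail or apply unreviewed.
if (-not $identity.IsSystem) {
    Write-Log 'Not running as SYSTEM. No changes made.'
    exit 1
}

if (-not (Test-Path -LiteralPath $TemplateDir -PathType Container)) {
    Write-Log "Folder not found: $TemplateDir. No changes made."
    exit 2
}

# Grant Modify on this folder only, inherited by subfolders (CI) and files (OI).
$grant  = '{0}:(OI)(CI)M' -f $Group
$output = & icacls.exe $TemplateDir /grant $grant 2>&1
Write-Log "icacls exit code $LASTEXITCODE : $($output -join ' | ')"
exit $LASTEXITCODE
```

The log line with the account name is also a record of the change that can go with the documented, approved permission change suggested earlier in the thread.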
 