Best practice for file share containing log files from users

TheDigitalJedi

Hi All..
Sorry about sort of double posting; however, this is a more defined question on what to do.
I hope it's ok :-)

I have a group of people who are using a remote desktop program, and all their actions must be logged at a central storage. That's no problem; however, my users should not be able to guess their way into this file share and edit any of the files, but they have to be able to write to the share because each time a new connection is started, a new log file is created.

Now to the question: How do I configure the share permissions and NTFS permissions according to best practice?

Please note that I have some kind of working solution; however, I don't want my users to be able to guess their way into the log files.
 


Solution
To ensure that your users can write to the shared location for logging purposes while preventing them from accessing or modifying the log files, you can configure the permissions properly. Here's how you can set up the share permissions and NTFS permissions to achieve this:

Share Permissions:

  1. Create a Shared Folder:
    • Create a shared folder on your server where the log files will be stored.
  2. Set Share Permissions:
    • Grant the necessary permissions at the share level to allow users to write but not read or modify existing files.
    • Recommended Share Permissions:
      • Domain Users/Group: Full Control (to allow writing)
      • Everyone: Read (This is necessary for new log files to be created)

NTFS Permissions:

  1. Configure NTFS Permissions:
    • Set NTFS permissions on the folder where the log files are stored to control access at the file system level.
    • Recommended NTFS Permissions:
      • Grant the appropriate permissions as follows:
      • System: Full Control
      • Administrators: Full Control
      • YourUserGroup: Modify (to allow writing)
      • Everyone: Read & Execute (to enable new log file creation)
  2. Special Permissions for Log Files:
    • Apply more restrictive permissions directly to the log files to prevent users from accessing them.
      • Configure individual log files to have these permissions:
      • YourUserGroup: Deny Read & Write (to prevent log file access)
      • System: Full Control
      • Administrators: Full Control

Best Practices:

  • Avoid Giving Users Direct Access: It's best to give users access through a user group to manage permissions more efficiently.
  • Regularly Review Permissions: Periodically review and adjust permissions based on changing requirements and user access needs.
  • Monitoring and Logging: Consider implementing monitoring and logging mechanisms to track any unauthorized attempts to access or modify the log files.

By implementing these share and NTFS permissions according to best practices, you can maintain the integrity of your log files while allowing users to write new logs without compromising security. Remember to test the permissions to ensure they meet the desired level of access control. If you need further assistance or more detailed instructions, feel free to ask!
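
One way to build the create-only log folder the question asks for, as an added PowerShell example that is not part of either post. The path, share name and group are placeholders, and it assumes the logging program creates each log file and writes it through that one open handle, which Windows allows even when the new file's ACL grants the creator nothing.

```powershell
# Added example. $Path, $Share and $Group are placeholders, not names from the thread.
# Run from an elevated prompt on the file server.
$Path  = 'D:\RDLogs'
$Share = 'RDLogs'
$Group = 'EXAMPLE\RemoteDesktopUsers'
$Rule  = [System.Security.AccessControl.FileSystemAccessRule]

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)           # start from an empty explicit DACL
}

# SYSTEM and Administrators: Full Control on the folder and everything below it.
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule($Rule::new($id, 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow'))
}

# User group, this folder only: may create files but has no List Folder right,
# and the ACE is not inherited, so it grants nothing on the log files themselves.
$acl.AddAccessRule($Rule::new($Group,
    'CreateFiles, Traverse, ReadAttributes, Synchronize', 'None', 'None', 'Allow'))

# OWNER RIGHTS (S-1-3-4), inherited by files only: replaces the creator's implicit
# right to read and rewrite the DACL of their own files with ReadAttributes alone.
$ownerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')
$acl.AddAccessRule($Rule::new($ownerRights, 'ReadAttributes',
    'ObjectInherit', 'InheritOnly', 'Allow'))

Set-Acl -Path $Path -AclObject $acl

# Share level: Change is enough to create files; the NTFS ACL does the narrowing.
New-SmbShare -Name $Share -Path $Path -FullAccess 'BUILTIN\Administrators' `
    -ChangeAccess $Group -FolderEnumerationMode AccessBased | Out-Null

# Review the resulting ACL before pointing the logging program at the share.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
```

To test it, log on as a member of the group and confirm that creating a new file succeeds while listing the folder and reopening, overwriting or deleting an existing log by name are all denied.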
 

