S 5.10 Restrictive granting of access rights

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Access rights to files stored on the hard disk of the network server must be granted restrictively. Every user must only be granted access rights to those files actually required to fulfil his or her tasks, and each right must in turn be restricted to the type of access required (e.g. read-only rather than read and write; see also S 2.5 Division of responsibilities and separation of functions, S 2.7 Granting of (system/network) access authorisations, and S 2.8 Granting of access rights). For example, write permission to program files is only very rarely necessary: a user who can write to a program file can replace the program that all other users execute.

In most systems, access rights granted on a directory are inherited by its subdirectories and the files in them, so a right granted on a superior directory carries over to everything below it. Consequently, rights at the highest level (volume level) must be granted very restrictively, because every right granted there propagates to the entire tree. When installing new software products, the granted rights must be re-checked in particular, since installation routines create directories and files whose rights may be broader than required.
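The re-check described above can be automated. The following script is an added example and not part of the BSI catalogue; it assumes a POSIX file server and uses the classic mode bits (owner/group/other, sticky bit) in place of the rights model of any particular network operating system. It flags directories that everyone may write to (rights that are then inherited by everything created below them) and program files that group or others may write to, and can strip exactly those bits. The sample volume it builds in a temporary directory, with its hypothetical paths such as apps/editor/editor.exe, is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Mode bits the audit treats as "broader than the task needs".
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_tree(root):
    """Walk the volume rooted at `root` and return a sorted list of
    (finding, path relative to root) pairs.

    Two checks, corresponding to the two rules in the text:
    - a directory writable by everyone (and not sticky) lets any user add,
      rename or delete entries, and everything created below it starts out
      under that directory's rights;
    - a program file (any executable) that group or others may write lets a
      user replace the program that everybody else executes.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                findings.append(("world-writable directory",
                                 os.path.relpath(path, root)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks, devices etc. are out of scope here
            if mode & ANY_EXEC and mode & GROUP_OR_OTHER_WRITE:
                findings.append(("writable program file",
                                 os.path.relpath(path, root)))
    return sorted(findings)


def harden_tree(root):
    """Remove exactly the write bits audit_tree() flagged.
    Returns the number of objects changed."""
    changed = 0
    for kind, rel in audit_tree(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if kind == "world-writable directory":
            os.chmod(path, mode & ~stat.S_IWOTH)
        else:
            os.chmod(path, mode & ~GROUP_OR_OTHER_WRITE)
        changed += 1
    return changed


def build_sample_volume():
    """Create a constructed sample volume in a temporary directory.

    Layout and rights are hypothetical; they mimic a server after a careless
    software installation: the editor's program file was left writable for
    everyone, and the top-level "shared" directory is world-writable, so
    that right is inherited by everything created inside it.
    """
    root = tempfile.mkdtemp(prefix="volume_")
    files = {
        "apps/editor/editor.exe": 0o777,   # program file, writable by all: wrong
        "apps/editor/README.txt": 0o644,   # data file, read-only for others: fine
        "data/reports/q1.txt": 0o660,      # group-writable data file: fine
        "shared/scratch/notes.txt": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    # Set directory modes explicitly so the result does not depend on umask.
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o755)
    os.chmod(os.path.join(root, "shared"), 0o777)              # too broad
    os.chmod(os.path.join(root, "shared", "scratch"), 0o1777)  # sticky: tolerated
    return root


if __name__ == "__main__":
    vol = build_sample_volume()
    for kind, rel in audit_tree(vol):
        print(f"{kind}: {rel}")
    print(f"hardened {harden_tree(vol)} objects; remaining: {audit_tree(vol)}")
```

Run against a real volume, audit_tree() is the list an administrator should work through after each software installation; harden_tree() is deliberately narrow and only removes the bits that were flagged, so that rights which were granted intentionally (such as a group-writable data directory) are left alone. A sticky world-writable directory is tolerated here because the sticky bit prevents users from deleting or renaming each other's files; whether such a scratch area is acceptable at all is a decision for the Administrator.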

If all PCs are equipped with floppy disk drives (or other removable media drives), particular importance must be attached to granting rights restrictively, because any file a user can read on the server can be copied to removable media and taken out of the organisation's control.

If the disk space on the network server is scarce, a limit on the maximum disk space each user may occupy on the server (a disk quota) can be configured.

Review questions: