20 years ago
Problem with SE 5.3 active quota & advanced reporting
Case scenario based on the customer environment:
18 servers with MS Windows Server 2003 EE (no SP1) in a clustered (MSCS and some EMC Geo-Clusters) environment where StorageExec 5.3 (SE) is implemented with Enterprise Administration Options and Advanced Reporting Options. All prerequisites for extending the AD schema and configuring SE for a clustered environment were fulfilled. Installation was performed under a special account with domain admin rights. The services, i.e. FileScreen Server and Quota Advisor Server, run under an account with domain admin rights. There are about 1400 users with home directories, plus special directories dedicated to each company department with a high number of users.
Due to the customer's internal security policy, only the user is the owner of his HOME directory, where he has full control rights, and no other account can be set up for this folder. And here is the stumbling block. SE can't apply the active quota on the home directory; only passive is used without the appropriate permission (LIST). Enhanced reporting from the affected directories doesn't work either (it requires the READ right). I know about a notice in the administration guide regarding rights on directories, but the customer's security policy is set that way.
So, to summarize, there are in fact two technical problems:
A) Active quota requires LIST permission for the account setting quotas - which is a security leak. This is not as bad as the next problem with reporting, because LIST permission does not allow real access to sensitive data and is required only for the administrator setting this quota - and that should be a trustworthy person… The real problem is with the philosophy of quota management. From our point of view, quota management software must be a tool of restriction, and Veritas SE is not one if a user can easily elude it by removing the permission from the ACL!
B) A worse situation from a security point of view is with enhanced reporting. For running ad hoc reports (wanted by all department managers) we have to grant them READ permission for all users' and departments' data, which cannot be done because of the security policy. The fact is that strong reporting capabilities were one of the major arguments for choosing SE - but it is now unusable!
What we can't understand is why typical backup software from various vendors (such as Backup Exec) is able to list objects in the console and back them up without any ACL rights to them (calling the specialized API for backups using the privilege "Backup and Restore files" - the funny thing is that it has to be granted to the SE services too), while SE isn't able to work the same way.
The next question is why the quota solution integrated in Windows 2003 (which we think is an OEM "light version" of Veritas SE) works well without special LIST permissions on data, but the full, paid version has this limitation?
So our questions are:
· Why is it required to have LIST permission on all data to set and run active quotas? Why does it not work like any other backup or quota management software?
· How can I enforce active quotas on users' data if they can easily disable them by removing rights from the ACL?
· Why must this nice reporting feature have READ permission - not applicable in a really secure environment?
· Is there any way to fulfil our customer's requirements via SE, based on the information above?
· Or is this functionality already in SE and we are just not able to configure it properly?
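
An ACL audit for the situation described in the post, as an added example that is not part of the original post or of Storage Exec: it lists home directories where the quota service account has no explicit Allow ACE for List, or where the ACL cannot be read at all. `D:\Home` and `EXAMPLE\svc-quota` are placeholder values (assumptions); only ACEs that name the account directly are checked, group membership is not resolved.

```powershell
# Added example: report home directories where the quota service account no
# longer holds an explicit Allow ACE granting List (ListDirectory).
# $HomeRoot and $ServiceAccount are placeholder values (assumptions).
param(
    [string]$HomeRoot       = 'D:\Home',
    [string]$ServiceAccount = 'EXAMPLE\svc-quota'
)

$List = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory

function Get-ListAceState {
    param([string]$Path, [string]$Account)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # The auditing account cannot even read the ACL: report it, do not skip it.
        return 'AclUnreadable'
    }
    $allow = 0
    $deny  = 0
    foreach ($ace in $acl.Access) {
        # Only ACEs naming the account directly; group membership is not resolved.
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # A Deny ACE wins over any Allow ACE for the same right.
    if ($deny -band $List)  { return 'ListDenied' }
    if ($allow -band $List) { return 'ListGranted' }
    return 'ListMissing'
}

# One row per home directory that the quota service account cannot list.
Get-ChildItem -LiteralPath $HomeRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            State = Get-ListAceState -Path $_.FullName -Account $ServiceAccount
        }
    } |
    Where-Object { $_.State -ne 'ListGranted' } |
    Sort-Object State, Path
```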