RE: File and email Security

From: Matthew.van.Eerde@hbinc.com
Date: 08/10/01


Message-ID: <A9F857A45F1DD511AB010002B321B5055E08A7@dns1.hbinc.com>
From: Matthew.van.Eerde@hbinc.com
To: focus-ms@securityfocus.com
Subject: RE: File and email Security
Date: Fri, 10 Aug 2001 11:07:04 -0700

Perhaps solving the problem in a simpler case will help.

Suppose it's only one file. Suppose further that it is an Excel file.

Have the CEO do a Save As... and put a password that only he knows on the
file. Have him write the password down on a piece of paper and seal it in
an envelope. Have him write on the outside of the envelope, "Password for
secure Excel file for XYZ company." Do this twice, so you have two
envelopes.

Go to the Controller and tell them to get safety deposit boxes at two banks
at opposite ends of town in the company's name. Instruct the bank that only
the CEO is to have access to them.

Have the CEO drive to both banks and put one envelope in each bank's box.

This way only the CEO will be able to access this file. If he gets hit by a
bus, the new CEO will be able to go to the bank and get access to the
password.

If he's in a bank and it gets blown up with him inside, the new CEO can go
to the other bank.

-----Original Message-----
From: Paul Smith [mailto:paul@pscs.co.uk]
Sent: Wednesday, August 08, 2001 12:43
To: Todd Schubert; focus-ms@securityfocus.com
Subject: Re: File and email Security

>I have an interesting problem that I am hoping someone out there can help me
>with. Basically what it boils down to is that we need to store files on our
>server and emails on our exchange server that only the CEO can access and
>that the network admins can't access without the CEO knowing. Permissions
>don't seem to be a solution because they can be changed by the admins and
>the logs can then be falsified to hide the changes. Has anyone encountered
>something similar to this or have any ideas on how to get around this??

You don't say what OS your file server is using... If you're using Windows
NT/2000 then the following applies:

I may be wrong here (but I don't think so) - if the CEO seizes 'ownership'
of the files and sets the permissions so that ONLY he can access them, the
only way an admin can access them is to seize ownership themselves, change
the permissions, access the files and change the permissions back again.
The admin can NOT (as far as I know) set the ownership back to a different
person (you can only 'take ownership' you can't 'give ownership'), so the
CEO will be able to tell that a particular admin has potentially looked at
the files.

This does not stop the admin accessing the files, but it does mean he's in
trouble afterwards... The only way to stop the admin accessing the files is
to keep the files off the server...

(If you think about it, an administrator SHOULD be able to access the files
somehow - what happens if the CEO gets run over by a bus and the files
contain critical information, the replacement CEO needs to have access to
them so an administrator needs to be able to transfer them to the new CEO)

Paul VPOP3 - Internet Email Server/Gateway
paul@pscs.co.uk http://www.pscs.co.uk/
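
The ownership check discussed in the quoted message, as an added example that is not part of either original post: a PowerShell audit that reports every file whose owner is not the expected account or whose ACL grants access to anyone else. The folder path and the account name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run it as the account that is
# supposed to be the sole owner, so that it can read every ACL.
param(
    [string]$Path          = 'D:\Confidential',  # hypothetical folder
    [string]$ExpectedOwner = 'CORP\ceo'          # hypothetical account
)

function Test-ExclusiveAccess {
    param([string]$Path, [string]$ExpectedOwner)

    # Check the folder itself as well as everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl      = Get-Acl -LiteralPath $item.FullName
        $findings = @()

        # A changed owner is the trace the quoted message relies on.
        if ($acl.Owner -ne $ExpectedOwner) {
            $findings += "owner is '$($acl.Owner)'"
        }

        # Any Allow entry for another identity means the file is no
        # longer restricted to the expected account.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -ne $ExpectedOwner) {
                $findings += "allow entry for '$($ace.IdentityReference.Value)' " +
                             "($($ace.FileSystemRights))"
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                File     = $item.FullName
                Findings = $findings -join '; '
            }
        }
    }
}

Test-ExclusiveAccess -Path $Path -ExpectedOwner $ExpectedOwner |
    Format-Table -AutoSize -Wrap
```

A clean report shows only the current state of owner and ACL; it does not show whether they were changed and later put back.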


