RE: File and email Security

From: Bartel, Matt (Matt.Bartel@qg.com)
Date: 08/10/01


Message-ID: <FDFB62A695DDD411ACD7000102CCA030D2DC4A@sxexch1.qgraph.com>
From: "Bartel, Matt" <Matt.Bartel@qg.com>
To: 'Paul Smith' <paul@pscs.co.uk>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
Subject: RE: File and email Security
Date: Fri, 10 Aug 2001 14:10:31 -0500


I'm not so sure I'd rely on this method of "catching" the offending
admin...after all, they can just reset someone's password, login with their
account, take ownership of the needed files, view the files and logoff.
Then, the CEO would login, see that this user had taken ownership and a
confrontation would ensue that would lead to the innocent user telling the
CEO that he was locked out of his account (if he were a smart user), so he
had to call the helpdesk to have it changed; or, more likely (since the CEO
is this paranoid about only *him* being able to see his files) the CEO would
probably not believe the user. In either case, the admin gets away with it.

Just so you didn't implement this policy without seeing this possible
caveat...
-Matt

-----Original Message-----
From: Paul Smith [mailto:paul@pscs.co.uk]
Sent: Wednesday, August 08, 2001 2:43 PM
To: Todd Schubert; focus-ms@securityfocus.com
Subject: Re: File and email Security

>I have an interesting problem that I am hoping someone out there can help
me
>with. Basically what it boils down to is that we need to store files on
our
>server and emails on our exchange server that only the CEO can access and
>that the network admins can't access without the CEO knowing. Permissions
>don't seem to be a solution because they can be changed by the admins and
>the logs can then be falsified to hide the changes. Has anyone encoutered
>something similiar to this or have any ideas on how to get around this??

You don't say what OS your file server is using... If you're using Windows
NT/2000 then the following applies:

I may be wrong here (but I don't think so) - if the CEO seizes 'ownership'
of the files and sets the permissions so that ONLY he can access them, the
only way an admin can access them is to seize ownership themselves, change
the permissions, access the files and change the permissions back again.
The admin can NOT (as far as I know) set the ownership back to a different
person (you can only 'take ownership' you can't 'give ownership'), so the
CEO will be able to tell that a particular admin has potentially looked at
the files.

This does not stop the admin accessing the files, but it does mean he's in
trouble afterwards... The only way to stop the admin accessing the files is
to keep the files off the server...

(If you think about it, an administrator SHOULD be able to access the files
somehow - what happens if the CEO gets run over by a bus and the files
contain critical information, the replacement CEO needs to have access to
them so an administrator needs to be able to transfer them to the new CEO)

Paul VPOP3 - Internet Email Server/Gateway
paul@pscs.co.uk http://www.pscs.co.uk/



Relevant Pages

  • Re: File and email Security
    ... Subject: File and email Security ... Think about ownership also, ... > the CEO can access and that the network admins can't access without ... Permissions don't seem to be a solution because they ...
    (Focus-Microsoft)
  • Re: deleting users my document folders after disabling redirection
    ... There used to be a question on the old NT FAQ site: I set the permissions ... changing ownership is a right that could be taken away from certain ... Logging in as administrator and following your directions I still ... Why would my system admin account be restricted? ...
    (microsoft.public.windows.server.sbs)
  • Re: stupid mistake
    ... If you take ownership of the folder, which you should be able to do as the ... you will have the rights to redo the permissions. ... > admin or as an IT Admin. ...
    (microsoft.public.win2000.security)
  • RE: File and email Security
    ... Subject: File and email Security ... Chown.exe can be used to change ownership of files and apply it to anyone ... >only way an admin can access them is to seize ownership themselves, ... >the permissions, access the files and change the permissions back again. ...
    (Focus-Microsoft)
  • RE: File and email Security
    ... Subject: File and email Security ... Instruct the bank that only ... The admin can NOT set the ownership back to a different ...
    (Focus-Microsoft)