Re: File and email Security

From: Derek D. Martin (ddm@mclinux.com)
Date: 08/10/01


Date: Fri, 10 Aug 2001 17:03:12 -0400
From: "Derek D. Martin" <ddm@mclinux.com>
To: Todd Schubert <tschubert@jorycapital.com>
Subject: Re: File and email Security
Message-ID: <20010810170311.J13041@mclinux.com>

Todd Schubert said:

> A couple things to add to my original post....
>
> 1. Email and file server operating systems are NT 4.0 sp6
> 2. Mail server is exchange
> 3. This is not a trust issue. This is a legal/contractual issue between our
> company and another company. Access to the files and emails must be very
> limited. The CEO has no problems trusting me but he has his hands kind of
> tied due to the legalities of the situation. There are also outsourced tech
> people who have admin access to parts of the system although they do not
> have physical access without internal people present. The CEO understands
> that I have to administer the network and will be able to get through
> anything I put up to safeguard the files. The issue is that the company
> must be seen as doing everything possible to ensure that the files and
> emails are confidential.

Regardless of your contracts, it really is a trust issue. The system
administration team must, in order to do their jobs, have access to
any and all the data which they manage for your company. It's
basically impossible to partition off data which exists on any machine
your admin team administers such that they can't get at it. They need
access to the data in order to do their job, which includes (but is
not limited to) backing up the data, examining the data if it does not
play nice with your application so they can see what is causing the
problem, distributing your data to another person in the event you
leave the company, protecting your data from others who should not
have access to it, etc.

Because of this, your admins will have physical access to the data.
Having that access, they basically have access to every aspect of your
company, and if they want to screw you over, it will probably be
pretty easy for them to do it. If they have physical access, there's
usually very little you can do to keep them from getting their hands
on the data, and if they really want to they'll usually figure out a
way to make a copy of it without anyone knowing about it (such as
copying a raw disk partition, or making a complete copy of the hard
disk, etc). This can be done during "off hours" while the machine is
down for "regularly scheduled maintenance" or at other opportune
times, when they have legitimate reason to both have unrestricted
access to the machine and have no one around to watch over them.

You must therefore hire system administrators that you trust
absolutely. If you can do that, then you can exclude them from access
to your data as a matter of policy, rather than by physical or
software limitations, and that should be sufficient. And if it isn't,
then it doesn't matter anyway, because if they want your data, they'll
get it. Period.

About the only thing you can do in this case is force both sides to
use encryption when sharing their data. This is pretty good
protection, but still not 100% though... If your CEO is not careful
about managing his keys, or the machine on which he reads this mail is
not properly secured (yes, from your system administrators), then a
clever admin (or other person with physical or remote access) may
still potentially be able to get at the data by, for example, stealing
his key (assuming they can get or crack his passphrase, assuming he
uses one), or by copying the document from the memory in his computer,
etc.

You could also have him use a different mail server which only he has
any access whatsoever to, which is in a locked room, on a network
segment which is completely separate from the one the admin team uses
(so as to prevent them from sniffing the documents off the wire),
which of course means that your CEO will need to become a capable
system administrator.

Additionally, by attempting to partition data off from your admins,
you're making it easy for them to feel alienated and untrusted. This
is probably a BAD thing to do to people who basically already have
unlimited access to every aspect of your company...

-- 
Derek Martin
Senior System Administrator
Mission Critical Linux
martin@MissionCriticalLinux.com
