RE: File and email Security

From: Sobie David (David.Sobie@sbt.siemens.com)
Date: 08/14/01


Message-ID: <E5DDC0AC08E7D4119B7C00508B91BF49101CB2@usbgrexch11.us.abatos.com>
From: Sobie David <David.Sobie@sbt.siemens.com>
To: 'Ton Geurts' <geurts@vanveen.nl>, Paul Smith <paul@pscs.co.uk>, Todd Schubert <tschubert@jorycapital.com>, focus-ms@securityfocus.com
Subject: RE: File and email Security
Date: Tue, 14 Aug 2001 09:08:56 -0500

Chown.exe can be used to change ownership of files and apply it to anyone
you want.

http://wwwthep.physik.uni-mainz.de/~frink/chown/readme.html

This is the link to the Readme file. The link to the download is at the top.

-----Original Message-----
From: Ton Geurts [mailto:geurts@vanveen.nl]
Sent: Sunday, August 12, 2001 5:21 AM
To: Paul Smith; Todd Schubert; focus-ms@securityfocus.com
Subject: Re: File and email Security

Hi Paul,

>I may be wrong here (but I don't think so) - if the CEO seizes 'ownership'
>of the files and sets the permissions so that ONLY he can access them, the
>only way an admin can access them is to seize ownership themselves, change
>the permissions, access the files and change the permissions back again.
>The admin can NOT (as far as I know) set the ownership back to a different
>person (you can only 'take ownership' you can't 'give ownership'), so the
>CEO will be able to tell that a particular admin has potentially looked at
>the files.
>
>This does not stop the admin accessing the files, but it does mean he's in
>trouble afterwards... The only way to stop the admin accessing the files
>is to keep the files off the server...
>
>(If you think about it, an administrator SHOULD be able to access the
>files somehow - what happens if the CEO gets run over by a bus and the
>files contain critical information, the replacement CEO needs to have
>access to them so an administrator needs to be able to transfer them to
>the new CEO)

Your continuity problem can be very easily resolved. When the CEO gets
run over by a bus, reset his password. And the replacement CEO can use his
account.
The alternative is to put the CEO's password in a closed envelope in the
vault. Which is probably good practice when you use encryption like PGP.

GRTNX from a sunny beach,
Ton.
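
Added example, not part of the original thread: the quoted message treats a changed file owner as the sign that an admin took ownership, so this PowerShell sketch records owners and reports any that differ from a saved baseline. The function names, paths and account names are hypothetical, and the sample records are constructed.

```powershell
# Added example, not from the thread. Paths and account names are constructed.
function Get-OwnerRecord {
    # Walk a directory tree and record the NTFS owner of every file.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
            } catch {
                $owner = 'UNREADABLE'   # caller lacks permission to read the ACL
            }
            [pscustomobject]@{ Path = $_.FullName; Owner = $owner }
        }
}

function Compare-OwnerRecord {
    # Report files whose owner differs from the baseline, plus files not in it.
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b.Owner }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Path)) {
            [pscustomobject]@{ Path = $c.Path; Was = '(not in baseline)'; Now = $c.Owner }
        } elseif ($known[$c.Path] -ne $c.Owner) {
            [pscustomobject]@{ Path = $c.Path; Was = $known[$c.Path]; Now = $c.Owner }
        }
    }
}

# Constructed sample data standing in for a saved baseline and a later scan.
$baseline = @(
    [pscustomobject]@{ Path = 'D:\Exec\board.doc';  Owner = 'CORP\ceo' }
    [pscustomobject]@{ Path = 'D:\Exec\salary.xls'; Owner = 'CORP\ceo' }
)
$current = @(
    [pscustomobject]@{ Path = 'D:\Exec\board.doc';  Owner = 'CORP\ceo' }
    [pscustomobject]@{ Path = 'D:\Exec\salary.xls'; Owner = 'BUILTIN\Administrators' }
)
Compare-OwnerRecord -Baseline $baseline -Current $current | Format-Table -AutoSize

# Real use: save (Get-OwnerRecord -Root <folder>) with Export-Csv, then later
# compare a fresh Get-OwnerRecord run against the file loaded with Import-Csv.
```

A comparison like this only sees the owner at scan time; an owner that was changed and then set back between scans, which the chown tool mentioned in the reply makes possible, will not show up.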


