RE: Controlling Admin Access
From: Michael Bitow (mbitow_at_GuardianCapital.com)
Date: 02/02/04
- Previous message: Harlan Carvey: "Re: Controlling Admin Access"
- Maybe in reply to: Michael Cox: "Controlling Admin Access"
- Next in thread: Kevan Smith: "RE: Controlling Admin Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 2 Feb 2004 11:47:08 -0500 To: <focus-ms@securityfocus.com>
Hi,
You can controll access by individual as well as group. In the example
you give of an executives file storage, it may be a good idea to only
allow the exec and maybe a trusted top admin person access to the folder
and sub-folders. If you wanted, you could also turn on auditing for
said folders and files, which will do a log entry for any and all
access, authorized or not.
The super paranoid would probably limit access by individual user, turn
on all auditing, and then PGP the data.
Hope this helps
Also Michael
-----Original Message-----
From: Michael Cox [mailto:mscox42@yahoo.com]
Sent: Friday, January 30, 2004 2:56 PM
To: focus-ms@securityfocus.com
Subject: Controlling Admin Access
I'd like to solicit the group's input on the
following.
Domain administrators, by definition, are going to
have complete access to member computers.
Is anyone doing anything to mitigate the potential
risks involved with access to, say, an executive's
computer which could have very sensitive data on it
(mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what
is available in the Windows world as I'm not as
familiar with that.
Even if something like object level auditing was
enabled and the logs sent to a remote host, couldn't
the admin, as a first step, disable this logging?
Please answer both 1) what is possible, and 2) what is
your organization or other organizations you know of
doing about this (if anything).
Many thanks in advance!
Michael
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Harlan Carvey: "Re: Controlling Admin Access"
- Maybe in reply to: Michael Cox: "Controlling Admin Access"
- Next in thread: Kevan Smith: "RE: Controlling Admin Access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
