RE: Controlling Admin Access
From: Kevan Smith (Kevan.Smith_at_tideworks.com)
Date: 02/02/04
- Previous message: Michael Bitow: "RE: Controlling Admin Access"
- Maybe in reply to: Michael Cox: "Controlling Admin Access"
- Next in thread: Randhir Vayalambrone: "Re: Controlling Admin Access"
Date: Mon, 2 Feb 2004 10:16:42 -0800
To: "Michael Cox" <mscox42@yahoo.com>, <focus-ms@securityfocus.com>
Michael,
Your opening statement is absolutely correct and pretty well sums up
file access control within the domain. By definition, domain admins do
have complete control over all systems and files in the domain. I've
seen plenty of situations where users attempt to remove these
permissions to sensitive files. While this can be done, it is both
counterproductive and ineffective.
For instance, sensitive files still need to be backed up, and most
enterprise backup tools like to run as a domain admin (though this is
more a convenience factor than anything else). As such, remove Read
perms for 'Domain Admins', and your files can no longer be backed up,
nor restored if lost. The same principle holds true for other types of
file management, such as virus scanning, folder restructuring, DR
replication, etc.
Also, since Domain Admins still have the right to take ownership of any
file in the domain, it's a simple matter for the admin to regain access
to any file that's had its ACL messed with.
Bottom line on your question 1: somebody in the organization has to be
entrusted with the responsibility to manage all the files in his or her
domain, and that is the domain admin. However, while these admins must
by necessity be able to read all files in the domain, they don't
necessarily need to be able to make sense of the content of those files,
which is where encryption comes into play.
So, for question 2, encryption. While W2K does provide EFS to encrypt
files and folders, and this has its place, if you're explicitly trying
to restrict access to your domain admins, I don't suggest it. W2K
provides recovery agents (the domain 'Administrator' account by
default), as a backup in case the user loses their private key. If the
file's too sensitive to allow for a recovery agent, you're better off
using PGP and storing the private key on a couple of disks locked in
separate safety deposit boxes in separate secure locations to protect
from loss due to fire or theft.
As for what I do, in the userdata folder, for each user I create a
plainly marked Public folder, and another Private folder, and make it
clear that anything in Public is readily accessible to others in the
user's department, and the Private folder is accessible only to the user
and domain admins, setting the DACLs accordingly (non-domain admins have
at most 'Change' perms).
In the infrequent case where I find we accidentally set up the user with
Full Control over a file/folder, and they use it to restrict access to
domain admins, I correct the issue and send them a brief message
explaining why domain admins must maintain access to all files and how
to install/use PGP to encrypt their files if they need more control.
Others may do it differently, but this has worked well for us.
Kevan Smith
Windows Technology Engineer
Tideworks Technology
MCSE (NT/2K), MCP+I, A+, ACT
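The Public/Private layout and the domain-admin access check Kevan describes, as an added PowerShell example that is not part of the original post. The share path, the domain name and the department-group naming are assumptions.

```powershell
# Added example, not code from the original post. Builds the Public/Private layout
# described above and audits existing Private folders for a missing 'Domain Admins'
# ACE. $UserData, $Domain and the department-group naming are assumptions.
$UserData = 'D:\userdata'     # assumed share root, one subfolder per user
$Domain   = 'CORP'            # assumed NetBIOS domain name
$Admins   = "$Domain\Domain Admins"
$FC       = [System.Security.AccessControl.FileSystemRights]::FullControl
$Inherit  = 'ContainerInherit,ObjectInherit'

function New-Ace($Identity, $Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# Create Public and Private for one user; non-admins get at most Modify ('Change'),
# so the user cannot strip Domain Admins from the DACL.
function New-UserFolders($User, $DeptGroup) {
    foreach ($name in 'Public', 'Private') {
        $path = Join-Path (Join-Path $UserData $User) $name
        New-Item -ItemType Directory -Path $path -Force | Out-Null
        $acl = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs, start clean
        $acl.AddAccessRule((New-Ace $Admins $FC))
        $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $FC))
        $acl.AddAccessRule((New-Ace "$Domain\$User" 'Modify'))
        if ($name -eq 'Public') {   # department colleagues can read Public only
            $acl.AddAccessRule((New-Ace "$Domain\$DeptGroup" 'ReadAndExecute'))
        }
        Set-Acl -Path $path -AclObject $acl
    }
}

# Report Private folders whose DACL no longer grants Domain Admins Full Control
# (the case where a user with Full Control locked the admins out).
function Test-PrivateFolders {
    foreach ($dir in Get-ChildItem -Path $UserData -Directory) {
        $private = Join-Path $dir.FullName 'Private'
        if (-not (Test-Path $private)) { continue }
        try { $acl = Get-Acl -Path $private -ErrorAction Stop }
        catch {
            # Even Read was removed: take ownership first (Domain Admins keep that right).
            Write-Warning "$private : cannot read DACL, take ownership to recover"; continue
        }
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Admins -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $FC) -eq $FC }
        if (-not $ok) { Write-Warning "$private : '$Admins' lacks Full Control" }
    }
}
```

Run Test-PrivateFolders on a schedule from an admin session; a folder that cannot even be read is the backup-breaking case, recoverable because Domain Admins retain the take-ownership right.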
-----Original Message-----
From: Michael Cox [mailto:mscox42@yahoo.com]
Sent: Friday, January 30, 2004 11:56 AM
To: focus-ms@securityfocus.com
Subject: Controlling Admin Access
I'd like to solicit the group's input on the following.
Domain administrators, by definition, are going to have complete access
to member computers.
Is anyone doing anything to mitigate the potential risks involved with
access to, say, an executive's computer which could have very sensitive
data on it (mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what is available in
the Windows world as I'm not as familiar with that.
Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?
Please answer both 1) what is possible, and 2) what is your organization
or other organizations you know of doing about this (if anything).
Many thanks in advance!
Michael