RE: Directory Security
From: Robert Clark (rclark@texascellular.com)
Date: 10/01/01
- Previous message: R.H. Cotterell: "RE: outlook 2002 is a security freak"
- In reply to: Jean-François Asselin: "RE: Directory Security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Robert Clark" <rclark@texascellular.com>
To: Jean-François Asselin <jfasselin@micrologic.ca>, "Nicholas & Anthony McKenzie" <themac@iinet.net.au>, "Security Basics" <SECURITY-BASICS@SECURITYFOCUS.COM>
Subject: RE: Directory Security
Date: Mon, 1 Oct 2001 15:14:19 -0500
Message-ID: <OJEEKHIMGANDCKDDIFILKEKMCCAA.rclark@texascellular.com>
What's wrong with having one or two trusted admins, and giving support
personnel Power User or less status? Then they can't change anything without
the permission of the Admin.
-----Original Message-----
From: Jean-François Asselin [mailto:jfasselin@micrologic.ca]
Sent: Monday, October 01, 2001 8:13 AM
To: Nicholas & Anthony McKenzie; Security Basics
Subject: RE: Directory Security
> -----Original Message-----
> From: Nicholas & Anthony McKenzie [mailto:themac@iinet.net.au]
> Sent: Thursday, September 27, 2001 10:52 PM
> To: Security Basics
> Subject: Re: Directory Security
> Situation: Directors, CEO, and General Managers don't want
> people accessing files within their own personal home
> directories that contain confidential material such as staff
> salaries, budgets, pay reviews etc.
> Is it possible to (once created) NOT to allow administrative
> access or access to any group of admins to a home directory
> of a CEO/Director etc that contains such classified
> information? i.e. put a block on all people except the owner.
No. Admins can always take ownership and then change permissions.
> PS: and putting aside password protecting/encrypting files.
Sorry, but you mentioned your own solution in your own restrictions. You
could use EFS and remove the recovery certificate from the certificate
store, put it on a floppy, which would be kept in a secure place out of
reach of admins.
You can also enable auditing, so that anyone accessing the files would
be known, but a crafty admin could always disable auditing before doing
it... Still, there would be traces of that.
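
Added example, not part of the original messages: a log review that looks for the traces mentioned above, namely a window in which file-system auditing was switched off, a permission change on the protected directory, and access by anyone other than the owner. The event IDs are the current Windows Security log IDs (not named in the thread); the tuple layout, user names, paths and sample events are constructed for illustration.

```python
from datetime import datetime

# Current Windows Security log event IDs (an assumption; the thread names none).
AUDIT_POLICY_CHANGED, LOG_CLEARED = 4719, 1102
PERMISSIONS_CHANGED, OBJECT_ACCESS = 4670, 4663

# Constructed sample events, as if exported to (time, id, user, detail).
SAMPLE = [
    ("2001-10-01 09:00", 4663, "ceo", r"D:\Home\ceo\salaries.xls"),
    ("2001-10-01 22:10", 4719, "admin2", "File System: Success removed"),
    ("2001-10-01 22:25", 4719, "admin2", "File System: Success added"),
    ("2001-10-01 22:40", 4670, "admin2", r"D:\Home\ceo"),
    ("2001-10-02 08:00", 4663, "admin2", r"D:\Home\ceo\salaries.xls"),
]

def under(path, root):
    """True if path is root itself or lies below it (case-insensitive)."""
    path, root = path.lower(), root.lower()
    return path == root or path.startswith(root + "\\")

def review(events, protected, owner):
    """Return findings in time order for one protected directory."""
    findings, blind = [], None          # blind = (start time, user) or None
    for stamp, event_id, user, detail in sorted(events):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if event_id == LOG_CLEARED:
            findings.append(("log-cleared", user, stamp))
        elif event_id == AUDIT_POLICY_CHANGED and "removed" in detail:
            blind = blind or (when, user)   # auditing switched off
        elif event_id == AUDIT_POLICY_CHANGED and "added" in detail and blind:
            minutes = int((when - blind[0]).total_seconds() // 60)
            findings.append(("blind-window", blind[1], minutes))
            blind = None
        elif event_id == PERMISSIONS_CHANGED and under(detail, protected):
            findings.append(("acl-changed", user, detail))
        elif event_id == OBJECT_ACCESS and under(detail, protected):
            if user != owner:
                findings.append(("non-owner-access", user, detail))
    if blind:                           # auditing never switched back on
        findings.append(("blind-window-open", blind[1],
                         blind[0].strftime("%Y-%m-%d %H:%M")))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE, r"D:\Home\ceo", "ceo"):
        print(finding)
```

Accesses made during a blind window produce no object-access events at all, so the window itself, with the account that opened it, is the finding to follow up.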