Re: denying access to the Administrator

From: - AJS (A)
Date: 04/15/03


From: "- AJS" <A Smith at window products dott com>
Date: Mon, 14 Apr 2003 16:55:00 -0700


"Aidee Roman" <Aroman1432@nyc.rr.com> wrote in message
news:NO96a.40200$ma2.11684597@twister.nyc.rr.com...
> Or we can go with simply renaming the Windows NT/2000 admin account in the
> regkeys.

Not in a Domain. The local admin account is not required to read files. A
person with Admin rights to your network can circumvent any OS-based
security feature you throw at him except File Encryption. He can sniff your
passwords and crack them; he can copy the SAM and crack it. He can just
change your password and then use it to log in as you, if he doesn't already
have it stored in a file somewhere.

> > > I have a genuine reason for my request. The person at my place of
> > > work who generally controls the administrator account has taken to
> > > snooping around in other users' private files and I would like to put
> > > a stop to this.

The bottom line is that if you can't trust your admin, you are in deep, deep
water.

Fire the guy. Seriously, don't mess around with this. An ethically
challenged admin is an ugly, scary thing.

Enable logging, collect the proof, and get the results to someone that
matters. This is a very serious breach of trust. The first thing I teach my
admins: "Any abuse like this and they are on the street. No excuses."

- AJS

Note: I use the pronoun 'he' as a generic reference. I intend no offence or
inference, but merely to write a sentence that doesn't jar the reader. If
you can pony up a gender neutral pronoun that works exactly the way '(s)he'
doesn't, I will be happy to try it out.
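
Added example, not part of the original post: one way to follow the "enable logging, collect the proof" advice on a current Windows file server, by auditing reads of a single folder and exporting the resulting Security-log events. The folder path, the audited principal and the output file name are placeholders, and the script assumes an elevated PowerShell session on the machine that hosts the files.

```powershell
# Added example (not from the original post). Placeholders are marked.
$Path    = 'D:\Users\jdoe\Private'   # hypothetical folder to watch
$Watched = 'Everyone'                # audit every principal, admins included
$OutFile = '.\private-folder-access.csv'   # hypothetical evidence file

# 1. Turn on the "File System" object-access audit subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) so reads of the folder and everything
#    beneath it generate Security-log events.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Watched,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit     # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Later: extract who accessed objects under the folder (event 4663,
#    "An attempt was made to access an object").
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
    ForEach-Object {
        $evt = $_
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Process = $d.ProcessName
            }
        }
    } | Export-Csv -NoTypeInformation -Path $OutFile
```

Because an administrator can clear or alter the local Security log, the events only count as proof if they are also forwarded to a collector that the person under suspicion does not administer.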
