Re: Win2K / Netware networking question
From: Nick (Nick@dev.null)
Date: 02/07/03
- Next message: Barry Margolin: "Re: DOD 5200.28-STD capable OS?"
- Previous message: Don Kelloway: "Re: Tracking Down People and Businesses"
- In reply to: Yechiel Levin: "Re: Win2K / Netware networking question"
- Next in thread: Yechiel Levin: "Re: Win2K / Netware networking question"
- Reply: Yechiel Levin: "Re: Win2K / Netware networking question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Nick <Nick@dev.null> Date: Thu, 6 Feb 2003 23:15:53 +0000
In article <763bdc07.0302060240.5bd4d603@posting.google.com>, Yechiel
Levin <ylevin@mamash.com> writes
>First of all, we're ("we" is the Data Security group, btw) not
>interested in "hiding" parts of the network from the admins. The
>admins will have full knowledge of the existence of these machines.
>What we don't want is for the admins to have any access to the
>sensitive files on these machines. There is plenty of precedent for
>this. In every company I've worked at (as a sysadmin, mind you), the
>admins have not had any access to payroll information, for example.
The same thing happens at my place. We don't have access to HR or
Payroll, but it is done by the admins working *with* those departments
and showing the managers there how to see exactly who has access to what
files. That way they know that we can't see their files, but we still
have the overall control and can give ourselves access with suitable
permission should an emergency occur (like someone deleting a load of
stuff or losing passwords, etc.). There are policies and procedures in
place that should work without running the risk of cutting parts of the
network off from those that *should* be responsible for managing it.
However, if you use NDS, you can still do it by creating a container
that contains the servers and creating an admin for that container and
blocking the access to the other admins. Mind you, you would need the
rights in NDS to do it, and if I was ever asked to do that (and I
consider it dangerous) I'd probably create a backdoor anyway that I'd
hopefully never need. If you don't use NDS on those servers, any remote
control would give the admins the rights of whoever was logged in to the
machine and they could see whatever the logged in user could see. In
that case, you should insist that remote control is user initiated
rather than admin initiated so they never could be controlled without
your knowledge.
They couldn't log on to the machines if they didn't know any local
accounts and didn't use remote control, but since you said ZEN was in
use, chances are the accounts are created by ZEN, in which case, again,
they could log on using their Netware accounts, where they will (or rather
should) have admin rights to the workstation.
Your best bet is to get the powers that be to insist that the admins
remove their rights to see the files (if indeed they can) whilst
retaining the ability to add themselves back. Then you check who has
rights to the files periodically and instigate a policy that they have
to adhere to regarding access to sensitive information.
Finally, are we talking Win2k servers or workstations? Where is the data
stored, and who backs it up? If it's the admins, they have access to all
your data on tape anyway without anyone ever finding out if they
accessed it. You would need to back up your own files using your own tape
drives.
HTH
-- Nick
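One way to do the periodic "who has rights to the files" check the post recommends, as an added example that is not part of the original post (modern PowerShell on the Windows side; the folder paths, the allowed principals and the admin group names are placeholder assumptions):

```powershell
# Added example (not from the original post): audit the ACLs on sensitive
# folders and flag entries that policy says should not be there.
# Assumptions (placeholders): the paths, the principals policy allows, and
# the admin groups the Data Security group wants to watch.
$SensitivePaths    = @('D:\Payroll', 'D:\HR')
$AllowedPrincipals = @('DOMAIN\Payroll-Users', 'DOMAIN\HR-Managers', 'NT AUTHORITY\SYSTEM')
$WatchGroups       = @('BUILTIN\Administrators', 'DOMAIN\Domain Admins')

function Get-SensitiveAclReport {
    param([string[]]$Paths, [string[]]$Allowed, [string[]]$Watch)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Missing folder: $path"
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            # Classify each ACE; an admin group with any access is the finding
            # the post is about, an unknown principal is the next most urgent.
            if ($Watch -contains $who)           { $finding = 'ADMIN-GROUP-HAS-ACCESS' }
            elseif ($Allowed -notcontains $who)  { $finding = 'UNEXPECTED-PRINCIPAL' }
            elseif ($ace.IsInherited)            { $finding = 'INHERITED-FROM-PARENT' }
            else                                 { $finding = 'OK' }
            [pscustomobject]@{
                Path      = $path
                Owner     = $acl.Owner          # owner can rewrite the ACL at will
                Principal = $who
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Finding   = $finding
            }
        }
    }
}

$report = Get-SensitiveAclReport -Paths $SensitivePaths -Allowed $AllowedPrincipals -Watch $WatchGroups
$report | Format-Table -AutoSize
# Hand anything that is not 'OK' to the managers who own the data; keep the
# CSV so successive runs can be compared for changes.
$report | Where-Object { $_.Finding -ne 'OK' } |
    Export-Csv -NoTypeInformation -Path 'acl-findings.csv'
```

The report only shows the ACL as it stands: an admin who can take ownership, or who holds the backup right the post mentions, can still reach the data, so the schedule and the "add themselves back only with permission" policy matter as much as the entries themselves.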