Re: Win2K / Netware networking question

From: Yechiel Levin (ylevin@mamash.com)
Date: 02/09/03

    From: ylevin@mamash.com (Yechiel Levin)
    Date: 9 Feb 2003 01:43:10 -0800
    
    

    See comments inline.

    Nick <Nick@dev.null> wrote in message news:<F4kxuPApyuQ+Ewim@greenhse.demon.co.uk>...
    >
    > The same thing happens at my place. We don't have access to HR or
    > Payroll but it is done by the admins working *with* those departments
    > and showing the managers there how to see exactly who has access to what
    > files. That way they know that we can't see their files, but we still
    > have the overall control and can give ourselves access with suitable
    > permission should an emergency occur (like someone deleting a load of
    > stuff or losing passwords etc). There are policies and procedures in
    > place that should work without running the risk of cutting parts of the
    > network off from those that *should* be responsible for managing it.

    Here's the thing: We want this small network to be autonomous, and we
    are taking administrative responsibility for it (see below). The
    users are not employees of the company, but outside researchers. The
    only corporate data that gets onto these machines is provided solely
    by us, and the only corporate data to be released from these machines,
    via any medium, can be released only by us.

    > However, if you use NDS, you can still do it by creating a container
    > that contains the servers and creating an admin for that container and
    > blocking the access to the other admins. Mind you, you would need the
    > rights in NDS to do it, and if I was ever asked to do that (and I
    > consider it dangerous) I'd probably create a backdoor anyway that I'd
    > hopefully never need. If you don't use NDS on those servers, any remote
    > control would give the admins the rights of whoever was logged in to the
    > machine and they could see whatever the logged in user could see. In
    > that case, you should insist that remote control is user initiated
    > rather than admin initiated so they never could be controlled without
    > your knowledge.

    1. We do use NDS, but our unit doesn't have the rights to do the kinds
    of things you're talking about.

    2. This mini-network contains no "servers", nor are we interested in
    it doing so.

    3. In the regular Novell NDS environment, is it possible to configure
    the Remote Control app to be exclusively user-initiated?

    > They couldn't log on to the machines if they didn't know any local
    > accounts and didn't use remote control, but since you said ZEN was in
    > use, chances are the accounts are created by ZEN in which case, again
    > they could log on using their Netware accounts where they will (or rather
    > should) have admin rights to the workstation.
    >
    > Your best bet is to get the powers that be to insist that the admins
    > remove their rights to see the files (if indeed they can) whilst
    > retaining the ability to add themselves back. Then you check who has
    > rights to the files periodically and instigate a policy that they have
    > to adhere to regarding access to sensitive information.
    >
    > Finally, are we talking Win2k servers or workstations? Where is the data
    > stored, who backs it up? If it's the admins, they have access to all
    > your data on tape anyway without anyone ever finding out if they
    > accessed it. You would need to backup your own files using your own tape
    > drives.

    Win2K Workstations. The data is stored on the two
    not-otherwise-connected workstations, while the third (which doubles
    as a regular Novell-networked workstation, see original post) is used
    to input and output data from the first two, as well as to back them
    up (a tape drive will be installed in it). We alone will have access
    to the backups.

    Hope that answers your questions.
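Nick's suggestion of periodically checking who has rights to the files, written out as an added example that is not from either poster: a PowerShell audit that lists file ACEs and local Administrators members not on an allowlist, so that rights quietly added back show up in the next report. It assumes a current Windows PowerShell 5.1 host (the thread's Win2K workstations predate it), and the data path, audit path, machine name and group names are hypothetical.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1
# (Get-LocalGroupMember) on a standalone workstation using local accounts.
$DataPath  = 'D:\ResearchData'      # hypothetical location of the research data
$AuditPath = 'D:\Audit'             # hypothetical location for dated reports

# Identities the unit has agreed may hold rights; anything else is flagged.
$AllowedFileIdentities = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                           'RESEARCH-WS1\ResearchUnit')
$AllowedLocalAdmins    = @('RESEARCH-WS1\Administrator', 'RESEARCH-WS1\ResearchUnit')

function Get-UnexpectedFileAccess {
    param([string]$Path, [string[]]$Allowed)
    # Include the root folder itself; Get-ChildItem only returns what is beneath it.
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -Path $item.FullName
        foreach ($ace in $acl.Access) {
            # Report every Allow ACE (inherited or explicit) for an identity not on the list.
            if ($ace.AccessControlType -eq 'Allow' -and
                $Allowed -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Item     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed)
    # A Netware/domain account appearing here is exactly what the thread worries about.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, PrincipalSource, ObjectClass
}

$fileFindings  = @(Get-UnexpectedFileAccess -Path $DataPath -Allowed $AllowedFileIdentities)
$adminFindings = @(Get-UnexpectedLocalAdmins -Allowed $AllowedLocalAdmins)

# Keep a dated copy of each run so successive reports can be compared.
New-Item -ItemType Directory -Path $AuditPath -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
if ($fileFindings)  { $fileFindings  | Export-Csv -NoTypeInformation -Path "$AuditPath\file-access-$stamp.csv" }
if ($adminFindings) { $adminFindings | Export-Csv -NoTypeInformation -Path "$AuditPath\local-admins-$stamp.csv" }

if ($fileFindings -or $adminFindings) {
    Write-Warning "Unexpected rights on this workstation: $($fileFindings.Count) file ACEs, $($adminFindings.Count) local admins. See $AuditPath."
}
```

Run it from a scheduled task under the unit's own account and keep the reports with the backups, since they are the evidence that the agreed access policy is actually being followed.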
