security paradox

From: "Greg Lorriman" <temp@lorriman.com>
Date: Fri, 27 Sep 2002 20:24:07 +0100


I'm the admin on a small network. I have admin rights on the NT box and all
the attached computers. This allows me access to very sensitive information.
I don't want access to that information.

In order to avoid this problem I get a "Server Operator" account, and the
admin password is changed and only known to the managing director. The
managing director is not technical, but is capable of typing the password as
needed, with a 3rd person to act as a "chaperone" during any period that
admin access is needed by myself.

However this system is unworkable since admin access is required more
frequently than anticipated; the MD is constantly being troubled and the 3rd
person is fed up and bored.

How is this conundrum usually dealt with? AFAICS admin access is too
powerful, and I don't know of a "step down" that will allow server
administration while disallowing user folder access.

This must be a nightmare in a large network with multiple admins.

The system to which I refer is an NT server with win2k clients. The info to
which I am referring is that which newspapers would be interested in and so
this conundrum and a need for a solution is causing myself and my boss some
anxiety. It's not so much that I can't trust myself, but that there is no
real reason why the persons affected by this security issue should trust me,
and nor anyone who might replace me. There is also the issue of leak
detection: having just one individual with the admin password restricts
accountability somewhat. If an enquiry were launched into a breach of
security myself and my boss want to be as protected as possible.

Anyone got more of a clue than we have?

A decent book recommendation would be lovely too!

Greg


