Re: security paradox

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 09/28/02


From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sat, 28 Sep 2002 00:02:27 -0400


If the data is that sensitive it should be encrypted with PGP or some other
third party encryption package that being an administrator doesn't allow
access to.

--
---
Joe Richards
www.joeware.net
---
"Greg Lorriman" <temp@lorriman.com> wrote in message
news:OCtPetlZCHA.3736@tkmsftngp08...
>
> I'm the admin on a small network. I have admin rights on the NT box and all
> the attached computers. This allows me access to very sensitive information.
> I don't want access to that information.
>
> In order to avoid this problem I get a "Server Operator" account, and the
> admin password is changed and only known to the managing director. The
> managing director is not technical, but is capable of typing the password as
> needed, with a 3rd person to act as a "chaperone" during any period that
> admin access is needed by myself.
>
> However this system is unworkable since admin access is required more
> frequently than anticipated; the MD is constantly being troubled and the 3rd
> person is fed up and bored.
>
> How is this conundrum usually dealt with? AFAICS admin access is too
> powerful, and I don't know of a "step down" that will allow server
> administration while disallowing user folder access.
>
> This must be a nightmare in a large network with multiple admins.
>
> The system to which I refer is an NT server with win2k clients. The info to
> which I am referring is that which newspapers would be interested in and so
> this conundrum and a need for a solution is causing myself and my boss some
> anxiety. It's not so much that I can't trust myself, but that there is no
> real reason why the persons affected by this security issue should trust me,
> and nor anyone who might replace me. There is also the issue of leak
> detection: having just one individual with the admin password restricts
> accountability somewhat. If an enquiry were launched into a breach of
> security myself and my boss want to be as protected as possible.
>
> Anyone got more of a clue than we have?
>
> A decent book recommendation would be lovely too!
>
> Greg
>
>
>
>
>

