Re: Locking an "Administrator" out of a directory.
From: news.microsoft.com (sail33811_at_hotmail.com)
Date: 05/20/03
- Next message: Greg: "Re: Locking an "Administrator" out of a directory."
- Previous message: Steven L Umbach: "Re: Failure Audit Event"
- In reply to: Greg: "Re: Locking an "Administrator" out of a directory."
- Next in thread: Greg: "Re: Locking an "Administrator" out of a directory."
- Reply: Greg: "Re: Locking an "Administrator" out of a directory."
- Reply: jussi jaakonaho: "Re: Locking an "Administrator" out of a directory."
Date: Tue, 20 May 2003 12:13:40 -0400
Well in this case I suppose what "matters" is relative. When a user creates
a file, they are the owner. If someone takes ownership away from that person
(to change the permissions), the properties on that file will show that the
creator is no longer the owner. So we would know the file had been tampered
with. Again, it does not prevent the user from accessing the file, but it
leaves a trail somewhere "other" than the logs (which can be cleared). So in
our scenario I do not see where the log would matter, because the only way
the admin could put the ownership back is to log in as that user (make them
an administrator) and change the ownership back. However, he does not know
their password. Resetting their password would trigger the user something
had changed. None of this involves the logs.
I suppose he could use a password hacker, but personally I don't think he's
playing on that level. Which is part of the reason he will likely be
replaced.
> If you really want to deter an admin to have malicious access to data: at
> least crypt them, backup them in a physical place the admin cannot access
> and keep the crypto key secure.
In a domain, the admin is a recovery agent by default. Is there a way to
prevent the Admin from being a recovery agent? If so that would help. If not
we're back to the same cycle of problems.
Thanks.
"Greg" <greg@none.none> wrote in message
news:3eca4ac9$0$11542$626a54ce@news.free.fr...
> Sorry but the logs matter as the admin has so many ways to have access to
> files not using its accounts.
> I would recommend, at a minimum, to have audit turned on (failures and
> success) for these directories and the user have a strong password changed
> quite frequently.
>
> If you really want to deter an admin to have malicious access to data: at
> least crypt them, backup them in a physical place the admin cannot access
> and keep the crypto key secure.
>
> Hope this helps.
>
> "news.microsoft.com" <sail33811@hotmail.com> wrote in message
> news:uSiylFuHDHA.1656@TK2MSFTNGP10.phx.gbl...
> > Actually, the logs do not matter, because you can always check to see who
> > the owner is of a file. If the owner suddenly becomes the network admin
> > instead of the creator, we'll know something is up. He can not grant ownership
> > back to the creator without their password. He could reset their password,
> > but again the user would know.
> >
> > Thanks.
> >
> > "Keith W. McCammon" <km@km.com> wrote in message
> > news:OST8UBuHDHA.588@TK2MSFTNGP10.phx.gbl...
> > > > and would thereby leave a trail. I.e., it wouldn't stop him, but it
> > > > would force him to incriminate himself.
> > >
> > > Assuming the event logs don't disappear...
> > >
> > >
> >
> >
>
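The owner check discussed in this thread, as an added example that is not part of any poster's message: PowerShell that snapshots the owner of every file under a directory and reports files whose owner differs from a saved baseline. The function names, the temp directory and the account `EXAMPLE\alice` are assumptions made for the demonstration.

```powershell
# Added example: detect file-owner changes against a saved baseline.
# Function names and the sample directory are hypothetical.

function Get-OwnerSnapshot {
    param([Parameter(Mandatory)][string]$Root)
    # One record per file: full path plus the owner stored in its security descriptor.
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }
}

function Compare-OwnerSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path] = $b.Owner }
    foreach ($c in $Current) {
        if (-not $known.ContainsKey($c.Path)) { continue }   # new file, nothing to compare
        if ($known[$c.Path] -ne $c.Owner) {
            [pscustomobject]@{ Path = $c.Path; Was = $known[$c.Path]; Now = $c.Owner }
        }
    }
}

# Constructed demo: two files in a temp directory.
$root = Join-Path ([IO.Path]::GetTempPath()) 'owner-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
'a' | Set-Content (Join-Path $root 'report.txt')
'b' | Set-Content (Join-Path $root 'notes.txt')

# In real use the baseline would be exported (e.g. Export-Csv) to storage
# outside the administrator's control and loaded back for each comparison.
$baseline = @(Get-OwnerSnapshot -Root $root)

# Simulate an older baseline in which report.txt belonged to a constructed account.
($baseline | Where-Object { $_.Path -like '*report.txt' }).Owner = 'EXAMPLE\alice'

$current = @(Get-OwnerSnapshot -Root $root)
Compare-OwnerSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

The demo lists `report.txt` with its recorded owner and its current owner, and leaves `notes.txt` out because its owner matches the baseline.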