Re: Locking an "Administrator" out of a directory.
From: Greg (greg_at_none.none)
Date: 05/20/03
- Next message: D KLINGE: "Re: Password Expiry Status"
- Previous message: news.microsoft.com: "Re: Locking an "Administrator" out of a directory."
- In reply to: news.microsoft.com: "Re: Locking an "Administrator" out of a directory."
- Next in thread: jussi jaakonaho: "Re: Locking an "Administrator" out of a directory."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 20 May 2003 18:50:27 +0200
Hi,
> I suppose he could use a password hacker, but personally I don't think he's
> playing on that level. Which is part of the reason he will likely be
> replaced.
I was not assuming he was bad enough not to be able to use a password
cracker :-) But an admin can use other ways to read files without cracking
the password and resetting the securities. Adding audit logs adds a layer
of security that won't help malicious access. Also, without logs, it will be
more difficult to have proof of malicious access. Please also note: I do
not think that deleting part or all of the files will let his ownership
modification on file entries!
> In a domain, the admin is a recovery agent by default. Is there a way to
> prevent the Admin from being a recovery agent? If so that would help. If not
> we're back to the same cycle of problems.
True, I should have written "a third-party crypto tool", but I also wrote to
secure the key...
Hope this helps.
"news.microsoft.com" <sail33811@hotmail.com> wrote in message
news:%23Ncx9ouHDHA.3056@tk2msftngp13.phx.gbl...
> Well in this case I suppose what "matters" is relative. When a user creates
> a file, they are the owner. If someone takes ownership away from that person
> (to change the permissions), the properties on that file will show that the
> creator is no longer the owner. So we would know the file had been tampered
> with. Again, it does not prevent the user from accessing the file, but it
> leaves a trail somewhere "other" than the logs (which can be cleared). So in
> our scenario I do not see where the log would matter, because the only way
> the admin could put the ownership back is to log in as that user (make them
> an administrator) and change the ownership back. However, he does not know
> their password. Resetting their password would trigger the user something
> had changed. None of this involves the logs.
>
> I suppose he could use a password hacker, but personally I don't think he's
> playing on that level. Which is part of the reason he will likely be
> replaced.
>
> > If you really want to deter an admin to have malicious access to data: at
> > least crypt them, backup them in a physical place the admin cannot access
> > and keep the crypto key secure.
>
> In a domain, the admin is a recovery agent by default. Is there a way to
> prevent the Admin from being a recovery agent? If so that would help. If not
> we're back to the same cycle of problems.
>
> Thanks.
>
> "Greg" <greg@none.none> wrote in message
> news:3eca4ac9$0$11542$626a54ce@news.free.fr...
> > Sorry but the logs matter as the admin has so many ways to have access to
> > files not using its accounts.
> > I would recommend, at a minimum, to have audit turned on (failures and
> > success) for these directories and the user have a strong password changed
> > quite frequently.
> >
> > If you really want to deter an admin to have malicious access to data: at
> > least crypt them, backup them in a physical place the admin cannot access
> > and keep the crypto key secure.
> >
> > Hope this helps.
> >
> > "news.microsoft.com" <sail33811@hotmail.com> wrote in message
> > news:uSiylFuHDHA.1656@TK2MSFTNGP10.phx.gbl...
> > > Actually, the logs do not matter, because you can always check to see who
> > > the owner is of a file. If the owner suddenly becomes the network admin
> > > instead of the creator, we'll know something is up. He can not grant
> > > ownership back to the creator without their password. He could reset their
> > > password, but again the user would know.
> > >
> > > Thanks.
> > >
> > > "Keith W. McCammon" <km@km.com> wrote in message
> > > news:OST8UBuHDHA.588@TK2MSFTNGP10.phx.gbl...
> > > > > and would thereby leave a trail. I.e., it wouldn't stop him, but it
> > > > > would force him to incriminate himself.
> > > >
> > > > Assuming the event logs don't disappear...
> > > >
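An added example (not written by any poster in this thread) of the two controls the thread keeps coming back to, as a PowerShell script: it records a baseline of each file's owner, flags files whose owner later differs from the baseline (the "trail outside the logs"), and adds a SACL audit rule so take-ownership and permission changes are written to the Security log. The directory and baseline paths are assumptions, and the audit rule only produces events if object-access (File System) auditing is enabled in the audit policy.

```powershell
# Added example, not from the thread. Assumed paths: protected directory and baseline file.
param(
    [string]$Path     = 'D:\Sensitive',
    [string]$Baseline = 'D:\owner-baseline.csv'
)

# Snapshot of every file's current owner (DOMAIN\user) under the directory.
function Get-OwnerSnapshot([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            Path  = $_.FullName
            Owner = (Get-Acl -LiteralPath $_.FullName).Owner
        }
    }
}

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: record who owns each file today (normally its creator).
    Get-OwnerSnapshot $Path | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline"
}
else {
    # Later runs: a file whose owner no longer matches the baseline has been taken over.
    $old = @{}
    Import-Csv -LiteralPath $Baseline | ForEach-Object { $old[$_.Path] = $_.Owner }
    Get-OwnerSnapshot $Path | Where-Object {
        $old.ContainsKey($_.Path) -and $old[$_.Path] -ne $_.Owner
    } | ForEach-Object {
        Write-Warning ("Owner changed: {0}  {1} -> {2}" -f $_.Path, $old[$_.Path], $_.Owner)
    }
}

# Audit rule (success and failure) for take-ownership, permission changes, writes
# and deletes by anyone, inherited by files and subfolders. Needs elevation.
$acl  = Get-Acl -LiteralPath $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl
```

Keep the baseline CSV somewhere the administrator in question cannot reach, for the same reason the thread gives for keeping backups and keys off the box: a trail he can rewrite is no trail.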