Re: Administrator Access

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 12/18/03


Date: Thu, 18 Dec 2003 01:29:35 GMT

The only possible way is encryption of the files, and even then it would need
to be a computer in his possession that can remain physically secured at
least until he exports/deletes the private keys. W2K offers EFS encryption,
but requires a recovery agent also, which by default is the local
administrator on a non-domain machine and the original administrator account
on the first domain controller of a domain. The problem with EFS is that as
long as the EFS user and recovery agent private keys used for decryption
remain on the computer, then it is possible for someone with physical access
to access those files by using the recovery agent if they are a legitimate
administrator or by a malicious person cracking or resetting the
administrator password or logging on as the user if they have a weak
password. Even if files are EFS encrypted on a server share they may be
sniffed off the wire because there is no encryption on the network unless
IPsec or VPN is used. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

"Steve Boland" <anonymous@discussions.microsoft.com> wrote in message
news:019001c3c503$df609b50$a101280a@phx.gbl...
> I have a very paranoid boss at a W2K Server site who wants
> to stop anyone, including the administrator, from
> accessing his files on the file server. I realise this is
> not desirable for any number of reasons but is it even
> possible?
>
> You can certainly set the sharing and security permissions
> to keep the administrator out but then he only has to sit
> down at the server and take ownership again.
>
> Any thoughts appreciated.
>
> Steve Boland CCNA


