Re: Administrator rights to folder

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/08/04 

Date: Mon, 8 Mar 2004 12:53:22 -0800

There's pretty good documentation about how auditing works. Here's one
example of the Win2k docs:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/acl_audit_file_folder.htm

Help and Support on XP/Server 2003 is actually helpful, too. Or you can
always google for more information ("site:microsoft.com" will give you only
hits from Microsoft). 

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tomppa" <tofors99@hotmail.com> wrote in message
news:Ope92FRBEHA.1600@tk2msftngp13.phx.gbl...
> Hi!
> Auditing sound like a good start. Have activated auting on a test folder
for
> the administrator. But what do I have to do more, to get success/failure
> events in the event log?
>
> Tomppa
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i meddelandet
> news:%23UatYqvAEHA.2800@tk2msftngp13.phx.gbl...
> > Regardless, a domain admin can install a keystroke logger or a filter
> driver
> > that snoops files as they are opened.  Encryption doesn't really stop an
> > admin if the file is ever opened again (or, perhaps if the user ever
logs
> > onto a domain machine again).
> > If you want to see what your admins do to files, use auditing.  Even if
> they
> > clear the log, there will be a log of their clearing it.
> > If you don't trust them at all they probably shouldn't be admins.
> > -- 
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no
> rights.
> >
> >
> > "Dusko Savatovic" <savatovic.removespam@hotmail.com> wrote in message
> > news:e6E90$rAEHA.3352@TK2MSFTNGP09.phx.gbl...
> > > They can hide stuff if they use encryption.
> > > However, if they use EFS in domain environment, it might be possible
for
> > > domain admins to recover encrypted content.
> > >
> > > In order to prevent casual recovery in domain environment, the
creation
> of
> > > recovery agents should be strictly monitored and EFS recovery
> certificate
> > > should be exported (with option "Delete private key if export is
> > > successful") from the user Administrator of the
> > > First-root-domain-controller.
> > >
> > > Also, the security is not just setting permissions and encryption. It
is
> a
> > > process of constant monitoring, evaluation and adaptation to new
> > situations.
> > > Think of it as leaving expensive, secure ATM full of money in the open
> > field
> > > without any supervision.
> > >
> > > Dusko Savatovic
> > >
> > >
> > >
> > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > news:O2DHX9nAEHA.1452@TK2MSFTNGP09.phx.gbl...
> > > > So the company´s "leadgroup" can´t "hide" anything from the domain
> > > > admin.......
> > > >
> > > > Tomppa
> > > >
> > > > "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> skrev i
meddelandet
> > > > news:ezdI5niAEHA.2316@TK2MSFTNGP10.phx.gbl...
> > > > > You can't.  That's what it means to be a domain administrator.
> > > > > -- 
> > > > > Drew Cooper [MSFT]
> > > > > This posting is provided "AS IS" with no warranties, and confers
no
> > > > rights.
> > > > >
> > > > >
> > > > > "Tomppa" <tofors99@hotmail.com> wrote in message
> > > > > news:OlLaG4eAEHA.1456@TK2MSFTNGP09.phx.gbl...
> > > > > > Hi
> > > > > >
> > > > > > Can I prevent a Domain admin to have access to a folder on the
DC?
> > > > > > If I only give access to user "Bill" the administra still can
> right
> > > > click
> > > > > > the folder and give himself more rights.
> > > > > >
> > > > > > Tomppa
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Administrator rights to folder
    ... Auditing sound like a good start. ... > If you don't trust them at all they probably shouldn't be admins. ... >> They can hide stuff if they use encryption. ... >> In order to prevent casual recovery in domain environment, ...
    (microsoft.public.windows.server.security)
  • Re: Administrator rights to folder
    ... If you don't trust them at all they probably shouldn't be admins. ... > They can hide stuff if they use encryption. ... > recovery agents should be strictly monitored and EFS recovery certificate ... > "Tomppa" wrote in message ...
    (microsoft.public.windows.server.security)
  • RE: Laptop Encryption & Write Permissions
    ... laptop and software remotely managing the laptop. ... Laptop Encryption & Write Permissions ... capabilities of bitlocker will allow admins to access drives in the ...
    (Focus-Microsoft)
  • Re: recover mit ExMerge (Ex2003)
    ... Orga Admins und den Domain Admins mit drin), ... Requirements for Using ExMerge with a Recovery Storage Group ...
    (microsoft.public.de.german.exchange2000.general)
  • RE: software to control domain administrators
    ... Trustworthy Admins already do this with the explicit knowledge that they ... reverse that auditing, which the auditing mechanism should reflect ... Honestly, if you are looking for something to audit domain admins, then ... Si ha recibido este mensaje por error, ...
    (Security-Basics)