Re: Securing Data from Administrators

From: Steven L Umbach (n9rou_at_N0sPaM-comcast.net)
Date: 09/22/04


Date: Tue, 21 Sep 2004 17:43:59 -0500

EFS files can be shared by users but even this does not guarantee
confidentiality. A domain admin could easily create a Recovery Agent to give
himself access to the files that were created or opened at a point in time
after he made himself a Recovery Agent. Also ownership is not a reliable way
to tell if an admin has accessed a file he originally had no permissions to,
as an administrator can simply back up files and restore them somewhere else
to gain access.

If you cannot trust your domain admins then one solution is to find someone
you can, or manage the server yourselves [those in that security group]
by creating a domain in a separate forest and creating a forest trust to
allow users needed access to that server. Of course you will incur the
expense of two more domain controllers [one for redundancy]. --- Steve

There may be third party encryption solutions that use encryption but I
have not used one myself that can secure network shares/drives for specific
users. --- Steve

"iNF2700" <inf2700@hotmail.com> wrote in message
news:ZeKdnaRxp8227M3cRVn-jQ@giganews.com...
> Hi,
>
> We run Windows 2003 Server as well as Exchange 2003. There is data on the
> file server that should not be accessible to anybody except one specific
> security group. Basically management doesn't want the IT staff to have
> access to certain directories. However the IT staff must be Domain
> Administrators in order to correctly do their job. Is there any way to
> achieve this? I was going to use EFS but I think it will become difficult
> to share a large amount of files since the rights are applied to specific
> files..
>
> Any idea?
>
> Thanks
>
>
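One way for the owning security group to at least detect the Recovery Agent scenario Steve describes is to walk the protected tree with `cipher /c` and flag any file whose recovery certificate thumbprint is not on an approved list. This is an added example, not code from the thread; it assumes `cipher /c /s:<dir>` prints "Recovery Certificates:" sections followed by "Certificate thumbprint:" lines (an assumption about the tool's text output), and the path and approved thumbprint are placeholders.

```powershell
# Added example: report EFS-encrypted files whose Data Recovery Agent (DRA)
# certificate is not one the data owners expect. Assumes the text layout of
# "cipher /c" output (file lines start with "E " or "U ", followed by
# "Users who can decrypt:" and "Recovery Certificates:" sections).
param(
    [string]$Path = 'D:\Confidential',                      # placeholder path
    [string[]]$ApprovedThumbprints = @('PLACEHOLDER-APPROVED-DRA-THUMBPRINT')
)

# Thumbprints are printed with spaces between byte pairs; normalise them.
function Normalize-Thumbprint([string]$t) { ($t -replace '\s', '').ToUpperInvariant() }
$approved = $ApprovedThumbprints | ForEach-Object { Normalize-Thumbprint $_ }

$current = $null      # file currently being described
$section = $null      # 'users' or 'dra' while inside that part of the listing
$findings = @()

# /c lists encryption state, /s:<dir> recurses into subdirectories
& cipher.exe /c /s:$Path | ForEach-Object {
    $line = $_
    if ($line -match '^[EU]\s+(.+)$') {
        # New file (E = encrypted, U = not encrypted); reset section state
        $current = $Matches[1].Trim()
        $section = $null
    }
    elseif ($line -match '^\s*Recovery Certificates:') { $section = 'dra' }
    elseif ($line -match '^\s*Users who can decrypt:') { $section = 'users' }
    elseif ($section -eq 'dra' -and $line -match 'Certificate thumbprint:\s*(.+)$') {
        $tp = Normalize-Thumbprint $Matches[1]
        if ($approved -notcontains $tp) {
            # A DRA the owners did not approve can decrypt this file
            $findings += [pscustomobject]@{ File = $current; Thumbprint = $tp }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No files under $Path carry an unapproved recovery certificate."
} else {
    Write-Output "Files recoverable by an unapproved DRA under ${Path}:"
    $findings | Format-Table -AutoSize
}
```

Files encrypted before the unexpected agent was added will not show it until they are next modified, which is exactly the "created or opened at a point in time after" behaviour noted above, so the check should be run regularly rather than once.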
