Re: Deny folder access for administrators
- From: "Ondrej Sevecek" <ondra at my_surname dot com>
- Date: Tue, 24 Jan 2006 10:57:22 +0100
First, be sure when anybody has any ability other than the pure USERS group,
he can do just anything with the system he wants. The only thing you can do
with this is to log everything and make them sign statements that prevent
them from the malicious actions.
To your question:
First, you *can* explicitly *deny* access to the files for administrators.
The problem with this would be the administrator's possibility to *take
ownership* and when one has ownership, he can change permissions. But you
could audit access to the files so that you have information about the
malicious admins accessing the files. Also, you could prevent them from
accessing the server at all. They also should sign a statement that would
prevent them from access.
The other method is to encrypt the files with EFS (simply right click the
file or folder and select *encrypt contents to secure data*). But be sure to
know all the problems that arise with the EFS encryption, especially on
remote shared folders. This EFS requires some PKI features and is not so
simple to implement.
Some problem with the EFS will be the feature called "EFS Recovery Agents"
that can be installed by domain administrators. The recovery agent can read
and decrypt all the content. Again, you can restrict who can assign the
recovery agents and again, you cannot physically prevent admins from doing
it indirectly. But again, you can log everything and then penalize them when
the rule is crossed.
Also, there is a number of "transparent" encryption systems that can
transparently encrypt files with users inserting passwords of their own when
the file is accessed. The file is then transparently decrypted without an
impact on application. But be sure to check with the vendor what exactly
they support, if they support remote files, if the encryption is really
transparent, if it is file level encryption or a "virtual disk" encryption
(the system would create a file that would show up as a virtual disk volume)
or the whole disk encryption, if it supports more than one user etc.
O.
"M.J.Leidekker" <ict.mjl@xxxxxxxxxxx> wrote in message
news:uYAMZiMIGHA.3144@xxxxxxxxxxxxxxxxxxxxxxx
> Working in a company with a windows 2000 domain controller, and a
> windows 2003 server, the financial department asked me if it is
> possible to put files on the network and deny every administrator
> access to these files.
>
> Backups of these files are made by the financial department, so there
> is no need for the backup operator to access these files. Giving them
> ownership of the files is not enough for them, because every
> administrator can take back the ownership.
>
> Using zip or rar to encrypt these files is not workable because the
> financial software must be able to read/write to these files.
>
> Tia,
> MJL
> --
>
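The auditing approach suggested in the reply above, as an added example that is not part of the original thread: it places an audit entry (SACL) on a folder so that reads, writes, permission changes and take-ownership attempts by the local Administrators group are recorded in the Security log. It assumes PowerShell on a current Windows server (which the 2006 post predates), an elevated session, and a hypothetical folder path `D:\Finance`.

```powershell
# Added example, not from the original post.
# Assumptions: elevated PowerShell session on the file server; D:\Finance is a
# hypothetical path. Object access auditing must also be enabled on the server,
# e.g. on current Windows:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
param(
    [string]$Folder = 'D:\Finance'   # hypothetical path
)

# Well-known SID of BUILTIN\Administrators; using the SID avoids localized names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

# Audit data access plus the two rights that let an admin bypass a deny entry:
# taking ownership and rewriting the permissions.
$rights = [System.Security.AccessControl.FileSystemRights] `
    'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'

# Apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Record both successful and failed attempts.
$flags = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $admins, $rights, $inherit, $propagate, $flags)

# -Audit is required, otherwise Get-Acl does not return the SACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Show the audit entries now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```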