Re: Folder security question

Roger,

I agree to a certain extent. The information I am trying to limit is
payroll information. Having that information accessible to the IT department
is very tempting to look at and over time at least one person will look, then
talk. Now the information is out. I think it is irresponsible on my part to
not do my best in restricting this information. Thank you for your response.
Do you have any suggestions to help in this situation?


"Roger Abell [MVP]" wrote:

You could chase this back, etc. and then look and see that
ultimately there is the basic issue that if the admins cannot
be trusted then any config control put in place is not going
to accomplish what you are after.

Setting CFO and user as only allowed accounts per folder,
and having private from IT staff all passwords for local admin
accounts, places a hurdle in the way. However, any account
granted admin, heck even just power user, etc., access on the
machine, such as by means of Domain Admins, will be able to
walk right around those NTFS controls in a number of ways.

If you cannot trust those granted admin powers in your
infrastructure then you have the wrong people.

The technology based solutions to this (in any operating system)
can raise the bar, perhaps beyond the ability of unscrupulous
staff to hurdle. But, ultimately there is someone in the admin
staff that could get around the controls of the more expensive
technologies one could apply.


"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2966B8D5-740C-4C08-ADE7-D93E55BA2F1F@xxxxxxxxxxxxxxxx
I am tasked with an interesting security project. I have a network with
about 250 users and we require the users to give passwords to computer
administrators for setting up and testing the user's workstation. My
accounting department wants to print a copy of each users payroll check
into
a directory that only the user and CFO can access. Taking into
consideration
that IT has a password list the security is compromised for this one
directory. Is there a way to setup up password security on a folder and
to
let the user of the folder assign a password to it? I am thinking this
would
have to be outside of active directory. Any suggestions would be
appreciated.


Eric Olsen




.

Relevant Pages

  • Re: Folder security question
    ... Setting CFO and user as only allowed accounts per folder, ... and having private from IT staff all passwords for local admin ... staff to hurdle. ...
    (microsoft.public.windows.server.security)
  • RE: local admin account password
    ... Subject: local admin account password ... > 4) Only use domain accounts so delete the local ones. ... > The DB file would be encrypted with EFS so only the limited user SQL ... > backup user can make a zip backup of the DB whenever it gets changed ...
    (Focus-Microsoft)
  • RE: local admin account password
    ... Say you have more then 1000 systems, how do you handle the local admin ... Only use domain accounts so delete the local ones. ... The DB file would be encrypted with EFS so only the limited user SQL ... There would be basically two stored procs, ...
    (Focus-Microsoft)
  • local admin account password
    ... Only use domain accounts so delete the local ones. ... 5)My main idea/plan is to store all the passwords on a central SQL server. ... This way you can easily have a different random passwords for the admin ... There would be basically two stored procs, ...
    (Focus-Microsoft)
  • Re: Admin vs limited user account
    ... properly with limited user account (it does work fine with admin users). ... Quite simply, the application doesn't "know" how to handle individual user profiles with differing security permissions levels, or the application is designed to make to make changes to "off-limits" sections of the Windows registry or protected Windows system folders. ... "If your game or application works with admin accounts, but not with limited accounts, you can fix it to allow limited users to access the program files ...
    (microsoft.public.windowsxp.security_admin)