Re: How can admin not have access to certain shares?



On Feb 21, 7:36 am, Leythos <v...@xxxxxxxxxxx> wrote:
In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@71g2000hse.googlegroups.com>, david.mow...@xxxxxxxxx says...

Through a combination of setting the
correct policy (no access for admins) and then monitoring the systems
so that the policy does not change, you can achieve the desired
compliance level for your systems.

Actually, that does not meet the requirement - the requirement was to
block access by Admins to a share/file/folder/etc...

It can not be done.

Yes, you can provide a log that the violation has happened, but you can
not stop it.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999f...@xxxxxxxxxx (remove 999 for proper email address)

I don't think that you are accurately representing the problem and/or
possible solutions. Given that there are fundamental issues with
keeping an admin from doing anything on his box, this does not mean
that there aren't things you can do to make a system more secure or
more compliant. Doing something is almost always better from both a
security and compliance perspective than doing nothing at all.
Compliance inspections are never binary in either their goals or their
results. Since no system is ever completely protected, no company would
ever pass a security audit if the requirement was to provide
bulletproof security.

In summary, adding systems that provide monitoring and policy
enforcement will definitely tend to make an organization more likely
to be found "in compliance" than doing nothing at all.

This is, of course, the view of a system implementor. If there are
compliance folks out there who would like to comment, their
contributions would be welcome.

Dave