Re: How can admin not have access to certain shares?



I think that's a bit over the top.
In the real world, I am guessing that perhaps a business owner or director
is hiring a system administrator but wants to have some data that is
private. It could be the Finance Director. The question is, can this be done
within a domain? The answer that I and others have given is:
- You can remove access, but the admin can take it back
- You can audit access, but the admin can change the auditing.
So if you really don't want the admin to have access to the data you need to
store it outside of the domain he is administering. For example, on a
workstation. Then back up the workstation.
Anthony
http://www.airdesk.co.uk



"Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx> wrote in message
news:%231HuGXxdIHA.4260@xxxxxxxxxxxxxxxxxxxxxxx

"Anthony [MVP]" <anthony@xxxxxxxxxxxx> wrote in message
news:%23ICbOwMdIHA.2404@xxxxxxxxxxxxxxxxxxxxxxx
If you want data to be outside the scope of a domain administrator, it is
fairly obvious that you need to put the data outside the domain.

Brilliant! But then what is the security environment of this data
repository that is outside the domain? Is it another domain with a
different set of administrators? Is it a SAN device on the network? Is it
a vault containing the data on magnetic media or printed reports?

And if the data is ever processed by any machine actually *on* the
network, what process ensures that it is inaccessible to anyone other than
the authorized user while in use, and fully deleted once he files the
results away in that magical non-domain world?

You can certainly use such techniques to keep system admins from having
any sort of access to the information. But I am not convinced that the
data itself will become any more secure from unauthorized access in
general as a result.

Auditing the data so that you are alerted when someone accesses it is
different. It is like putting the burglar in charge of setting the alarm.

If that is truly the case, then we must immediately stop all auditing of
security events, as this has no place in securing our data. Much better to
hide the data in a sock in the mattress in your spare bedroom where you
cannot possibly audit the situation, and can therefore be sure that no
knowledge will ever come your way of its having been accessed. In a
nutshell, you will have then proven it is perfectly safe.

/Al

Anthony
http://www.airdesk.com



"Leythos" <void@xxxxxxxxxxx> wrote in message
news:MPG.222775611d99c0d2989a6e@xxxxxxxxxxxxxxxxxxxx
In article <1a3d0a6f-760d-4fbd-b134-cad4303349c3
@z17g2000hsg.googlegroups.com>, david.mowers@xxxxxxxxx says...
On Feb 21, 7:36 am, Leythos <v...@xxxxxxxxxxx> wrote:
In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@
71g2000hse.googlegroups.com>, david.mow...@xxxxxxxxx says...

Through a combination of setting the correct policy (no access for admins) and
then monitoring the systems so that the policy does not change, you can achieve
the desired compliance level for your systems.

Actually, that does not meet the requirement - the requirement was to
block access by Admins to a share/file/folder/etc...

It can not be done.

Yes, you can provide a log that the violation has happened, but you can not
stop it.


I don't think that you are accurately representing the problem and/or
possible solutions. Given that there are fundamental issues with
keeping an admin from doing anything on his box, this does not mean
that there aren't things you can do to make a system more secure or
more compliant. Doing something is almost always better from both a
security and compliance perspective than doing nothing at all.
Compliance inspections are never binary in either their goals or their
results. Since no system is ever completely protected no company would
ever pass a security audit if the requirement was to provide bullet
proof security.

In summary, adding systems that provide monitoring and policy
enforcement will definitely tend to make an organization more likely
to be found "in compliance" than doing nothing at all.

This is, of course, the view of a system implementor. If there are
compliance folks out there who would like to comment, their
contributions would be welcome.

Dave, I work for many clients, and many of them have to provide SOX or
other compliance proof.

The simple fact is that no matter how you dice it up, if you have domain
admin access you have access to everything and there is no way to change
that.

Yes, logging can show that an admin violated security, but that doesn't
change the specifics - the admin has access to anything they want access
to, period.

Your Usenet client is broken, it's not properly clipping signature lines
when you reply.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
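What Anthony's two bullets ("you can remove access, but the admin can take it back; you can audit access, but the admin can change the auditing") and Leythos's "logging can show that an admin violated security" amount to on a Windows file server, as an added PowerShell example that is not part of the thread: it audits the rights an administrator would use to undo the restriction, removes Administrators from the folder's DACL, and then lists the events such an undo leaves behind. The folder path, the FINANCE\FinanceOwner account and the function name are placeholders.

```powershell
# Added example (not from the thread). Placeholders: $Path and the FINANCE\FinanceOwner
# account. Run as an administrator; note that step 2 locks that administrator out too.
$Path    = 'D:\Private\Finance'
$Owner   = 'FINANCE\FinanceOwner'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# 0. Object-level auditing produces no events unless the subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 1. Audit first (reading the SACL needs READ_CONTROL, which step 2 takes away from us):
#    log any change to permissions or ownership by anyone, and any read by Administrators.
$sacl = Get-Acl -Path $Path -Audit
$sacl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'ChangePermissions, TakeOwnership', $inherit, 'None', 'Success, Failure'))
$sacl.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    'BUILTIN\Administrators', 'Read', $inherit, 'None', 'Success, Failure'))
Set-Acl -Path $Path -AclObject $sacl

# 2. Remove access: break inheritance, drop every existing ACE, deny Administrators,
#    grant only the data owner, and make that owner the NTFS owner of the folder.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Deny'))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Owner, 'Modify', $inherit, 'None', 'Allow'))
$acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
Set-Acl -Path $Path -AclObject $acl

# 3. Detect the undo. 4670 = permissions on an object were changed, 4907 = auditing
#    settings on an object were changed, 1102 = the Security log was cleared. These
#    events are all that "you can audit it" buys you, and they are worth nothing unless
#    the Security log is forwarded to a collector the same administrator does not control.
function Get-PrivateShareTamperEvents {
    param([string]$FolderPath)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4907, 1102 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 1102 -or $_.Message -like "*$FolderPath*" } |
        Select-Object TimeCreated, Id,
            @{ n = 'Account'; e = { $_.Properties[1].Value } }   # SubjectUserName field
}
Get-PrivateShareTamperEvents -FolderPath $Path | Format-Table -AutoSize
```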




