|
Posted by M.J.Leidekker on January 24, 2006, 6:37 am
Please log in for more thread options Ondrej Sevecek wrote:
> First, be sure when anybody has any ability other then the pure USERS
> group, he can do just anything with the system he wants. The only
> thing you can do with this is to log everything and make them sign
> statemets that prevent them from the malitious actions.
>
> To your question:
>
> First, you can explicitly deny access to the files for
> administrators. The problem with this would be the adminstrator's
> possibility to *take ownership* and when one have ownership, he can
> change permissions. But you could audit access to the files so that
> you have information about the malitious admins accessing the files.
> Also, you could prevent them from accessing the server at all. They
> also should sign a statement that would prevent them from access.
>
> The other method is to encrypt the files with EFS (simply right click
> the file or folder and select *encrypt contents to secure data*). But
> be sure to know all the problems that arrise with the EFS encryption,
> especially on remote shared folders. This EFS requires some PKI
> features and is not so simple to implement. Some problem with the
> EFS will be the feature called "EFS Recovery Agents" that can be
> installed by domain administrators. The recovery agent can read and
> decrypt all the content. Again, you can restrict who can assign the
> recovery agents and again, you cannot physically prevent admins from
> doing it indirectly. But again, you can log everything and then
> penalize them when the rule is crossed.
>
> Also, there is a number of "transparent" encryption systems that can
> transparently encrypt files with users inserting passwords of their
> own when the file is accessed. The file is then transparently
> decrypted without an impact on application. But be sure to check with
> the vendor what exactly they support, if they support remote files,
> if the encrypion is really transparent, if it is file level
> encryption or a "virtual disk" encryption (the system would create a
> file that would show up as a virtual disk volume) or the whole disk
> encryption, if it supports more than one user etc.
>
>
> O.
>
>
>
>
>
> > Working in a company with a windows 2000 domain controller, and a
> > windows 2003 server, the financial department asked me if it is
> > possible to put files on the network and deny every administrator
> > access to these files.
> >
> > Backup's of these files are made by the financial department, so
> > there is no need for the backup operator to access these files.
> > Giving them ownership of the files is not enough for them, because
> > every administrator can take back the ownership.
> >
> > Using zip or rar to encrypt these files is not workable because the
> > finacialsoftware must be able to read/write to these files.
> >
> > Tia,
> > MJL
> > --
Many thanks for your information, I will check if EFS or transparent
ecryption with third party software is an option for the financial
department.
--
| 
XML Sitemap