How can admin not have access to certain shares?

Original post by bobm3 on 02-16-2008 (subject: How can admin not have access to certain shares?)
Posted by Roger Abell [MVP] on February 17, 2008, 3:19 am
There is a fine line between "not have access" and
"not able to access" as prior posts have indicated.
Is it just a policy that the admins should not have ability
to simply browse into the shared areas, i.e. that things
are not "good for the go" as set? Or is the requirement
that it be impossible for system admins to ever access?

If the first just do not grant Administrators group any
access (stay away from using deny, just don't grant).
If the second there is no way except storing on a machine
that those people have no rights to access or storing using
rights management such that the admins cannot recover.

Roger

> Gents;
>
> We have a compliance issue where our system admin is not supposed to
> have access to certain shares.
>
> Any ideas as to how we can accomplish this seemingly mutually
> exclusive feat?
>
> Thanks

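The "just don't grant" approach Roger describes, written out as an added PowerShell example that is not from this thread or from any of the posters. It assumes the share is backed by the folder D:\Shares\Finance and that the only people who should use it are in a hypothetical domain group CORP\Finance-Users; it breaks inheritance, clears the inherited entries, and grants only that group and SYSTEM. Administrators gets neither an Allow nor a Deny entry.

```powershell
# Added example, not from the thread. Assumptions: the folder behind the
# share is D:\Shares\Finance, the business group is the hypothetical
# CORP\Finance-Users, and backup/AV run as SYSTEM. Run elevated on the server.
param(
    [string]$Path  = 'D:\Shares\Finance',
    [string]$Group = 'CORP\Finance-Users'
)

$acl = Get-Acl -Path $Path

# Stop inheriting the parent's ACEs (which normally carry an
# Administrators: Full Control entry) and do not keep copies of them.
# Signature: SetAccessRuleProtection(isProtected, preserveInheritance)
$acl.SetAccessRuleProtection($true, $false)

# Drop every explicit entry so the DACL starts empty. RemoveAccessRule
# ignores inherited entries; those disappear when the protected DACL is written.
foreach ($ace in @($acl.Access)) {
    $null = $acl.RemoveAccessRule($ace)
}

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Grant the business group Modify and SYSTEM Full Control.
# Administrators is simply absent: no Allow, and (per Roger) no Deny either.
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule($Group, 'Modify', $inherit, $propagate, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }

Set-Acl -Path $Path -AclObject $acl

# Verify the result and flag any Administrators entry that survived.
$result = Get-Acl -Path $Path
$result.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
if ($result.Access | Where-Object { $_.IdentityReference -like '*\Administrators' }) {
    Write-Warning "Administrators still has an explicit ACE on $Path"
}
```

Two things remain true after this runs, and they are exactly the "not able to access" side of the distinction Roger draws: the folder's owner keeps implicit READ_CONTROL and WRITE_DAC regardless of what the DACL says, so if an administrator created the folder the owner should be changed to the business group (or a service account) as well, otherwise any member of Administrators can re-grant themselves; and Administrators still hold the "Take ownership" user right, so this stops browsing and accidental access, not a determined admin.
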


Posted by DaveMo on February 20, 2008, 10:09 am
On Feb 16, 9:36 am, bo...@worthless.info wrote:
> Gents;
>
> We have a compliance issue where our system admin is not supposed to
> have access to certain shares.
>
> Any ideas as to how we can accomplish this seemingly mutually
> exclusive feat?
>
> Thanks

As others have commented, you can take away the right for the
administrator to access something on the box, but you can't keep it
away if they really want to do something. You can, however, monitor
the proper access levels through a solution like we offer (shameless
plug: www.securitay.com/spm) and/or use of Microsoft's (or other)
event log collection system. Through a combination of setting the
correct policy (no access for admins) and then monitoring the systems
so that the policy does not change, you can achieve the desired
compliance level for your systems.

HTH,
Dave

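Dave's "set the policy, then watch that it doesn't change" approach, as an added PowerShell example that is not from the thread and is not Securitay's product. It assumes the same hypothetical D:\Shares\Finance folder and a constructed baseline of the two identities that are supposed to appear in the DACL. The first function reports any Deny entry, any identity outside the baseline, re-enabled inheritance, and an Administrators owner; the second turns on success auditing of file-system access by Administrators on the tree, so that an admin reading the data shows up as Event ID 4663 in the Security log.

```powershell
# Added example, not from the thread. Assumptions: folder D:\Shares\Finance
# and the constructed baseline below (a hypothetical group plus SYSTEM).
$Path     = 'D:\Shares\Finance'
$Expected = @('CORP\Finance-Users', 'NT AUTHORITY\SYSTEM')

# Compare the live DACL against the baseline and return a list of findings.
function Test-ShareAclDrift {
    param([string]$Path, [string[]]$Expected)
    $acl = Get-Acl -Path $Path
    $findings = @()
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny ACE for $id (policy is: do not grant, do not deny)"
        } elseif ($Expected -notcontains $id) {
            $findings += "Unexpected Allow ACE: $id -> $($ace.FileSystemRights)"
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is enabled; parent ACEs (typically Administrators) can flow in'
    }
    if ($acl.Owner -like '*\Administrators' -or $acl.Owner -like '*\Domain Admins') {
        $findings += "Owner is $($acl.Owner); an owner implicitly holds READ_CONTROL and WRITE_DAC"
    }
    return $findings
}

# Record successful access by Administrators on the tree (Security log 4663).
# This needs both a SACL entry on the folder and the 'File System' audit
# subcategory enabled for success; auditpol changes the machine-wide policy.
function Enable-AdminAccessAudit {
    param([string]$Path)
    & auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
    $acl = Get-Acl -Path $Path -Audit
    $auditArgs = @('BUILTIN\Administrators',
        'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit', 'None', 'Success')
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $auditArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$drift = Test-ShareAclDrift -Path $Path -Expected $Expected
if ($drift) {
    $drift | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "ACL on $Path matches the baseline"
}
```

Schedule Test-ShareAclDrift to run regularly and forward its warnings, together with 4663 events filtered on the folder path, to whatever event-log collection is in place. Both functions detect and record; neither prevents, which is the point Dave and Leythos agree on.
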
Posted by Leythos on February 21, 2008, 10:36 am
In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@71g2000hse.googlegroups.com>, david.mowers@gmail.com says...
> Through a combination of setting the
> correct policy (no access for admins) and then monitoring the systems
> so that the policy does not change, you can achieve the desired
> compliance level for your systems.

Actually, that does not meet the requirement - the requirement was to
block access by Admins to a share/file/folder/etc...

It can not be done.

Yes, you can provide a log that the violation has happened, but you can
not stop it.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by DaveMo on February 21, 2008, 11:23 am
> In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@71g2000hse.googlegroups.com>, david.mow...@gmail.com says...
>
> > Through a combination of setting the
> > correct policy (no access for admins) and then monitoring the systems
> > so that the policy does not change, you can achieve the desired
> > compliance level for your systems.
>
> Actually, that does not meet the requirement - the requirement was to
> block access by Admins to a share/file/folder/etc...
>
> It can not be done.
>
> Yes, you can provide a log that the violation has happened, but you can
> not stop it.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999f...@rrohio.com (remove 999 for proper email address)

I don't think that you are accurately representing the problem and/or
possible solutions. Given that there are fundamental issues with
keeping an admin from doing anything on his box, this does not mean
that there aren't things you can do to make a system more secure or
more compliant. Doing something is almost always better from both a
security and compliance perspective than doing nothing at all.
Compliance inspections are never binary in either their goals or their
results. Since no system is ever completely protected no company would
ever pass a security audit if the requirement was to provide bullet
proof security.

In summary, adding systems that provide monitoring and policy
enforcement will definitely tend to make an organization more likely
to be found "in compliance" than doing nothing at all.

This is, of course, the view of a system implementor. If there are
compliance folks out there who would like to comment, their
contributions would be welcome.

Dave

Posted by Leythos on February 21, 2008, 11:48 am
In article <1a3d0a6f-760d-4fbd-b134-cad4303349c3@z17g2000hsg.googlegroups.com>, david.mowers@gmail.com says...
> > In article <7a2dcc1d-2c71-4e9a-a6c3-1b2514b2fdb6@71g2000hse.googlegroups.com>, david.mow...@gmail.com says...
> >
> > > Through a combination of setting the
> > > correct policy (no access for admins) and then monitoring the systems
> > > so that the policy does not change, you can achieve the desired
> > > compliance level for your systems.
> >
> > Actually, that does not meet the requirement - the requirement was to
> > block access by Admins to a share/file/folder/etc...
> >
> > It can not be done.
> >
> > Yes, you can provide a log that the violation has happened, but you can
> > not stop it.
> >
>
> I don't think that you are accurately representing the problem and/or
> possible solutions. Given that there are fundamental issues with
> keeping an admin from doing anything on his box, this does not mean
> that there aren't things you can do to make a system more secure or
> more compliant. Doing something is almost always better from both a
> security and compliance perspective then doing nothing at all.
> Compliance inspections are never binary in either their goals or their
> results. Since no system is ever completely protected no company would
> ever pass a security audit if the requirement was to provide bullet
> proof security.
>
> In summary, adding systems that provide monitoring and policy
> enforcement will definitely tend to make an organization more likely
> to be found "in compliance" then doing nothing at all.
>
> This is, of course, the view of a system implementor. If there are
> compliance folks out there who would like to comment, their
> contributions would be welcome.

Dave, I work for many clients, and many of them have to provide SOX or
other compliance proof.

The simple fact is that no matter how you dice it up, if you have domain
admin access you have access to everything and there is no way to change
that.

Yes, logging can show that an admin violated security, but that doesn't
change the specifics - the admin has access to anything they want access
to, period.

Your Usenet client is broken, it's not properly clipping signature lines
when you reply.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
