Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

possible to hide user data from Administrator?

Posted on 2003-03-16
15
Medium Priority
?
121 Views
Last Modified: 2010-04-13
I work on my own pc with an administrator account so that I can operate Internet Services Manager, since I use IIS to test webistes.

My boss wants me to use share a computer with him. Is there any way I will be able to manage the web server in order to test websites and yet be unable to access his data, which he would like to keep private? I will also be the only user who can  install programs.

Thanks in Advance.
0
Comment
Question by:Avikohl
  • 6
  • 4
  • 2
  • +2
15 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 8146402
Please specify who'm is sharing what:

1. Your boss wants to be able to read/modify everything on Your hard disc?
2. Your boss wants that You will be able to install programs on his hard disc?
3. On which disc is the IIS installed, Yours or Your boss's or a sepate server?
4. Are You member of Global Domain Admin Group?

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8146446
what OS?
with w2k/XP Pro he can password protect and even encrypt his data
and he won't even need to be a member of the admin group
0
 
LVL 41

Expert Comment

by:stevenlewis
ID: 8146449
Doh, this Q is in the w2k area, so I'm guessing w2k
check out encryption in the help file
0
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

 
LVL 12

Expert Comment

by:trywaredk
ID: 8146476
AVIKOHL... Remember, if You choose to let Your boss password protect his files, that domain admins can't help, if Your boss forgets his password to these files.
0
 
LVL 3

Expert Comment

by:mfutty
ID: 8146658
Tell him not to surf sites that he doesn't want other people to see! (just kidding - couldn't resist)
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8147084
You can create two accounts:

Boss
Admin

Both could be adminstrators.

Boss logs in and creates a directory. Boss removes all users from directory's permissons except for boss (who has full control.) OR boss could deny access to user admin if he wants to keep other groups in. Boss should not deny access to administrators group. If boss is concerned with the data, then the data is worthy of being is backed up. He can also do the same for his profile directory.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8147270
MCSCOTSMAN...
"Both could be adminstrators."
"boss could deny access to user admin"

If both are administrators (members of local admin group) boss can't keep admin from anything
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8148260
Trywaredk-

Sorry, but denying the specific user "admin" will work. You know: "If admin is a member of the local administrator group and that group has been assigned read and write permissions for the specified folder- but admin has been specifically denied access- then what is admin's effective rights? Answer- Denied. Rights are cumulative- except when specifically denied.
0
 
LVL 1

Expert Comment

by:IanAtkin
ID: 8151116
How about using the Encrypted Filesystem?

You boss could simply encrypt the directory he wants secured. Only he could then read the files, regardless of the administrative permissions.

see:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

http://support.microsoft.com/default.aspx?scid=KB;en-us;q223316

Ian./
0
 
LVL 1

Expert Comment

by:IanAtkin
ID: 8151128
I see StevenLewis already mentioned EFS. Is this not an option?
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 150 total points
ID: 8154437
MCSCOTSMAN... "Rights are cumulative- except when specifically denied."

Yes and being member of the local admin group means that You can disable this setting again.

Local admin group means what it says. Members can do what they like, and You can't do anything about that with NTFS permissions.
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8154548
trywareddk-

My parachute was not fully deployed.
0
 
LVL 1

Expert Comment

by:Mcscotsman
ID: 8154581
trywareddk-

My parachute was not fully deployed.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8154741
;o) MCSCOTSMAN... Install more RAM
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 8438590
:o) glad I could help you

BTW - Be carefull with the local admin group

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER add a Domain User Group to the Local Admin Group on each workstation.

And You must NEVER add the same Domain User to the Local Admin Group on more than his/hers own workstation

If You add a Domain User Group to the Local Admin Group, every member of this Domain User Group gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)


IF YOU WANT TO KNOW MORE ABOUT THIS ISSUE:
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734



IF YOU WANT TO TEST IT:
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

Please reply, when You have removed the Domain User Group from the Local Admin Group again!


Many Regards

Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
"Day by day nothing changes but when u look back, everything is different". That quote precisely describes today’s digital era. For example, you may not have noticed the change, but Voice Search is now all around us.
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question