Solved

SBS2003 - Restricting an Administrator Account from accessing files on SharePoint

Posted on 2006-07-16
Last Modified: 2013-12-04
I am the Director of a small consultancy company. As such I am storing certain sensitive information on my SBS2003 Server. This currently resides in a SharePoint Site which can only be accessed by certain key users (the Company Directors) and these are assigned as users to the SharePoint Site. I do not want any other users to access the site at all.

I would also like to set up certain users (non-Directors) with Administrative Accounts to allow them to perform configuration of VPNs, Exchange, and much of the networking, as well as remote access to the Server from outside our internal LAN via RWW.

At present I can only seem to create a user as an Admin Account, which means they get full rights to the Server and access to the sensitive data Folder, or conversely as a Mobile User, in which case they get no rights to perform network configuration (running Server Management) nor to access the Server console from a remote location.

Having read a little around the subject, I think there must be a way to limit the Administrative rights of a user, perhaps using Group Policies or Security Groups. However, none of the literature seems to be very clear on what permissions I need to set and what not, and whether I need to use policies or not.

Would be grateful for any help in this area.

Regards,

Eliot Minn
Question by:e2e01
8 Comments
 
LVL 10

Expert Comment

by:naveedb
ID: 17117636
There is not much you can do to restrict administrators. Even if you deny access to data folders, they will be able to overwrite it.

The best and recommended approach will be to create non-admin users and then give the specific rights to perform the function that they require.

The other option would be to move the sensitive data to a different machine which is not part of your Active Directory, and then give access to only those users who need it.

It is not a shortcoming of the Operating system; the reasoning is that administrators are supposed to perform all operations on the system, so nothing is out of their reach.
 

Author Comment

by:e2e01
ID: 17117720
Thanks for your suggestion.

However, my problem is that there does not seem to be any halfway house between an Administrator profile and a basic mobile user.

Is there any documentation that you know of which explains what functionality each of the Groups and Security Groups actually provide as opposed to the one line description for each Group?

It would also seem that the only way of a user being able to log into the Server console remotely through RWW is if the user is a Power user or Admin User.

What I require is more granularity of user permissions instead of an all or nothing approach.

I take the point about moving the sensitive data to another machine, but this will be the fallback situation.
 
LVL 10

Expert Comment

by:naveedb
ID: 17117830
There is a lot of documentation that you will need to study before you can create the kind of groups which will serve your purpose. The way Microsoft has addressed this issue is with built-in groups, which in your case are not very helpful.

RWW does work without being a Power User or Admin user; if users are members of Remote Web Workplace Users, they should be able to log in to the website.

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Ftranscripts%2Fwct010804.asp

I would suggest starting with minimal permissions and access to RWW on a new security group. Once they are able to connect, see what resources they need to manage. Then start working on the first resource by giving them access to that resource only. It is going to be a time-consuming process, but since you require a custom solution, you will have to invest time in it, or outsource it to a third party who has good experience in these jobs.

Another option is to give them Admin access, but keep event logs in place. Deny them access to sensitive information. This will allow you to monitor if they attempt to access any of it.

If you do not want to isolate the data to another machine, one other option that is deployed in certain situations is encrypting the sensitive information. EFS is one way to go, or you can try third-party tools. This again would require some understanding of the architecture, and recovery of lost keys is a very important factor to consider.
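The "keep event logs in place and monitor" option above can be turned into a simple detective control. The following is an added example, not code from the thread; it filters a constructed, simplified export of Windows 2003 "Object Open" (event 560) audit records for any watched admin account touching the Directors' folder. The folder path, account names and the line format are all assumptions for illustration, not the exact text Event Viewer writes.

```python
import re
from dataclasses import dataclass

# Constructed: the sensitive folder and the admin accounts to watch.
SENSITIVE_PREFIX = "d:\\data\\directors\\"
WATCHED_ACCOUNTS = {"contoso\\netadmin1", "contoso\\netadmin2"}

# Constructed sample export: timestamp, event id, result, object, user, accesses.
SAMPLE_LOG = """\
2006-07-16 09:14:02,560,Success Audit,Object Name: D:\\Data\\Directors\\board-minutes.doc,User: CONTOSO\\eminn,Accesses: ReadData
2006-07-16 09:20:45,560,Success Audit,Object Name: D:\\Data\\Directors\\payroll.xls,User: CONTOSO\\netadmin1,Accesses: ReadData
2006-07-16 09:21:10,560,Success Audit,Object Name: D:\\Data\\Public\\brochure.pdf,User: CONTOSO\\netadmin1,Accesses: ReadData
2006-07-16 09:30:00,528,Success Audit,Logon,User: CONTOSO\\netadmin2,Accesses: -
2006-07-16 10:02:11,560,Failure Audit,Object Name: D:\\Data\\Directors\\contracts.doc,User: CONTOSO\\netadmin2,Accesses: WriteData
"""

# Only object-open records carry an "Object Name:" field; other events are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+),(?P<event>\d+),(?P<result>[^,]+),"
    r"Object Name: (?P<obj>[^,]+),User: (?P<user>[^,]+),Accesses: (?P<acc>.+)$")

@dataclass
class Alert:
    timestamp: str
    user: str
    path: str
    accesses: str
    result: str

def find_admin_access(log_text, sensitive_prefix=SENSITIVE_PREFIX, watched=WATCHED_ACCOUNTS):
    """Return an Alert for every event-560 record in which a watched admin
    account opened anything under the sensitive folder (success or failure)."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") != "560":
            continue  # not an object-open record (e.g. a logon event)
        user = m.group("user").lower()          # account names are case-insensitive
        path = m.group("obj").lower()           # so are NTFS paths
        if user in watched and path.startswith(sensitive_prefix):
            alerts.append(Alert(m.group("ts"), m.group("user"), m.group("obj"),
                                m.group("acc"), m.group("result")))
    return alerts

if __name__ == "__main__":
    for a in find_admin_access(SAMPLE_LOG):
        print(f"{a.timestamp} {a.result}: {a.user} {a.accesses} {a.path}")
```

Failed attempts are reported as well as successes, since a denied write by an admin account is exactly the kind of event worth a follow-up question.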
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 17122951
Domain admin can see everything in a SharePoint server, so isolating the system and the files won't do you much good.

Is there a central SharePoint admin?
Have they signed a confidentiality agreement?

We maintain a secure site and all of the admins have signed special agreement forms to manage it.

Second, we gave the Web masters the only special access and processes to specially encrypt very sensitive files before they are placed on the SharePoint site.

You can use just about any self-extracting encryption software to do this, but we use software like Zip2Secure with AES and have the Web masters encrypt the defined sensitive files.

You can give your Directors the special passcodes to unlock and extract the files that they obtain from SharePoint.

You also need to map out what portions of data belong in an unencrypted portion of the site and what needs to be encrypted.
Build SPS/WSS (SharePoint) to have these different portals.

Again, remember that your domain admins can see everything on the SharePoint site, even if you don't give them access in SharePoint. They are domain admins.
Author Comment

by:e2e01
ID: 17126129
What I would like is the ability for the specific Network Administrators to be able to log into the SBS Server Console remotely but not have access to the specific web-site with sensitive information on it.

The use of Zip2Secure encryption, whilst an interesting one, would seem to limit the usefulness of SharePoint versioning etc., something we use on the site.

Auditing of users' access to the site, whilst providing tracing of suspects, will not limit access to sensitive data, which is what we are more worried about.

What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list?
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 17130855
Administrator, on Windows systems, is like root, on UNIX systems, and both accounts have complete access to all applications unless the application has specific security rights.

Oracle and SQL Server have special application permissions that do not allow Administrator to use the application.

Unfortunately, SharePoint and IIS do not have these special permissions to do what you are asking.
 
LVL 12

Accepted Solution

by:Phil_Agcaoili (earned 250 total points)
ID: 17131230
You wrote:
"What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list."

This does not exist in SharePoint SPS or WSS.

The following are the accounts that you can set up:
 Reader - Has read-only access to the Web site.
 Contributor - Can add content to existing document libraries and lists.
 Web Designer - Can create lists and document libraries and customize pages in the Web site.
 Administrator - Has full control of the Web site.

Again, if someone is a Domain Admin, they can log on to your site and read/download anything they want.

The user groups are not protected by any additional application security measures.

This is a security flaw designed as a feature in SharePoint unfortunately.
 

Author Comment

by:e2e01
ID: 17163282
My question has been answered in that:

There seems to be no way of giving a Domain User access to the Windows 2003 Server at an Operator/Systems administrator level (e.g. the Server Management program) without giving them Admin rights and hence the ability to see all SharePoint sites hosted on the domain.

Many thanks for confirmation that what I am trying to do would appear not to be possible.