SBS2003 - Restricting an Administrator Account from accessing files on SharePoint

I am the Director of a small consultancy company. As such I am storing certain sensitive information on my SBS2003 Server. This currently resides in a SharePoint Site which can only be accessed by certain key users (the Company Directors) and these are assigned as users to the SharePoint Site. I do not want any other users to access the site at all.

I would also like to set up certain users (non-Directors) with Administrative Accounts to allow them to perform configuration of VPNs, Exchange, and much of the networking as well as remote access to the Server from outside our internal LAN via RWW.

At present I can only seem to create a user as an Admin Account, which means they get full rights to the Server and access to the sensitive data Folder, or conversely as a Mobile User, in which case they get no rights to perform network configuration (running Server Management) nor to access the Server console from a remote location.

Having read a little around the subject, I think there must be a way to limit the Administrative rights of a user, perhaps using Group Policies or Security Groups. However, none of the literature seems to be very clear on what permissions I need to set and what not, and whether I need to use policies or not.

Would be grateful for any help in this area.


Eliot Minn

There is not much you can do to restrict administrators. Even if you deny access to data folders, they will be able to overwrite it.

The best and recommended approach will be to create non-admin users and then give the specific rights to perform the function that they require.

The other option would be to move the sensitive data to a different machine which is not part of your Active Directory, and then give access to only those users who need it.

It is not a shortcoming of the Operating system; the reasoning is that administrators are supposed to perform all operations on the system, so nothing is out of their reach.
e2e01Author Commented:
Thanks for your suggestion.

However, my problem is that there does not seem to be any halfway house between an Administrator profile and a basic mobile user.

Is there any documentation that you know of which explains what functionality each of the Groups and Security Groups actually provide as opposed to the one line description for each Group?

It would also seem that the only way of a user being able to log into the Server console remotely through RWW is if the user is a Power user or Admin User.

What I require is more granularity of user permissions instead of an all or nothing approach.

Take the point about moving the sensitive data to another machine, but this will be the fallback situation.
There is a lot of documentation that you will need to study before you can create the kind of groups which will serve your purpose. The way Microsoft has addressed this issue is with built-in groups, which in your case are not very helpful.

RWW does work without being a Power User or Admin user; if users are members of Remote Web Workplace Users, they should be able to log in to the website.

I would suggest starting with minimal permissions and access to RWW on a new security group. Once they are able to connect, see what resources they need to manage. Then start working on the first resource by giving them access to that resource only. It is going to be a time-consuming process, but since you require a custom solution, you will have to invest time in it, or outsource it to a third party who has good experience in these jobs.

Another option is to give them Admin access, but keep event logs in place. Deny them access to sensitive information. This will allow you to monitor if they attempt to access any of it.

If you do not want to isolate the data to another machine, one other option that is deployed in certain situations is encrypting the sensitive information. EFS is one way to go, or you can try third-party tools. This again would require some understanding of the architecture, and recovery of lost keys is a very important factor to consider.
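The "keep event logs in place" suggestion above can be made concrete with a SACL on the folder holding the sensitive files or their backups. This is an added example, not code from the thread; it assumes PowerShell is installed on the server, "Audit object access" is enabled in the audit policy, and the folder path and group name are placeholders.

```powershell
# Added example (not from the thread): write an audit rule (SACL) onto the
# sensitive folder so every access by the delegated admin group is logged.
# Assumptions: PowerShell is available on the server, "Audit object access"
# (Success and Failure) is enabled in Local/Domain Security Policy, and the
# two values below are placeholders to be replaced with the real ones.
$folder          = 'D:\Sensitive'              # placeholder path
$auditedIdentity = 'CONTOSO\Network Admins'    # placeholder group to watch

# Rights worth logging: reads, writes, deletes and any change to ACL/owner.
$fsr    = [System.Security.AccessControl.FileSystemRights]
$rights = $fsr::ReadData -bor $fsr::WriteData -bor $fsr::Delete `
          -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership

# Apply to the folder, all subfolders and all files beneath it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $auditedIdentity, $rights, $inherit, $propagate, $flags)

# -Audit is required to read and write the SACL (needs SeSecurityPrivilege).
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the entry landed; matching accesses then appear in the Security log
# as "Object Open" events (ID 560 on Windows Server 2003).
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

This only covers files on the file system (shares, EFS-protected folders, backups); WSS stores library content in its SQL database, so SharePoint site access itself is not captured by a folder SACL. As the answer above notes, an administrator can also clear or disable the log, so forward the Security log off the box if the audit trail matters.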

Domain admin can see everything in a SharePoint server, so isolating the system and the files won't do you much good.

Is there a central SharePoint admin?
Have they signed a confidentiality agreement?

We maintain a secure site and all of the admins have signed special agreement forms to manage it.

Second, we gave the Web masters the only special access and processes to specially encrypt very sensitive files before they are placed on the SharePoint site.

You can use just about any self-extracting encryption software to do this, but we use software like Zip2Secure with AES and have the Web masters encrypt the defined sensitive files.

You can give your Directors the special passcodes to unlock and extract the files that they obtain from SharePoint.

You also need to map out what portions of data belong in an unencrypted portion of the site and what needs to be encrypted.
Build SPS/WSS (SharePoint) to have these different portals.

Again, remember that your domain admins can see everything on the SharePoint site, even if you don't give them access in SharePoint. They are domain admins.
e2e01Author Commented:
What I would like is the ability for the specific Network Administrators to be able to log into the SBS Server Console remotely but not have access to the specific web-site with sensitive information on.

The use of encryption (Zip2Secure), whilst an interesting one, would seem to limit the usefulness of SharePoint versioning etc., something we use on the site.

Auditing of users' access to the site, whilst providing tracing of suspects, will not limit access to sensitive data, which is what we are more worried about.

What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list?

Administrator, on Windows systems, is like root, on UNIX systems, and both accounts have complete access to all applications unless the application has specific security rights.

Oracle and SQL Server have special application permissions that do not allow Administrator to use the application.

Unfortunately, SharePoint and IIS do not have these special permissions to do what you are asking.
You wrote:
"What I wanted was really a list of the Security Groups and what permissions they provide. Does anybody know where I can obtain this list."

This does not exist in SharePoint SPS or WSS.

The following are the accounts that you can set up:
 Reader - Has read-only access to the Web site.
 Contributor - Can add content to existing document libraries and lists.
 Web Designer - Can create lists and document libraries and customize pages in the Web site.
 Administrator - Has full control of the Web site.

Again, if someone is a Domain Admin, they can log on to your site and read/download anything they want.

The user groups are not protected by any additional application security measures.

This is a security flaw designed as a feature in SharePoint unfortunately.

e2e01Author Commented:
My question has been answered in that:

There seems to be no way of giving a Domain User access to the Windows 2003 Server at an Operator/Systems administrator level (e.g. Server Management program) without giving them Admin rights and hence the ability to see all SharePoint sites hosted on the domain.

Many thanks for confirmation that what I am trying to do would appear not to be possible.