?
Solved

Restrict Administrator from Access Including Taking Ownership

Posted on 2006-12-01
10
Medium Priority
?
363 Views
Last Modified: 2008-02-01
I am the IT admin for a company.  The owner of the company wants to completely restrict his user folder to only himself - not even the administrator account is to have access - he very serious about this.  I made him the only user in the folder's ACL with full control permissions.  Administrators are no longer able to open his folder or access permissions on the folder, but they are still able to take owenship of the folder.  This leaves a security hole that he finds unacceptable, since there are a couple of admins at the company that have access to this account.

I tried adding the administrator account and administrators groups to his folder ACL with deny permissions for take ownership and change permissions, but I can still login as Administrator and take ownership of his folder and then view its contents.  He is unwilling to have this be possible and wants a solution ASAP.  Any help would be appreciated.  Thank you in advance for your help.
0
Comment
Question by:dpribyl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 336 total points
ID: 18058903
You can not lock out administrator on NTFS. You can even take disk from one workstation in workgroup put it in another, logon as completly different administrator and take ownership of whole directory structure.

Appropriate solution for your scenario would be Encrypted File System. But EFS should not be used without Recovery Agents - usually that role belongs to administrator.

That is why I would suggest another solution: TrueCrypt.
0
 
LVL 2

Assisted Solution

by:nitsud01
nitsud01 earned 332 total points
ID: 18059944
Agreed, you'll likely have to use a third-party app to gain the functionality you require as I don't believe it to be native to NTFS....  

And, though I've never really used it before, TrueCrypt sounds like a good choice... I'll have to try it out!

I've used Steganos Safe in the Steganos Security Suite to accomplish the same purpose before.... But, it looks like the open-source, free, TrueCrypt does all the same things, though I'm not sure how the encryption strength between the two apps compare...

If your boss needs the highest encryption available, you might want to compare the strengths of the two volume encryption apps....

Steganos Safe uses AES 256bit encryption (https://www.steganos.com/en/products/safe2007/)

wheras

TrueCrypt uses AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish? I'm not sure exactly if there is a choice between encryption types or if it uses combinations of the encryption technologies..... Maybe toniur can help with that answer...

Hope that info helps!
0
 
LVL 104

Assisted Solution

by:Sembee
Sembee earned 332 total points
ID: 18060126
The administrator always needs to have access to the folders, even if they have been locked out via permissions and it is a change to the ownership to get back in.
Are these folders being backed up? If you don't allow access then they will not be backed up.

However, you know what the owner of the company is really saying though? He doesn't trust you.

Even you encrypt the contents, you still need a back door. What happens if the owner has stored some very critical information in there that is vital to the operation of the business and then gets hit by a bus?

While I am all for security, you are actually creating more security problems by trying to lock everyone but a single individual out of folders. That provides a single point of failure.

Simon.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18060895
TrueCrypt can use single encryption algorithm or combination of two or three algorithms.

To Sembee:  NTFS permissions have nothing to do with ability to backup flies. You can assign yourself explicit deny permission and you will still be able to backup files as Administrator.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18061003
That all depends on what account is being used for backups.
If all permissions have been stripped to the single user account, then the backups will fail. You would need to have backup operator privileges. However that would then introduce a security hole that the company owner may not find acceptable. What is to stop someone from taking the backup, restoring to another location then taking ownership? Absolutely nothing.

Simon.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18061022
I hope that we are on the same side here: User right: "Back up files and directories" overrides NTFS (deny)  permissions and even EFS. That was my point. User right: "Restore files and directories" enables you to restore anything from backup, but you will not be able to acces such files (NTFS deny or EFS) after they are restored.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 18061198
I am aware of that permission.
What is to stop someone though from restoring those files, then taking ownership of the files and getting access?

If I have physical access to the server then it is game over from a file access point of view. On the original poster's question, as far as I am concerned, if someone doesn't want an administrator to access the files, don't store the files on the server.

Simon.
0
 
LVL 16

Expert Comment

by:Kevin Hays
ID: 18061563
I have to agree with Sembee here, he just doesn't trust you or anyone else.  Get him a computer/laptop for his personal use and don't let him get on the network with it.

Not much else you can really do.  Getting truecrypt may be an option, but can you justify implementing that in your network just because of one person?

My philosophy is to limit the number of administrators in my domain to just me and that is it.  If someone needs to do an administrative tasks then I delegate it to them.  I don't want any admins running around my domain except me :D

kevin
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question