dpribyl
asked on
Restrict Administrator from Access Including Taking Ownership
I am the IT admin for a company. The owner of the company wants to completely restrict his user folder to only himself - not even the administrator account is to have access - he very serious about this. I made him the only user in the folder's ACL with full control permissions. Administrators are no longer able to open his folder or access permissions on the folder, but they are still able to take owenship of the folder. This leaves a security hole that he finds unacceptable, since there are a couple of admins at the company that have access to this account.
I tried adding the administrator account and administrators groups to his folder ACL with deny permissions for take ownership and change permissions, but I can still login as Administrator and take ownership of his folder and then view its contents. He is unwilling to have this be possible and wants a solution ASAP. Any help would be appreciated. Thank you in advance for your help.
I tried adding the administrator account and administrators groups to his folder ACL with deny permissions for take ownership and change permissions, but I can still login as Administrator and take ownership of his folder and then view its contents. He is unwilling to have this be possible and wants a solution ASAP. Any help would be appreciated. Thank you in advance for your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That all depends on what account is being used for backups.
If all permissions have been stripped to the single user account, then the backups will fail. You would need to have backup operator privileges. However that would then introduce a security hole that the company owner may not find acceptable. What is to stop someone from taking the backup, restoring to another location then taking ownership? Absolutely nothing.
Simon.
If all permissions have been stripped to the single user account, then the backups will fail. You would need to have backup operator privileges. However that would then introduce a security hole that the company owner may not find acceptable. What is to stop someone from taking the backup, restoring to another location then taking ownership? Absolutely nothing.
Simon.
I hope that we are on the same side here: User right: "Back up files and directories" overrides NTFS (deny) permissions and even EFS. That was my point. User right: "Restore files and directories" enables you to restore anything from backup, but you will not be able to acces such files (NTFS deny or EFS) after they are restored.
I am aware of that permission.
What is to stop someone though from restoring those files, then taking ownership of the files and getting access?
If I have physical access to the server then it is game over from a file access point of view. On the original poster's question, as far as I am concerned, if someone doesn't want an administrator to access the files, don't store the files on the server.
Simon.
What is to stop someone though from restoring those files, then taking ownership of the files and getting access?
If I have physical access to the server then it is game over from a file access point of view. On the original poster's question, as far as I am concerned, if someone doesn't want an administrator to access the files, don't store the files on the server.
Simon.
I have to agree with Sembee here, he just doesn't trust you or anyone else. Get him a computer/laptop for his personal use and don't let him get on the network with it.
Not much else you can really do. Getting truecrypt may be an option, but can you justify implementing that in your network just because of one person?
My philosophy is to limit the number of administrators in my domain to just me and that is it. If someone needs to do an administrative tasks then I delegate it to them. I don't want any admins running around my domain except me :D
kevin
Not much else you can really do. Getting truecrypt may be an option, but can you justify implementing that in your network just because of one person?
My philosophy is to limit the number of administrators in my domain to just me and that is it. If someone needs to do an administrative tasks then I delegate it to them. I don't want any admins running around my domain except me :D
kevin
To Sembee: NTFS permissions have nothing to do with ability to backup flies. You can assign yourself explicit deny permission and you will still be able to backup files as Administrator.