(Possible) Rogue Domain Admin: How to control / monitor access?

My company has a Windows 2000 domain with various member servers including a NAS running Appliance Server 2003.

By company policy there are two people that have Domain Administrator level access, myself and one other.  Based on some comments he's made recently I suspect that he's been digging into files on the NAS that shouldn't be seen by him.  I did explicitly deny him access on some shares, but as a domain admin he can simply reset the permissions.

My question is how to monitor his activities and how to prevent his access to sensitive files?


Thanks!
roberts0909Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jay_Jay70Commented:
take away domain admin priviliges. No matter what you do, he can break it with enough persistance
0
Netman66Commented:
Agreed.

Remove Domain Admin rights and Delegate the rights he needs.  This will only allow him to do whatever it is you've allowed.
0
e_vanheelCommented:
You could also turn on logging in the file system or login for the NAS.  This would you to setup auditing and monitor the log files.  

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

Look at the audit sections
0
Webinar: Miercom Evaluates Wi-Fi Security

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!

Brian PiercePhotographerCommented:
Make sure that the nooo genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.

Switch on Auditing either by amending. To audiit permission chnages you need to enable auditing for successful object access events, either by amedind the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - enen if they subsequently chnage them back.
0
Brian PiercePhotographerCommented:
Don't know what happend there - i'll try again:
Make sure that no genuine administrators use the 'Adiminstrator' logon. Create individual accounts for all administrators and grant them the required rights. Rename the real 'Administrator' account and give it a long complex password. Write down the new administrator account name/password and store them in the safe or similar secure placed for use in an emergency.Do not use it routinely.

Switch on Auditing. To audiit permission changes you need to enable auditing for successful object access events, either by ameding the local machine policy or by using  a group policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy to record Success for Object Access.

To enable auditing of particular folders, open each folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. You want to monitor only for a successful change an object's ACL. Add or ammend the Everyone group and in the  Audit Entry for the folder make sure that the 'Change permissions'  option is selected of the folder. By aditing 'Everyone' you will be able to track whenever anyone changes the permissions - even if they subsequently chnage them back.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
roberts0909Author Commented:
Thanks all!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.