Solved

Securing HR users' home drives

Posted on 2016-08-10
Last Modified: 2016-08-19
Hello.

I'm trying to figure out a way to secure HR/management users' home drives. Currently we have the HR users' home drives on the file and print server along with the rest of the users. This is a security risk because any admin with access will be able to get in there and snoop around. I'm wondering how other companies secure the HR users' home drives on the network. Any input or suggestion will be greatly appreciated. Don't forget, we can't just take the server containing their home drives off of the network because backups have to occur as well.
Question by:Newguy 123
5 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 41751056
One important detail is that whoever administers the data needs to be a trusted person. If the current admin is not trusted for that, then in the HR area you will need to have someone administering specifically that data (server or any other that it could imply).

There is also something more... let's call it 'reactive': it is the audit system that is in place. Systems are supposed to track all the accesses and operations made with sensitive data.

Big organizations have their own IT guys inside the HR department; small companies trust the administrator, because that is the only way that the administrator can protect the data in all the layers.

One approach that you can use is something like 'partial' security, where HR can use protection at other security layers, such as file encryption, keep the information inside a DB that encrypts the information and just RD have access to this interface... but again... it means that HR will be administering these layers, and not the administrator.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 41751060
Your admins MUST be trusted or they shouldn't be your admins.  PERIOD.

Any admin can gain access to the data at any time.  PERIOD.  They have to, to properly administer the server.  You can block "casual" and "accidental" views by removing the domain admins group from the list of users who can access the folders, but admins can always take ownership of the files.

You can encrypt the files using EFS or other means but be careful as losing the encryption keys can permanently lose the data.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 41751070
It's all about permissions; you can give or take away access to any user and/or group.

If they're all in the same folder structure and you have admins you don't want to go poking around, then you can assign only certain admins that get access (always need at least one). I usually set up a group and then add those I want to have access to the group, then apply it to the folder structure.
0
 
LVL 4

Expert Comment

by:Laroy Shtotland
ID: 41751192
Don't mess with your admins, but if you dare, learn how to use encryption first. Microsoft built-in BitLocker or EFS is easy and secure enough.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 41752074
If you're the one who decides which admins get access to what areas of your system, then you're not messing with them, you're delegating responsibility. Just because they are an admin doesn't mean they get unrestricted access to everything. It's irresponsible to do that. If they don't need access then you don't give it to them. If you set up EFS and you have a slow net you'll see a performance hit; if it's encrypted then it will need to be decrypted, so users who access a lot of files may notice some slowness.
0
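The permission and audit suggestions in the thread above, combined into one script as an added example (not posted by any participant). The folder path and the `CONTOSO\HR-Data-Admins` group are assumed names, and the backup agent is assumed to run as LocalSystem. It restricts the folder to a dedicated group and adds an audit rule so that the take-ownership route mentioned above leaves a record.

```powershell
# Added example. Run elevated on the file server.
# Assumed names (not from the thread): the path and the group below.
$Path     = 'D:\Home\HR'               # hypothetical root of the HR home drives
$HrAdmins = 'CONTOSO\HR-Data-Admins'   # hypothetical group of the few trusted admins

# One-time prerequisite: enable object-access auditing for the file system.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Read the DACL and the SACL together (-Audit needs the elevated session).
$acl = Get-Acl -Path $Path -Audit

# Stop inheriting from the parent share and discard the inherited entries,
# which is where Domain Admins / Administrators usually come from.
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries on the root itself. Explicit per-user entries on
# each user's own subfolder are separate ACLs and are not touched here.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

# Grant only the dedicated group, plus SYSTEM for the backup agent (assumption).
foreach ($id in $HrAdmins, 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', $inherit, $prop, $allow)))
}

# Audit every attempt, by anyone, to take ownership or rewrite permissions.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions',
    $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')))

Set-Acl -Path $Path -AclObject $acl

# Review: 4663 = object access attempt, 4670 = permissions on an object changed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

The Security log lives on the same server the admins control, so forwarding these events to a collector they cannot edit is what makes the record dependable.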
