Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

securing HR users home drives

Posted on 2016-08-10
5
Medium Priority
?
46 Views
Last Modified: 2016-08-19
Hello.

I'm trying to figure out a way to secure HR/management users home drives. Currently we have the HR users home drives on the file and print server along with the rest of the users. this is a security risk because any admin with access will be able to get in there and snoop around. I'm wondering how other companies secure the HR users home drives on the network. Any input or suggestion will be greatly appreciated. Don't forget, we can't just take there server containing their home drives off of the network because backups have to occur as well.
0
Comment
Question by:Newguy 123
5 Comments
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 1500 total points
ID: 41751056
One important detail is that whoever administer the data needs to be a trusted person. If the current admin is not trusted for that then in HR area you will need to have someone administering specifically that data (server or any other that it could imply).

There is also something more... let's call it 'reactive', it is the audit systems that is in place. Systems are suppose to track all the accesses and operations made with sensible data.

The big organizations they have their own IT guys inside the HR department, small companies trust the administrator, because that is the only way that the administrator can protect the data in all the layers.

One approach that you can use, is something like 'partial' security, where HR can use protection at other security layers, such as file encryption, keep the information inside a DB that encrypts the information and just RD have access to this interface... but again... it means that HR will be administering these layers, and not the administrator.
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 41751060
Your admins MUST be trusted or they shouldn't be your admins.  PERIOD.

Any admin can gain access to the data at any time.  PERIOD.  They have to to properly administer the server.  You can block "casual" and "accidental" views by removing the domain admins group from the list of users who can access the folders, but admins can always take ownership of the files.

You can encrypt the files using EFS or other means but be careful as losing the encryption keys can permanently lose the data.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 41751070
Its all about permissions, you can give or take away access to any user and/or group.

If their all in the same folder structure and you have admins you don't want to go poking around then you can assign only certain admins that get access (always need at least one). I usually setup a group and then add those i want to have access to the group then apply it to the folder structure.
0
 
LVL 5

Expert Comment

by:Laroy Shtotland
ID: 41751192
Don't mess with your admins, but if you dare, learn how to use encryption first. Microsoft built-in BitLocker or EFS is easy and secure enough.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 41752074
If your the one who decides which admins get access to what areas of your system then your not messing with them your delegating responsibility. Just because they are an admin doesn't mean they get unrestricted access to everything. It's irresponsible to do that. if they don't need access then you don't give it to them. If you setup EFS an you have a slow net you'll see a performance hit, if it's encrypted then it will need to be decrypted, so users who access a lot of  files may notice some slowness.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Quickbooks hosting can do wonders to your enterprise but considering the points elaborated in the article which will help you to better analyze the outcomes. So scan your business, its needs and then move to the new world of limitless benefits.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question