Solved

Is it possible to prevent a system administrators from accessing certain folders on a network share ?

Posted on 2016-09-04
7
35 Views
Last Modified: 2016-10-22
Our CFO / owner doesn't want our systems administrators to have the same access to all the data that the CFO has.  How would you prevent an administrator to access folders on a server that they manage ?
0
Comment
Question by:SAGE Dining
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Assisted Solution

by:Carol Chisholm
Carol Chisholm earned 100 total points
ID: 41784237
Rights Management. Then the CFO can be informed each time you even try to access them.
Azure RMS or Windows RMS.
0
 
LVL 18

Assisted Solution

by:Mal Osborne
Mal Osborne earned 200 total points
ID: 41784245
That can kinda sorta be done in a variety of ways, simplest is to just edit file permissions.

In every site I have looked after, doing this causes problems; usually the same person who wanted the IT department to not have access requests an antivirus check, changes to permissions or restoring backups within a few months. You will need to impress upon the owner that this data becomes THIER problem, not ITs.
0
 
LVL 12

Accepted Solution

by:
andreas earned 100 total points
ID: 41784256
Use encryption, this way admin can have physical access to the files, e.g. for backup and restore, but admins cannot read the content of the files as they don't have the keys.

But the decryption Keys are only in the hands of the users who need access.

File permissions, and file access auditing can be removed by the admins. The encryption cannot be cracked if the keys are stored safly (e.g. use smartcards).

Drawback, if the decryption Keys get lost or damaged, there is no way to restore the data.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 35

Assisted Solution

by:Dan Craciun
Dan Craciun earned 100 total points
ID: 41784299
+1 for encryption. That's the only sensible way to protect data in an electronic world.

A system administrator will always be able to take ownership of the files and do whatever he/she wants.
Yes, the CFO will be notified... if the system administrator does not disable that notification.

I think having full and unrestricted access is one of the "must have"s of the system administrator's position. If you can't trust him, it's better to just look for a more trustworthy person.
Or switch to paper records.

HTH,
Dan
0
 
LVL 18

Assisted Solution

by:Mal Osborne
Mal Osborne earned 200 total points
ID: 41784307
Yep, and I can pretty much guarantee the if end users start encrypting files, IT will be called on to decrypt them at some point.  You need to send and (and keep) and email explaining clearly and unambiguously that if passwords are lost, so is the data.

IT departments having no access to data and the ability to decrypt  files are conflicting requirements. Expect the shit to hit the fan later down the track.
0
 

Author Comment

by:SAGE Dining
ID: 41784747
Encryption sounds like the correct direction.   Any recommendations on product ?
Requirements: 1) Able to easily secure and access files on local laptop  2) Able to secure folder / add files on Network Share and allow someone else access to the network shared folder if they have the 'secret' password.
Thank you for the assistance.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question