Is it possible to prevent system administrators from accessing certain folders on a network share?

Our CFO / owner doesn't want our systems administrators to have the same access to all the data that the CFO has. How would you prevent an administrator from accessing folders on a server that they manage?
SAGE Dining Asked:
 
andreas (System Admin) Commented:
Use encryption; this way admins can have physical access to the files, e.g. for backup and restore, but admins cannot read the content of the files as they don't have the keys.

But the decryption keys are only in the hands of the users who need access.

File permissions and file access auditing can be removed by the admins. The encryption cannot be cracked if the keys are stored safely (e.g. use smartcards).

Drawback: if the decryption keys get lost or damaged, there is no way to restore the data.
0
 
Carol Chisholm Commented:
Rights Management. Then the CFO can be informed each time you even try to access them.
Azure RMS or Windows RMS.
0
 
Mal Osborne (Alpha Geek) Commented:
That can kinda sorta be done in a variety of ways; the simplest is to just edit file permissions.

In every site I have looked after, doing this causes problems; usually the same person who wanted the IT department to not have access requests an antivirus check, changes to permissions or restoring backups within a few months. You will need to impress upon the owner that this data becomes THEIR problem, not IT's.
0
 
Dan Craciun (IT Consultant) Commented:
+1 for encryption. That's the only sensible way to protect data in an electronic world.

A system administrator will always be able to take ownership of the files and do whatever he/she wants.
Yes, the CFO will be notified... if the system administrator does not disable that notification.

I think having full and unrestricted access is one of the "must have"s of the system administrator's position. If you can't trust him, it's better to just look for a more trustworthy person.
Or switch to paper records.

HTH,
Dan
0
 
Mal Osborne (Alpha Geek) Commented:
Yep, and I can pretty much guarantee that if end users start encrypting files, IT will be called on to decrypt them at some point. You need to send (and keep) an email explaining clearly and unambiguously that if passwords are lost, so is the data.

IT departments having no access to data and the ability to decrypt files are conflicting requirements. Expect the shit to hit the fan later down the track.
0
 
SAGE Dining (Author) Commented:
Encryption sounds like the correct direction. Any recommendations on product?
Requirements: 1) Able to easily secure and access files on local laptop 2) Able to secure folder / add files on Network Share and allow someone else access to the network shared folder if they have the 'secret' password.
Thank you for the assistance.
0
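Added example, not written by anyone in this thread and not a product recommendation: a Node.js sketch of the password-shared encryption discussed above, where a random file key encrypts the file and that key is wrapped under a key derived from the shared password. The function names, blob layout and sample data are assumptions of this example; it shows that a byte-for-byte backup copy restores correctly, while opening it without the password fails.

```javascript
// Added illustration. Function names and the blob layout are this example's own.
const crypto = require('node:crypto');
const SCRYPT = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const pwKey = (password, salt) => crypto.scryptSync(password, salt, 32, SCRYPT);

// AES-256-GCM box: iv (12) | tag (16) | ciphertext
function gcmSeal(key, data) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function gcmOpen(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Blob stored on the share: salt (16) | wrapped file key (60) | encrypted file
function sealForShare(plaintext, password) {
  const fileKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return Buffer.concat([salt, gcmSeal(pwKey(password, salt), fileKey), gcmSeal(fileKey, plaintext)]);
}
function openFromShare(blob, password) {
  const fileKey = gcmOpen(pwKey(password, blob.subarray(0, 16)), blob.subarray(16, 76));
  return gcmOpen(fileKey, blob.subarray(76));
}
// Changing the password re-wraps the file key only; the file body is untouched.
function changePassword(blob, oldPw, newPw) {
  const fileKey = gcmOpen(pwKey(oldPw, blob.subarray(0, 16)), blob.subarray(16, 76));
  const salt = crypto.randomBytes(16);
  return Buffer.concat([salt, gcmSeal(pwKey(newPw, salt), fileKey), blob.subarray(76)]);
}

function demo() {
  const doc = Buffer.from('FY budget draft (constructed sample data)');
  const onShare = sealForShare(doc, 'shared-secret-passphrase');
  const backup = Buffer.from(onShare); // a backup job copies these bytes as-is
  let openedWithoutPassword = true;
  try { openFromShare(backup, 'wrong-guess'); } catch { openedWithoutPassword = false; }
  return {
    restoredOk: openFromShare(backup, 'shared-secret-passphrase').equals(doc),
    openedWithoutPassword,
    plaintextOnDisk: onShare.includes(doc),
  };
}
```

Nothing in the blob lets anyone recover the file key if the password is forgotten, which is the drawback raised earlier in the thread.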
Question has a verified solution.