Solved

Is it possible to prevent system administrators from accessing certain folders on a network share?

Posted on 2016-09-04
Last Modified: 2016-10-22
Our CFO / owner doesn't want our systems administrators to have the same access to all the data that the CFO has. How would you prevent an administrator from accessing folders on a server that they manage?
Question by:SAGE Dining
7 Comments
 
LVL 16

Assisted Solution

by:Carol Chisholm
Carol Chisholm earned 100 total points
ID: 41784237
Rights Management. Then the CFO can be informed each time you even try to access them.
Azure RMS or Windows RMS.
0
 
LVL 16

Assisted Solution

by:Malmensa
Malmensa earned 200 total points
ID: 41784245
That can kinda sorta be done in a variety of ways, simplest is to just edit file permissions.

In every site I have looked after, doing this causes problems; usually the same person who wanted the IT department to not have access requests an antivirus check, changes to permissions or restoring backups within a few months. You will need to impress upon the owner that this data becomes THEIR problem, not IT's.
0
 
LVL 11

Accepted Solution

by:
andreas earned 100 total points
ID: 41784256
Use encryption, this way admin can have physical access to the files, e.g. for backup and restore, but admins cannot read the content of the files as they don't have the keys.

But the decryption Keys are only in the hands of the users who need access.

File permissions, and file access auditing can be removed by the admins. The encryption cannot be cracked if the keys are stored safely (e.g. use smartcards).

Drawback, if the decryption Keys get lost or damaged, there is no way to restore the data.
0
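The property the accepted answer relies on, shown as an added example that is not part of the thread: a passphrase-encrypted file can be copied, backed up and restored by someone who cannot read it. It uses only Node.js built-in modules; the `ENC1` container layout, the function names, the file name and the passphrases are made up for illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Hypothetical container layout: MAGIC(4) | salt(16) | nonce(12) | GCM tag(16) | ciphertext
const MAGIC = Buffer.from('ENC1');
// scrypt makes every passphrase guess expensive (Node defaults: N=16384, r=8, p=1).
const deriveKey = (passphrase, salt) => crypto.scryptSync(passphrase, salt, 32);

function encryptFile(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh for every file
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  cipher.setAAD(MAGIC);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

function decryptFile(blob, passphrase) {
  if (blob.length < 48 || !blob.subarray(0, 4).equals(MAGIC)) throw new Error('not an ENC1 container');
  const key = deriveKey(passphrase, blob.subarray(4, 20));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(20, 32));
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(blob.subarray(32, 48));
  // final() throws when the passphrase is wrong or any byte was modified.
  return Buffer.concat([decipher.update(blob.subarray(48)), decipher.final()]);
}

// Constructed scenario: the owner encrypts, an admin backs up and restores the file.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'share-'));
  const onShare = path.join(dir, 'payroll.enc');
  const secret = 'constructed sample: Q3 payroll';
  fs.writeFileSync(onShare, encryptFile(Buffer.from(secret), 'owner-passphrase'));
  fs.copyFileSync(onShare, onShare + '.bak'); // backup needs file access, not the passphrase
  const restored = fs.readFileSync(onShare + '.bak');
  const tampered = Buffer.from(restored);
  tampered[tampered.length - 1] ^= 1; // one flipped bit
  const tryOpen = (blob, pw) => { try { return decryptFile(blob, pw).toString(); } catch { return null; } };
  const result = {
    ownerReads: tryOpen(restored, 'owner-passphrase') === secret,
    adminReads: tryOpen(restored, 'admin-guess') !== null,
    tamperDetected: tryOpen(tampered, 'owner-passphrase') === null,
    plaintextOnDisk: restored.includes(secret),
  };
  fs.rmSync(dir, { recursive: true });
  return result;
}
console.log(demo());
```

Nothing in the container allows recovery without the passphrase, which is the drawback the answer names.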
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 100 total points
ID: 41784299
+1 for encryption. That's the only sensible way to protect data in an electronic world.

A system administrator will always be able to take ownership of the files and do whatever he/she wants.
Yes, the CFO will be notified... if the system administrator does not disable that notification.

I think having full and unrestricted access is one of the "must have"s of the system administrator's position. If you can't trust him, it's better to just look for a more trustworthy person.
Or switch to paper records.

HTH,
Dan
0
 
LVL 16

Assisted Solution

by:Malmensa
Malmensa earned 200 total points
ID: 41784307
Yep, and I can pretty much guarantee that if end users start encrypting files, IT will be called on to decrypt them at some point. You need to send (and keep) an email explaining clearly and unambiguously that if passwords are lost, so is the data.

IT departments having no access to data and the ability to decrypt files are conflicting requirements. Expect the shit to hit the fan later down the track.
0
 

Author Comment

by:SAGE Dining
ID: 41784747
Encryption sounds like the correct direction. Any recommendations on product?
Requirements: 1) Able to easily secure and access files on local laptop 2) Able to secure folder / add files on Network Share and allow someone else access to the network shared folder if they have the 'secret' password.
Thank you for the assistance.
0
