Solved

Is it possible to prevent a system administrators from accessing certain folders on a network share ?

Posted on 2016-09-04
7
38 Views
Last Modified: 2016-10-22
Our CFO / owner doesn't want our systems administrators to have the same access to all the data that the CFO has.  How would you prevent an administrator to access folders on a server that they manage ?
0
Comment
Question by:SAGE Dining
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Assisted Solution

by:Carol Chisholm
Carol Chisholm earned 100 total points
ID: 41784237
Rights Management. Then the CFO can be informed each time you even try to access them.
Azure RMS or Windows RMS.
0
 
LVL 19

Assisted Solution

by:Mal Osborne
Mal Osborne earned 200 total points
ID: 41784245
That can kinda sorta be done in a variety of ways, simplest is to just edit file permissions.

In every site I have looked after, doing this causes problems; usually the same person who wanted the IT department to not have access requests an antivirus check, changes to permissions or restoring backups within a few months. You will need to impress upon the owner that this data becomes THIER problem, not ITs.
0
 
LVL 12

Accepted Solution

by:
andreas earned 100 total points
ID: 41784256
Use encryption, this way admin can have physical access to the files, e.g. for backup and restore, but admins cannot read the content of the files as they don't have the keys.

But the decryption Keys are only in the hands of the users who need access.

File permissions, and file access auditing can be removed by the admins. The encryption cannot be cracked if the keys are stored safly (e.g. use smartcards).

Drawback, if the decryption Keys get lost or damaged, there is no way to restore the data.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 35

Assisted Solution

by:Dan Craciun
Dan Craciun earned 100 total points
ID: 41784299
+1 for encryption. That's the only sensible way to protect data in an electronic world.

A system administrator will always be able to take ownership of the files and do whatever he/she wants.
Yes, the CFO will be notified... if the system administrator does not disable that notification.

I think having full and unrestricted access is one of the "must have"s of the system administrator's position. If you can't trust him, it's better to just look for a more trustworthy person.
Or switch to paper records.

HTH,
Dan
0
 
LVL 19

Assisted Solution

by:Mal Osborne
Mal Osborne earned 200 total points
ID: 41784307
Yep, and I can pretty much guarantee the if end users start encrypting files, IT will be called on to decrypt them at some point.  You need to send and (and keep) and email explaining clearly and unambiguously that if passwords are lost, so is the data.

IT departments having no access to data and the ability to decrypt  files are conflicting requirements. Expect the shit to hit the fan later down the track.
0
 

Author Comment

by:SAGE Dining
ID: 41784747
Encryption sounds like the correct direction.   Any recommendations on product ?
Requirements: 1) Able to easily secure and access files on local laptop  2) Able to secure folder / add files on Network Share and allow someone else access to the network shared folder if they have the 'secret' password.
Thank you for the assistance.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question