Solved

Restrict the system administrator (Custodian) from copying files via windows file explorer

Posted on 2016-10-29
Last Modified: 2016-11-28
We have a document management system which holds sensitive data. Currently the users on the system can view the documents within the framework of the software we provided. We do have an audit trail on document access etc.

But this still leaves a hole in the security aspect, as the application custodian where the s/w is installed still has access to the folders where these documents reside.

How do we ensure that the system admin can't access this folder and that access is permitted only via the software application?
Question by: Member_2_7967119

11 Comments
 
LVL 41

Assisted Solution

by:Jackie Man
Jackie Man earned 83 total points (awarded by participants)
You need to trust the system admin as it is unlikely that you can restrict the system admin on anything.

OR

You take over the credentials of the system admin, and every job of the system admin has to be supervised and monitored by you.

I will choose the first one.
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 83 total points (awarded by participants)
In both Windows and Linux, the system administrator can override all protections on any folder and file. There's no way to do what you ask without adding more software and some overhead.

What could be done is encrypt the files in question and decrypt them only in the application's internal memory, and when writing them back to disk re-encrypt those files.

This assumes that nobody will tell the system administrator what the password to the application is, and that is certainly not a good assumption.

Your company's insurance probably does not cover this type of employee malfeasance.  If the data is that sensitive, you must -- not should, must -- require that all employees who can override security on that system be bonded for at least one million dollars, or insured against malfeasance for the same amount.  Typically a one million dollar bond costs one-half to one percent a year, so add another $10,000 per million dollars of bonding to the annual cost of that employee.  

This does several things.  First, you're covered against financial damage in case of an offense.  Second, the bonding company will investigate the employee's background as part of the bonding process.  Third, it lets the employee know you are serious about security.  Fourth, bonded employees won't be handing out admin-level passwords.  Finally, if the employee commits an offense they know the bonding company will be coming after them.
LVL 61

Assisted Solution

by:btan
btan earned 251 total points (awarded by participants)
Windows EFS will determine who can see the protected files.
EFS encrypts files with a random file encryption key (FEK) and encrypts that key with an RSA key belonging to the user. This RSA key is protected by DPAPI. If the system is set up with a key recovery agent, the FEK is also encrypted for the RSA key of the key recovery agent (this might be the local admin, but can be changed, even to no key recovery agent).

If the local admin changes the password of a user, their DPAPI master key is left untouched, still protected by the old user password. Changing the password won't give you access to the DPAPI master key, and therefore won't give you access to the user's private RSA key.

If the station is a member of a domain, the domain controller will have a decryption key that will allow decryption of a DPAPI master key.
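The FEK-wrapping design btan describes above (and the "encrypt on disk, decrypt only in the application's memory" approach Dr. Klahn suggests earlier) in working form. This is an added Go illustration of the design, not EFS code, not CimTrak, and not the asker's application: the key names (document owner, recovery agent, server admin) and the sample document are constructed for the example, and AES-256-GCM plus RSA-OAEP are this example's choice of primitives, not the algorithms EFS itself uses. The point it makes is the one from the thread: the party holding the disk (the admin) does not hold a wrapped copy of the FEK, so copying the folder yields nothing readable, and any edit to the ciphertext is detected on open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the on-disk form of one protected document. The body is
// encrypted once under a random file encryption key (FEK); the FEK itself is
// stored only in wrapped form, once per RSA key that may read the file (the
// owning user and, optionally, a recovery agent), mirroring the EFS layout
// described above. Primitives (AES-256-GCM, RSA-OAEP) are this example's own.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte   // AES-GCM output, carries its own integrity tag
	WrappedFEK [][]byte // one RSA-OAEP wrapping of the FEK per authorised key
}

// EncryptDocument seals plaintext under a fresh FEK and wraps the FEK for
// every recipient public key. Whoever copies the resulting envelope off the
// server without one of those private keys holds nothing usable.
func EncryptDocument(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("at least one recipient key is required")
	}
	fek := make([]byte, 32) // AES-256 key; exists in the clear only in memory
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedFEK = append(env.WrappedFEK, wrapped)
	}
	return env, nil
}

// DecryptDocument recovers the plaintext if priv matches one of the wrapped
// FEK copies; any other key, including a server admin's, gets an error. The
// FEK and the plaintext live only in this process's memory, never on disk.
func DecryptDocument(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedFEK {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
		if err != nil {
			continue // this copy was not wrapped for priv; try the next one
		}
		gcm, err := newGCM(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any tampering
	}
	return nil, errors.New("key is not authorised for this document")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed keys for the demo: the document owner, the recovery agent,
	// and a server admin who has the disk but was never made a recipient.
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	recovery, _ := rsa.GenerateKey(rand.Reader, 2048)
	admin, _ := rsa.GenerateKey(rand.Reader, 2048)

	doc := []byte("constructed sample: client contract, confidential")
	env, err := EncryptDocument(doc, []*rsa.PublicKey{&user.PublicKey, &recovery.PublicKey})
	if err != nil {
		panic(err)
	}
	for name, key := range map[string]*rsa.PrivateKey{"user": user, "recovery agent": recovery, "server admin": admin} {
		pt, err := DecryptDocument(env, key)
		fmt.Printf("%-14s -> %q (err: %v)\n", name, pt, err)
	}
}
```

On the performance worry raised later in the thread: the per-document cost on retrieval is one RSA unwrap of a 32-byte key plus an AES-GCM pass over the body, and AES-GCM runs at memory speed on CPUs with AES-NI; the slow part is the RSA operation, which is constant per document regardless of its size. The scheme also does not protect the private keys themselves, so the owner's and recovery agent's keys must live somewhere the server admin cannot read (in EFS that is the DPAPI-protected store btan describes).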

Author Comment

by:Member_2_7967119
We have already attempted the encryption and decryption of the documents, but there is a very serious overhead on performance, as every time an employee requests a document via search, the viewing of the document first needs to pass through decryption by the application's key before the document is displayed.

I did resonate with what you were stating about trusting the custodian, since he/she needs to manage the backups and other critical housekeeping tasks.

No one at the firm understands the same.

The next option was to store the data in SQL Server tables and read it from there, so that we do not have to worry about having the physical file on the hard disk. But this option has heavy performance issues as well.
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 83 total points (awarded by participants)
No one at the firm understands the same.

Write down an official memo, one page only, expressing your concern about the situation.  Estimate the financial damage to the company if the data in question were to be compromised.  Also estimate the legal issues (at $500/hour lawyer time) and the effects on the company's future earnings.  Figure a minimum of 200 hours of lawyer time per aggrieved client.  Use short, simple phrasing.

Put it down on paper, on official company letterhead.

Hand deliver it to the CEO, the CFO, and the company's legal department.  Mail a copy to yourself at home, certified mail, return receipt requested to prove that you brought the issue up, and when.

There will either be positive action, or your tochis will be covered in case of a problem.  Either way you win.  You'll have to live with the eternal hate of your immediate supervisor, though.
LVL 61

Assisted Solution

by:btan
btan earned 251 total points (awarded by participants)
Understood the encryption impact, but it should be sized properly with hardware, rather than keeping on adding oversight measures, which is just not going to go anywhere.

Encryption is in fact the minimum to deter admin access. There is also file integrity monitoring, and likewise the system will have some loading. They are not foolproof but serve as deterrents against abuse. You really need to balance convenience against risk appetite. It is hard to have both worlds; it is about a risk-measured approach. Let your stakeholders make an informed decision with your concerns.

Go for minimal audit trails and have a regime to track and review anomalous activities. One option for oversight, if this makes sense for your environment:
CimTrak is one of very few FIM products with an audit trail that cannot be altered by users. This means your administrative and privileged user actions are continually monitored. It eliminates any risk that your FIM software will hide malicious activity.


CimTrak's audit trail also allows total oversight into user activity. Any time a critical file or configuration is changed in a negative way, an alert is generated. These alerts clearly differentiate between positive, neutral, and negative changes.
 https://www.cimcor.com/cimtrak/?_ga=1.87067167.626203798.1477821099
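What file integrity monitoring with a tamper-evident audit trail looks like in code, as an added Go example for the passage above. It is not CimTrak's implementation and not code from the page: the monitored "files" are constructed in-memory maps so it runs offline (a deployed FIM would walk the document folder), and the audit trail is a plain SHA-256 hash chain in which each record commits to its predecessor, so an admin who edits or deletes an earlier line without rebuilding every later hash is caught on the next verification.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline records the SHA-256 of every monitored file at the time it was
// taken. Files are passed as a path -> content map (constructed for the demo).
type Baseline map[string]string

// Hash returns the hex SHA-256 digest of content.
func Hash(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// TakeBaseline hashes every file in the snapshot.
func TakeBaseline(files map[string][]byte) Baseline {
	base := Baseline{}
	for path, content := range files {
		base[path] = Hash(content)
	}
	return base
}

// Change is one difference between the baseline and the current state.
type Change struct {
	Path string
	Kind string // "added", "removed" or "modified"
}

// Compare lists files added, removed or modified since the baseline, sorted
// by path so the report is stable enough to diff or feed to an alert rule.
func Compare(base Baseline, files map[string][]byte) []Change {
	var out []Change
	for path, content := range files {
		old, known := base[path]
		switch {
		case !known:
			out = append(out, Change{path, "added"})
		case old != Hash(content):
			out = append(out, Change{path, "modified"})
		}
	}
	for path := range base {
		if _, still := files[path]; !still {
			out = append(out, Change{path, "removed"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

// AuditEntry is one hash-chained log record: Hash commits to the sequence
// number, the event text and the previous entry's Hash.
type AuditEntry struct {
	Seq   int
	Event string
	Prev  string
	Hash  string
}

// AuditLog is an append-only chain of AuditEntry records.
type AuditLog struct{ Entries []AuditEntry }

// Append adds an event, linking it to the current head of the chain.
func (l *AuditLog) Append(event string) {
	prev := l.Head()
	seq := len(l.Entries)
	l.Entries = append(l.Entries, AuditEntry{Seq: seq, Event: event, Prev: prev, Hash: entryHash(seq, prev, event)})
}

// Head returns the latest hash ("" for an empty log); this is the value to
// ship off-box so the chain cannot be silently rebuilt (see the note below).
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Verify recomputes the chain and returns the index of the first entry that
// does not match, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.Prev != prev || e.Hash != entryHash(i, prev, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func entryHash(seq int, prev, event string) string {
	return Hash([]byte(fmt.Sprintf("%d|%s|%s", seq, prev, event)))
}

func main() {
	files := map[string][]byte{ // constructed sample documents
		"docs/contract-1.pdf": []byte("terms v1"),
		"docs/contract-2.pdf": []byte("terms v2"),
	}
	base := TakeBaseline(files)
	var trail AuditLog
	trail.Append("baseline taken")

	// What the next scan sees after an admin edits one file and drops in another.
	files["docs/contract-2.pdf"] = []byte("terms v2, altered")
	files["docs/contract-3.pdf"] = []byte("new file")
	for _, c := range Compare(base, files) {
		trail.Append(fmt.Sprintf("%s %s", c.Kind, c.Path))
	}
	fmt.Println("first bad entry:", trail.Verify(), "head:", trail.Head()[:16])

	// Rewriting history without recomputing every later hash is detected.
	trail.Entries[1].Event = "nothing happened"
	fmt.Println("after tampering, first bad entry:", trail.Verify())
}
```

The caveat a practitioner needs: a hash chain that lives only on the monitored server is not enough against its own admin, who can rewrite the log and recompute every hash. It becomes tamper-evident only when each new Head() is forwarded as it is produced to a system the admin cannot write to (a central log collector, WORM storage, or the jump host btan mentions further down) and verification compares the server's chain against that copy; a product that advertises an unalterable audit trail is doing some form of this off-box anchoring.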
LVL 76

Assisted Solution

by:arnold
arnold earned 83 total points (awarded by participants)
What document management is in place: Documentum, OpenText Livelink ECM?
The overhead of encryption/decryption versus possible access by a rogue admin who copies data: which is more important?

The overhead is one consideration/impact; the backup/restore DR is another.
If the data is within a file share on that server, setting up a deny rule for the group of users to which admins belong ....
But as others have pointed out, admins have the tools necessary to gain/regain access in the event of an error. Admins are entrusted with ........
Even with encryption enabled, the admin of the document management system would be the one that has access to the encryption/decryption keys. So with that, a rogue admin, to whom said information was entrusted ............. need not read any of it to cause havoc on an enterprise.
Doctors/surgeons hold the lives of their patients in their hands; could you impose a restriction on a position requiring an extraordinary level of trust to prevent an errant person from doing bad things?

With systems, no matter how complex, there is a person, or a mechanism to which a person has access, and an error could be made such that the wrong person is entrusted with the wrong set of information.

Check with the vendor of the document management system whether they have an option to differentiate treatment/storage of documents designated as sensitive, or set up a second document management system that would house these types of documents.
LVL 61

Accepted Solution

by:btan
btan earned 251 total points (awarded by participants)
There are also practices to centralise access to file servers and critical servers through a proxy jump host. This can even include video recording (kind of a digital CCTV style) of the actions taken; in this way the performance cost is offloaded from the servers onto the jump host. This brings the most value for oversight of remote admin access.
Author Comment

by:Member_2_7967119
I will take your advice and share it with my team. Hope they understand.
LVL 61

Expert Comment

by:btan
Sure thanks for sharing. The oversight should be centralised for holistic readiness.
LVL 41

Expert Comment

by:Jackie Man
Sufficient information to close this question.