
Solved

Restrict the system administrator (Custodian) from copying files via windows file explorer

Posted on 2016-10-29
Medium Priority
59 Views
Last Modified: 2016-11-28
We have a Document management system which holds sensitive data. Currently the users on the system can view the documents within the framework of the software we provided. We do have an audit trail on document access, etc.

But this still leaves a hole in the security aspect, as the application custodian, where the s/w is installed, still has access to the folders where these documents reside.

How do we ensure that the system admin can't access this folder, and that access is only permitted via the software application?
0
Question by:Member_2_7967119
11 Comments
 
LVL 49

Assisted Solution

by:Jackie Man
Jackie Man earned 332 total points (awarded by participants)
ID: 41865626
You need to trust the system admin as it is unlikely that you can restrict the system admin on anything.

OR

You take over the credentials of system admin and every job of the system admin has to be supervised and monitored by you.

I will choose the first one.
0
 
LVL 29

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 332 total points (awarded by participants)
ID: 41865628
In both Windows and Linux, the system administrator can override all protections on any folder and file.  There's no way to do what you ask without adding more software and some overhead.

What could be done is encrypt the files in question and decrypt them only in the application's internal memory, and when writing them back to disk re-encrypt those files.

This assumes that nobody will tell the system administrator what the password to the application is, and that is certainly not a good assumption.

Your company's insurance probably does not cover this type of employee malfeasance.  If the data is that sensitive, you must -- not should, must -- require that all employees who can override security on that system be bonded for at least one million dollars, or insured against malfeasance for the same amount.  Typically a one million dollar bond costs one-half to one percent a year, so add another $10,000 per million dollars of bonding to the annual cost of that employee.  

This does several things.  First, you're covered against financial damage in case of an offense.  Second, the bonding company will investigate the employee's background as part of the bonding process.  Third, it lets the employee know you are serious about security.  Fourth, bonded employees won't be handing out admin-level passwords.  Finally, if the employee commits an offense they know the bonding company will be coming after them.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1004 total points (awarded by participants)
ID: 41865634
The Windows EFS will determine who can see the protected files.
EFS encrypts files with a random file encryption key (FEK) and encrypts that key with an RSA key belonging to the user ... this RSA key is protected by DPAPI ... if the system is set up with a key recovery agent, the FEK is also encrypted for the RSA key of the key recovery agent (this might be the local admin, but can be changed, even to no key recovery agent).

If the local admin changes the password of a user, their DPAPI master key is left untouched, still protected by the old user password ... changing the password won't give you access to the DPAPI master key, and therefore won't give you access to the user's private RSA key ...

If the station is a member of a domain, the domain controller will have a decryption key that will allow decryption of a DPAPI master key ...
0
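The EFS mechanism described in the comment above, as an added PowerShell example that is not part of the original thread and not code from any of its participants: it encrypts the document store, verifies that every file actually carries the Encrypted attribute, lists which certificates (the user's and any Data Recovery Agent) can unwrap the FEK of a file, and backs up the encrypting account's EFS certificate with its private key. The path D:\DMS\Documents, the backup location E:\OfflineKeyBackup, and running the script elevated as the document application's own service account are assumptions. The caveat that applies: a local admin whose certificate is not in the list gets only ciphertext, but can still delete or rename the files, and anyone who can run as the application account, or who holds a DRA key pushed by domain policy, gets the plaintext.

```powershell
# Added example, not from the thread. Assumptions: the document store lives under
# D:\DMS\Documents, this runs elevated AS THE APPLICATION'S SERVICE ACCOUNT (the
# account whose EFS certificate should be the only one able to unwrap the FEK), and
# E:\OfflineKeyBackup is an offline/removable location for the key backup.

$DocRoot   = 'D:\DMS\Documents'
$KeyBackup = 'E:\OfflineKeyBackup\dms-efs.pfx'

# 1. Encrypt the folder tree. The folder attribute makes new files encrypted too,
#    and the FEK of each file is wrapped for the current account's EFS certificate.
cipher.exe /E /S:$DocRoot | Out-Null

# 2. Verify: any file still without the Encrypted attribute is readable by any admin.
$Cleartext = Get-ChildItem -Path $DocRoot -File -Recurse |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
if ($Cleartext) {
    Write-Warning 'Files still in cleartext:'
    $Cleartext | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# 3. Show who can decrypt a sample file: cipher /C lists the user certificates that
#    can unwrap the FEK and, separately, any recovery certificates (a Data Recovery
#    Agent pushed by policy). A local admin absent from both sections sees only ciphertext.
$Sample = Get-ChildItem -Path $DocRoot -File -Recurse | Select-Object -First 1
if ($Sample) { cipher.exe /C $Sample.FullName }

# 4. Find the EFS certificate this account is using (EKU 1.3.6.1.4.1.311.10.3.4) and
#    back it up with its private key. If the profile or the DPAPI master key is lost,
#    this PFX is the only way back to the documents.
$EfsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $EfsCert) { throw 'No EFS certificate in CurrentUser\My; encryption did not run as expected.' }
"EFS certificate $($EfsCert.Thumbprint) expires $($EfsCert.NotAfter)"
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the EFS key backup'
Export-PfxCertificate -Cert $EfsCert -FilePath $KeyBackup -Password $PfxPassword | Out-Null

# 5. To let one additional (non-admin) account read the files, add that account's
#    EFS certificate by its thumbprint; never add an administrator's certificate:
#    cipher.exe /ADDUSER /CERTHASH:<thumbprint-of-the-other-account's-EFS-cert> /S:$DocRoot
```

Run the cipher /C step again after any group policy change: if a Data Recovery Agent appears under the recovery certificates, whoever holds that agent's private key (by default a domain administrator) can decrypt everything regardless of the user list.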
 

Author Comment

by:Member_2_7967119
ID: 41865650
We have already attempted the encryption and decryption of the documents, but there is a very serious overhead on performance, as every time an employee requests a document via search, the viewing of the document needs to first pass the decryption by the application's key and then display the document.

I do resonate with what you were stating about trusting the custodian, since he/she needs to manage the backups and other critical housekeeping tasks.

No one at the firm understands the same.

The next option was to store the data in SQL Server tables and read it from them, so that we do not worry about having the physical file on the hard disk. But this option has heavy performance issues as well.
0
 
LVL 29

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 332 total points (awarded by participants)
ID: 41865653
No one at the firm understands the same.

Write down an official memo, one page only, expressing your concern about the situation.  Estimate the financial damage to the company if the data in question were to be compromised.  Also estimate the legal issues (at $500/hour lawyer time) and the effects on the company's future earnings.  Figure a minimum of 200 hours of lawyer time per aggrieved client.  Use short, simple phrasing.

Put it down on paper, on official company letterhead.

Hand deliver it to the CEO, the CFO, and the company's legal department.  Mail a copy to yourself at home, certified mail, return receipt requested to prove that you brought the issue up, and when.

There will either be positive action, or your tochis will be covered in case of a problem.  Either way you win.  You'll have to live with the eternal hate of your immediate supervisor, though.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1004 total points (awarded by participants)
ID: 41865756
I understand the encryption impact, but it should be sized up properly with hardware, and not by keeping on adding oversight measures, which is just not going to get anywhere.

Encryption is in fact minimal to deter admin access. There is also file integrity monitoring, and likewise the system will have some loading. They are not foolproof but serve as deterrents for abuse. You really need to balance convenience vs. risk appetite. It is hard to have both worlds; it is about a risk-measured approach. Let your stakeholders make an informed decision with your concerns.

Go for minimal audit trails and have a regime to track and review anomalous activities. One option for oversight, if this makes sense for your environment:
CimTrak is one of very few FIM software products with an audit trail that cannot be altered by users. This means your administrative and privileged user actions are continually monitored. It eliminates any risk that your FIM software will hide malicious activity.


CimTrak's audit trail also allows total oversight into user activity. Any time a critical file or configuration is changed in a negative way, an alert is generated. These alerts clearly differentiate between positive, neutral, and negative changes.
 https://www.cimcor.com/cimtrak/?_ga=1.87067167.626203798.1477821099
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 332 total points (awarded by participants)
ID: 41865778
What document management system is in place: Documentum, OpenText Livelink ECM?
The overhead of encryption/decryption versus possible access by a rogue admin who copies data: which is more important?

The overhead is one consideration and impact; the backup/restore/DR is another.
If the data is within a file share on that server, setting up a deny rule for the group of users to which admins belong ....
But as others have pointed out, admins have the tools necessary to gain/regain access in the event of an error. Admins are entrusted with ........
Even with encryption enabled, the admin of the document management system would be the one who has access to the encryption/decryption keys. So with that, a rogue admin to whom said information was entrusted ............. need not read any of it to cause havoc on an enterprise.
Doctors/surgeons hold the lives of their patients in their hands; could you impose a restriction on a position requiring an extraordinary level of trust to prevent an errant person from doing bad things?

With systems, no matter how complex, there is a person, or a mechanism to which a person has access, and an error could be made such that the wrong person is entrusted with the wrong set of information.

Check with the vendor of the document management system whether they have an option to differentiate the treatment/storage of documents designated as sensitive, or set up a second document management system that would house these types of documents.
1
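The deny rule mentioned in the comment above and the audit-trail oversight recommended two comments earlier, combined in one added PowerShell example that is not part of the original thread and not code from any of its participants: it places an explicit deny for BUILTIN\Administrators on the document store, adds a SACL so that reads, writes, deletes, ownership changes and permission changes by anyone are logged, enables the File System audit subcategory, and pulls the resulting Security events that were not generated by the application account. The path D:\DMS\Documents, the service account name CORP\svc-dms and the one-day review window are assumptions. The caveat raised above still holds: an administrator can take ownership and rewrite the DACL, so the deny ACE is only a speed bump, and the audit record (forwarded off the box, where the same administrator cannot clear it) is the actual control.

```powershell
# Added example, not from the thread. Assumptions: document store D:\DMS\Documents,
# the DMS application runs as CORP\svc-dms, and this runs elevated on the file server.

$DocRoot    = 'D:\DMS\Documents'
$AppAccount = 'CORP\svc-dms'
$AppUser    = $AppAccount.Split('\')[-1]      # Security events show the name without the domain
$AdminGroup = 'BUILTIN\Administrators'
$Inherit    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop       = [System.Security.AccessControl.PropagationFlags]::None

# --- DACL: explicit allow for the app account, explicit deny for Administrators ---
# Explicit deny ACEs are evaluated before any allow, inherited or not, so membership in
# Administrators does not rescue a reader. ReadAttributes, ReadPermissions and Synchronize
# are deliberately NOT denied: denying them breaks backup enumeration and Get-Acl itself.
$Acl = Get-Acl -Path $DocRoot
$Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $AppAccount, [System.Security.AccessControl.FileSystemRights]::FullControl,
    $Inherit, $Prop, [System.Security.AccessControl.AccessControlType]::Allow))
$DenyRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, ExecuteFile, Delete, DeleteSubdirectoriesAndFiles'
$Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $AdminGroup, $DenyRights, $Inherit, $Prop, [System.Security.AccessControl.AccessControlType]::Deny))
Set-Acl -Path $DocRoot -AclObject $Acl

# --- SACL: log successful access by anyone, including the bypass path ---
# TakeOwnership and ChangePermissions are exactly what takeown.exe / icacls.exe exercise
# when an admin works around the deny ACE; auditing them makes the bypass show up as 4663
# with WRITE_OWNER / WRITE_DAC in the access mask.
$Audit = Get-Acl -Path $DocRoot -Audit
$AuditRights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete, TakeOwnership, ChangePermissions'
$Audit.AddAuditRule([System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $AuditRights, $Inherit, $Prop, [System.Security.AccessControl.AuditFlags]::Success))
Set-Acl -Path $DocRoot -AclObject $Audit

# A SACL does nothing until the File System object-access subcategory is enabled.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# --- Review: who other than the application touched the store ---
# 4663 = an attempt was made to access an object; 4670 = permissions on an object were changed.
function Get-DocStoreAccessByOthers {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -like "*$DocRoot*" -and
            $_.Message -notmatch "Account Name:\s+$([regex]::Escape($AppUser))\b"
        } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } }
}
Get-DocStoreAccessByOthers | Format-Table -AutoSize
```

Expect the deny ACE to make Explorer show "access denied" on the folder for administrators while backup jobs that only enumerate attributes keep working. Anything returned by Get-DocStoreAccessByOthers is, by construction, an access that did not come from the application, and a 4663 with WRITE_OWNER or WRITE_DAC on the path is an administrator defeating the deny rule.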
 
LVL 65

Accepted Solution

by:btan
btan earned 1004 total points (awarded by participants)
ID: 41865790
There are also practices that centralise access through a proxy jump host to file servers and critical servers. This can even include video recording (kind of digital CCTV style) of the actions taken; in a way, the performance hit on the servers is offloaded onto the jump host. This brings the most value for oversight of remote admin access.
0
 

Author Comment

by:Member_2_7967119
ID: 41881678
I will take your advice and share it with my team. Hope they understand.
0
 
LVL 65

Expert Comment

by:btan
ID: 41881774
Sure thanks for sharing. The oversight should be centralised for holistic readiness.
0
 
LVL 49

Expert Comment

by:Jackie Man
ID: 41903915
Sufficient information to close this question.
0
