Restrict the system administrator (Custodian) from copying files via Windows File Explorer

We have a Document management system which holds sensitive data. Currently the users on the system can view the documents within the framework of the software we provided. We do have an audit trail on the document access etc.

But this still leaves a hole in the security aspect, as the application custodian where the s/w is installed still has access to the folders where these documents reside.

How do we ensure that the system admin can't access this folder and that access is only permitted via the software application?
btan (Exec Consultant) commented:
There are also practices that centralise access through a proxy jump host to file servers and critical servers. This can even include video recording (kind of a digital CCTV style) of the actions taken, in a way that offloads the performance cost from the servers onto the jump host. This brings the most value for oversight of remote admin access.
Jackie Man commented:
You need to trust the system admin, as it is unlikely that you can restrict the system admin on anything.

You take over the credentials of the system admin, and every job of the system admin has to be supervised and monitored by you.

I will choose the first one.
Dr. Klahn (Principal Software Engineer) commented:
In both Windows and Linux, the system administrator can override all protections on any folder and file. There's no way to do what you ask without adding more software and some overhead.

What could be done is encrypt the files in question and decrypt them only in the application's internal memory, and when writing them back to disk re-encrypt those files.

This assumes that nobody will tell the system administrator what the password to the application is, and that is certainly not a good assumption.

Your company's insurance probably does not cover this type of employee malfeasance.  If the data is that sensitive, you must -- not should, must -- require that all employees who can override security on that system be bonded for at least one million dollars, or insured against malfeasance for the same amount.  Typically a one million dollar bond costs one-half to one percent a year, so add another $10,000 per million dollars of bonding to the annual cost of that employee.  

This does several things.  First, you're covered against financial damage in case of an offense.  Second, the bonding company will investigate the employee's background as part of the bonding process.  Third, it lets the employee know you are serious about security.  Fourth, bonded employees won't be handing out admin-level passwords.  Finally, if the employee commits an offense they know the bonding company will be coming after them.
btan (Exec Consultant) commented:
The Windows EFS will determine who can see the protected files.
EFS encrypts files with a random file encryption key (FEK) and encrypts that key with an RSA key belonging to the user ... this RSA key is protected by DPAPI ... if the system is set up with a key recovery agent, the FEK is also encrypted for the RSA key of the key recovery agent (this might be the local admin, but can be changed, even to no key recovery agent).

If the local admin changes the password of a user, their DPAPI master key is left untouched, still protected by the old user password ... changing the password won't give you access to the DPAPI master key, and therefore won't give you access to the user's private RSA key ...

If the station is a member of a domain, the domain controller will have a decryption key that will allow decryption of a DPAPI master key ...
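The EFS mechanics described in the comment above, written out as an added example (this is not code from the thread). It encrypts the document store under a service account and then uses cipher.exe to list, per file, which certificates can unwrap the FEK, flagging any file that a data recovery agent can read. The folder path D:\DMS\Docs and the service account are hypothetical, and matching on the English text "Recovery Certificates" in cipher.exe's output is an assumption about its localisation.

```powershell
# Added example, not from the original thread: put the document store under EFS
# and list which keys can actually unwrap each file's FEK.
# Hypothetical names: the documents live in D:\DMS\Docs, and this script runs as
# the DMS service account that should be the only holder of the decryption key.
$DocRoot = 'D:\DMS\Docs'

# Encrypt the folder and its contents; new files created below it inherit the
# encrypted attribute. The FEK is wrapped for the RSA key of the caller, so run
# this as the service account, not as an administrator.
& cipher.exe /e /s:$DocRoot | Out-Null

# Confirm the attribute is set on every file.
$plain = Get-ChildItem -Path $DocRoot -File -Recurse |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($plain) {
    Write-Warning ("Still unencrypted:`n" + ($plain.FullName -join "`n"))
}

# cipher /c prints, per file, the users whose certificates can decrypt it and a
# "Recovery Certificates:" section when a data recovery agent (DRA) is configured.
# A DRA is a second key that unwraps the FEK: whoever holds that private key
# (a domain admin by default on a domain, or the local admin on a workgroup
# machine) reads the file no matter what NTFS says. Parsing the English output
# of cipher.exe is an assumption; a localised build prints different text.
$withDra = foreach ($f in Get-ChildItem -Path $DocRoot -File -Recurse) {
    $report = & cipher.exe /c $f.FullName
    if ($report -match 'Recovery Certificates') { $f.FullName }
}
if ($withDra) {
    Write-Warning ("A recovery agent can decrypt:`n" + ($withDra -join "`n"))
} else {
    Write-Host "No recovery agent key on any file under $DocRoot"
}
```

Two caveats for anyone trying this against the question's threat. The encrypted attribute does not stop an administrator from copying the files: with SeBackupPrivilege (for example `robocopy /EFSRAW`) they can copy the raw ciphertext, but without the service account's DPAPI master key or a DRA private key that copy is unreadable. On a domain member the DRA is set by Group Policy, which is controlled by the same domain admins the question wants to exclude, so whether EFS helps at all is decided by who holds the recovery key, which is exactly what the script reports.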
Member_2_7967119 (Author) commented:
We have already attempted the encryption and decryption of the documents, but there is a very serious overhead on performance, as every time an employee requests a document via search, the viewing of the document needs to first pass through decryption by the application's key and then display the document.

I did resonate with what you were stating about trusting the custodian, since he/she needs to manage the backups and other critical housekeeping tasks.

No one at the firm understands the same.

The next option was to store the data in SQL Server tables and read it from them, so that we do not worry about having the physical file on the hard disk. But this option has heavy performance issues as well.
Dr. Klahn (Principal Software Engineer) commented:
"No one at the firm understands the same."

Write down an official memo, one page only, expressing your concern about the situation.  Estimate the financial damage to the company if the data in question were to be compromised.  Also estimate the legal issues (at $500/hour lawyer time) and the effects on the company's future earnings.  Figure a minimum of 200 hours of lawyer time per aggrieved client.  Use short, simple phrasing.

Put it down on paper, on official company letterhead.

Hand deliver it to the CEO, the CFO, and the company's legal department.  Mail a copy to yourself at home, certified mail, return receipt requested to prove that you brought the issue up, and when.

There will either be positive action, or your tochis will be covered in case of a problem.  Either way you win.  You'll have to live with the eternal hate of your immediate supervisor, though.
btan (Exec Consultant) commented:
Understand the encryption impact, but it should be sized up properly with hardware, and not keep on adding oversight measures, which is just not going to get anywhere.

Encryption is in fact minimal to deter admin access. There is also file integrity monitoring, and likewise the system will have some loading. They are not foolproof but serve as deterrents for abuse. You really need to balance convenience vs risk appetite. It is hard to have both worlds; it is about a risk-measured approach. Let your stakeholders make an informed decision with your concerns.

Go for minimal audit trails and have a regime to track and review for anomalous activities. One option for oversight, if this makes sense for your environment:
CimTrak is one of very few FIM products with an audit trail that cannot be altered by users. This means your administrative and privileged user actions are continually monitored. It eliminates any risk that your FIM software will hide malicious activity.

CimTrak's audit trail also allows total oversight into user activity. Any time a critical file or configuration is changed in a negative way, an alert is generated. These alerts clearly differentiate between positive, neutral, and negative changes.
What document management system is in place: Documentum, OpenText Livelink ECM?
The overhead of encryption/decryption versus possible access by a rogue admin who copies data: which is more important?

The overhead is one consideration; the backup/restore DR impact is another.
If the data is within a file share on that server, setting up a deny rule for the group of users to which admins belong ....
But as others have pointed out, admins have the tools necessary to gain/regain access in the event of an error. Admins are entrusted with ........
Even with encryption enabled, the admin of the document management system would be the one that has access to the encryption/decryption keys. So with that, a rogue admin, to whom said information was entrusted ............. need not read any of it to cause havoc on an enterprise.
Doctors/surgeons hold the lives of their patients in their hands; could you impose a restriction on a position requiring an extraordinary level of trust to prevent an errant person from doing bad things?

With systems, no matter how complex, a person, or a mechanism to which a person would have access, an error could be made such that the wrong person is entrusted with the wrong set of information.

Check with the vendor of the document management system whether they have an option to differentiate treatment/storage of documents designated as sensitive, or set up a second document management system that would house these types of documents.
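The deny rule suggested in the comment above, written out as an added example (not code from the thread), together with the audit rule a practitioner would pair it with so that the "regain access" path the commenters warn about at least leaves a record. It grants the DMS service account Modify, sets it as owner, adds an explicit Deny for the local Administrators group, and puts a SACL on the folder. The folder D:\DMS\Docs and the account CORP\svc-dms are hypothetical names; run it once, elevated, from an account that can still reach the folder before the Deny takes effect.

```powershell
# Added example, not from the original thread: lock the document folder to the
# DMS service account, deny the Administrators group, and audit attempts to read
# the files or rewrite the permissions. Hypothetical names throughout.
$DocRoot  = 'D:\DMS\Docs'
$SvcAcct  = 'CORP\svc-dms'
$AdminGrp = 'BUILTIN\Administrators'

$acl = Get-Acl -Path $DocRoot
# Stop inheriting from the drive root and drop the inherited ACEs
# ($false = do not copy them in as explicit entries).
$acl.SetAccessRuleProtection($true, $false)

$inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [Security.AccessControl.PropagationFlags]::None

# The owner of an object implicitly holds READ_CONTROL and WRITE_DAC, so if the
# folder stays owned by Administrators the Deny below can simply be edited away.
# Hand ownership to the service account (needs SeRestorePrivilege to set).
$acl.SetOwner([Security.Principal.NTAccount]$SvcAcct)

# Service account: Modify (read/write/delete) but not FullControl, so the
# application cannot rewrite this ACL itself.
$acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule(
    $SvcAcct, 'Modify', $inherit, $prop, 'Allow')))

# Explicit Deny for admins. Deny ACEs are evaluated before Allow ACEs, so
# membership in any other permitted group does not help.
$acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule(
    $AdminGrp, 'FullControl', $inherit, $prop, 'Deny')))

# SACL: record successful and failed reads, writes, ownership takes and
# permission changes by anyone. Events appear in the Security log as 4663
# (object accessed) and 4670 (permissions changed) once File System auditing
# is enabled below.
$acl.AddAuditRule((New-Object Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, TakeOwnership, ChangePermissions',
    $inherit, $prop, 'Success, Failure')))

Set-Acl -Path $DocRoot -AclObject $acl
& auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Show the resulting DACL and SACL.
(Get-Acl -Path $DocRoot -Audit).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
(Get-Acl -Path $DocRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags
```

What this does and does not achieve, in line with the comments above: an administrator still holds SeTakeOwnershipPrivilege and SeBackupPrivilege, so they can take ownership and rewrite the DACL, or copy the files with a backup tool that bypasses it. The Deny turns a casual copy through File Explorer into a deliberate privileged act, and the SACL makes that act generate events 4670 and 4663. Because the same administrator can clear the local Security log, the events are only worth something if they are forwarded to a collector the administrator does not control.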
Member_2_7967119 (Author) commented:
I will take your advice and share it with my team. Hope they understand.
btan (Exec Consultant) commented:
Sure, thanks for sharing. The oversight should be centralised for holistic readiness.
Jackie Man commented:
Sufficient information to close this question.