Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Protecting data from the NT admin 2

Status
Not open for further replies.

raygg

Technical User
Jun 14, 2000
397
US
I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume a NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user. Can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of an folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?
 
Anybody with Domain level Administrator rights can access any file on the network.
If you are concerned about word documents I think theer is password protection on them. If not then personal encryption or password protected zipping might be solutions.

James :) James Culshaw
jculshaw@active-data-solutions.co.uk
 
I understand that the domain level admin can access any file but is it access without the owner knowing it? What can the document owner do to require the admin to break a password or otherwise cause the NT admin to reveal something has been done to access the document without authorization? The examples are common: medical records, HR records, patents etc etc.
 
I have to jump in here, because I view this as a sensitive issue. There is almost no way to completely prevent a determined net admin from accessing data on the network. The net admin can change any security rights that could be set, and the good ones could even go so far as to remove passwords from word/excel documents. Companies commonly require confidentiality agreements with technicians and admins specifically because it is so hard to prevent access from the ones who *control* access. Bottom Line, I agree with James. If you can't trust your admins, get rid of them. Hire someone you can trust. David Moore
dm7941@sbc.com
 
I completely agree with David, if the file is on the corporate network, there is just about no way you can keep a Domain admin from getting to it.

But I would like to offer 2 suggestions.
1. Even though the admin can get at the files, set up auditing on the folder. This will tell your user (not tell you, you have to look at the log) who is accessing the files.
2. I have been preaching this ever since I started playing with it - GET WINDOWS 2000 - w2k has EFS encrypting file system, cool stuff.
3. Keep the sensitive documents off the network - floppy, zip, etc...

Good luck to ya!
>:):O> anongod@hotmail.com

"Drawing on my fine command of language, I said nothing."
 
How is auditing set up by the user? Does the user have to have special privileges or can anyone set it up? If someone other than the user looked at the folder - will the auditing function automatically alert the user to this?
 
As this is something I have never actively used, I do not have exact details, or experience to pull from. Therefore, i highly recommend getting an NT book that will discuss this further.

First go into User Manager for the NT Workstation you want to audit. Goto Policies menu, and select Audit... These are overall settings for the computer, and have to be turned on before individual folders can be audited. Choose the things you would like to monitor, and exit.

Goto the properties of the folder you want to monitor, select the Security tab, and click the Auditing button. Add the users you want to monitor (the admin, and all accounts he has access to / or just everyone) and select what you want to monitor on this folder.

When all is said and done, test it by opening up the folder and deleting a test file, and check the local security log. All of your actions will be there.

When setting permissions, make sure to cover anything that the admin can cover. i.e.-Clearing Event Log's, changing Auditing permissions, etc... as i said, get the book, it will have a better idea of things to look for, and a good explanation of what the security log is telling you.

Good Luck, and please post back with the results of your venture, I am curious...
>:):O> anongod@hotmail.com

"Drawing on my fine command of language, I said nothing."
 
I have to agree with the comment above regarding using good encryption. Documents that are so "sensitive" you are worried about the network administrator gaining access, there is NO excuse not to use good encryption. Depending on your actual needs there are too many good products out there that will simply and effectively keep out anyone who should have access to your files. You can keep them on floppies/zip disks but they can be lost, damaged, etc. Don't waste time trying to work around the problem. Encrypt those files and move on, problem solved...

 
If you have sensitive doc i would suggest to put them on a disk and carry it with you.
If you want to know for sure what going on with your pc you can get free software that they will not know is running. go to and look for something called 007starr.
It will record everything.....it will time stamp, date and record every key stroke or folder that is accessed, including login names and passwords.


Good luck
 
Nt admins always have rights over any user on the network that is part of its Domain. NT work stations and server automaticly shares any hard drives as hidden drives. So say you have a C: drive and and a D: Drive. They will become C$ and D$.
The way I who access your files of the network I would use map drive \\computername\C$ or \\computername\D$. AS an admin I could save, delete, and copy what ever I want.
The way around this in this case is to unshare the D: drive and the C: drive. By defualt everyone has access to the hidden shares. If your using Nt you could use netwatch to see if anybody is accessing your shares. If the machine is a windows9x machine disabe file and print sharing.
 
If this is a problem then you have 2 possibilities:
1. Change the operating System to secure Unix. This OS requires two persons to access a file
a) The System-manager who keeps the machine running and
b) The Security-manager, who grants the access permissions even for the Systemadministrator. To access a file both people have to work together.

2. Use a STRONG encryption. I would recommend PGP because with this program you can define a distribution list of all users who are allowed to access the file.

I personnaly do not trust into Microsoft's safety features. I don't know why it's a feeling only, which is supported by some events like the hack some weeks ago.

There is no other way to protect your data, because the paermission as a Administrator is like a Masterkey to everything. An Administrator could even manipulate the auditing Files and manipulate the logfiles.

I agree with culshaja: If you cannot trust into your Administrator you should fire him.

hnd
hasso55@yahoo.com

 
@guest99

Basically you are right. But to install such tool you have to be a´n Administrator - not a regular user - and even in that case any other person who has administrative permission could override your setup.

hnd
hasso55@yahoo.com

 
WOW. A lot of talk about an easy fix. I am an administrator and I keep my files hidden very easily. Take the files you want to hide and place them in a folder on your local machine on a drive with a NTFS file partition. Right click the folder and select properties. Select the security tab and click the permision button. You will see a box that shows every one who has permission on your folder. Remove everyone but your self and make sure that you have full control. This will block access from anyone on the network and anyone who sits at your machine from seeing the folder and files.
 
@tubbaguts

This will block access....

Except the adminstrators. They can change the permissions.

hnd
hasso55@yahoo.com

 
tubbaguts,
i totally agree with hnd and culshaja... you can block everyone else's access to your folders and files but anyone with admin rights can override this setting and change permission as they please...

blocking access is effective only to ordinary domain users but not to administrators...

one suggestion to block anyone's access in reading your file is to zip it up with password protection... that way, only you can decrypt it...

also, if you're stuck on using nt and you can't trust your admin as everyone else has recommended, then replace him with someone you can :)
 
Check again. If you remove "everyone" from the default full control and then allow only permissions for the specific user, you should have what you want. I have a machine I use for remote support that I set up a particular folder this way. Domain admins are part of the administrators group on the machine. But, from my laptop, logged in as a domain administrator, I cannot access the folder or its' contents.
 
@newguest
I want to warn you very urgent: Do not use the zip-Password to protect your data. It is a very weak method (Refer to Bruce Schneier:Applied Cryptography)
If you want to protect important Data by Encrytion use a strong Method or nothing because a weak method like in Zip gives you a wrong feeling of Security.

hnd
hasso55@yahoo.com

 
Still, ZIP encryption isn't a bad way to keep casual users out of your data. I'm talking about people willing to spend less than 24 hours with a password cracker. Even the best ZIP crackers consume enormous system resources and require a great deal of time to extract encrypted data... especially if the user takes the time to use a long, random password like AeXedPN4VafmaV8aUIYz01VvwP30yok7fobcknqy31s05O9vuqHvp5X1qLdugqLq.

Keeping an administrator out of a folder isn't especially hard. All you have to do is bury the folder a zillion layers deep and use the SUBST command to create a virtual drive (they aren't very accessible over a network).

But the real question isn't how... it's why. Admins take a dim view of users who feel a need to get sneaky. Password encrypted folders and hidden folders tend to raise flags, actually provoking an admin's naturally inquisitive nature.

As culshaja pointed out, this is a question of trust. In my view, network administrators should have faultless integrity... or they should work for a competitor.

VCA.gif

Alt255@Vorpalcom.Intranets.com
 
OK, I have a very low tech solution to this high tech problem, How about saving it to floppy and taking the floppy home with you, or just emailing it to to a online email account then deleting it from your PC, Mailcity.com gives you 15M, How about offline storage, Driveway.com offers 25M free storage.


Drain Surgeon (MCSE)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top