Protecting data from the NT admin 2

[raygg]

I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume a NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user. Can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of an folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?

 

[tubbaguts]

@ hnd & culshaja
Once again, I am a domain admin. Remove everyone from the folder you want to protect and add only the people you want to have access. It works, I have tested it with other domain admins. No domain admin except me has access to my files. It must be set at the file level, not the share level. Not to be a smarty, but I am a MCSE and I know what I am talking about. I work with other domain admin who were thinking the same way as you are. It works. Forget about using zip files, use NT for what it was designed for "security". Check MS Technet, you will get the same answer.

 

[Alt255]

Hi, tubbaguts. I agree that your solution will provide fair protection.

But I don't think it will prevent the one-percenters from taking a look or going as they please.

Alt255@Vorpalcom.Intranets.com

"What this country needs is more free speech worth listening to."[tt]
Hansell B. Duckett[/tt]​

 

[AnonGod]

Sounds like a paper MSCE, cause ur wrong. Domain Admins have local admin privlidges - including taking ownership of any file on the local box. If you have a book or a valid article that proves me wrong, give me ur best shot.
God I love arguing.
>:O> anongod@hotmail.com

"Drawing on my fine command of language, I said nothing."

 

[tubbaguts]

@Anongod
The question is not taking ownership it is looking at the files. If an Admin takes ownership a trail will be left for the user. If the admin is blocked (which can be done) he is blocked. This is my last post to this dead horse.

 

[PerryTorres]

I don't trust our NT Administrator, I think he's been opening some of our outlook messages and other documents, can you suggest a software that i can download to see if he is doing this to my computer/documents/messages? please help me out, its for the protection of more than 700 employees. tnx!

 

[jaeddy]

tubbaguts is correct, and even more than that: in order to change the permissions or take ownership of files prepped in the manner he describes the admin would have to be logged on *locally* to the machine where the file in question resides, and with auditing in place he will blaze a trail anyone could follow straight to the unemployment line.

The issue really is one of trust, pure and simple. I run a network where management has numerous "hidden" shares for sensitive documents and I set security on them to lock out even domain admins. Can I go in and change the permissions? Absolutely. Will I? No. Why? Because I have been given a position of authority and responsibility and to do so would be to violate the trust implied in the assignment of those powers and responsibilities. One more voice in a chorus of "if you don't trust your admin, why the heck is he/she still your admin?"

 

[gensan]

PerryTorres

there are a lot of software that you can use for this. Also, as discussed lengthily, there are auditting features you can use. But these are all just temporary solutions. The real problem would be on the Administrator.
Hiring people on such sensitive post should be evaluated in detail. They are hired because of trust and confidence. If one of them is missing, no point of hiring or retaining at all.

 

[ChrisHirst]

People. The answer as others have said is get rid of the admin if you cannot trust him\her. I am Group I.T. Manager and administrator of a 150+ user multi-site network and the one thing I ensure is that everyone above me (Directors upwards) knows that I have more rights over the company documents and their private documents than they have. Having said that I do not have the time to read my own mail without going through other peoples mailboxes etc. I do open mailboxes of course on request from directors or if virus activity warrants it, but there will always be a message sent to the user informing them. The bottom line is your administrator is in a very powerful position and as such has to be trusted. If you cannot trust them they have no right to be there. I myself would expect to be fired without question if there was even a suspicion of me reading sensitive company\private documents without authorisation.

Chris.

 

[epohl]

I must agree with ChrisHirst, it is all a matter of trust. If this person cannot be trusted there is no reason for them to have this position. And as far as keeping a Domain Admin out the answer is simple, you can't unless the data is not on the network. Also one other key thing to remember is that technically data and email belong to the company and from time to time management may ask admins to review it. So if it is something you want NOONE else seeing it has no reason being on a corporate network.

 

[Maruis]

All good and well.
I agree with trust your Admin, if not get rid of him/her.

The question is what in the world is so sensitive? Is that info of National importance? If not why make such a fuss?

I have seen so many people being paraniod about data on a network.

Frankly as Admin I do not care what the info is, only that I need to protect it. Hope this Helps

Maruis
"I sleep at home not on my Job!"

 

[Kjonnnn]

Yea what is so secret. You may be worrying over nothing. As an admin i see things, but I dont see them. You may think your information is more interesting than it really is. Is their evidence the admin is peeking at stuff? what stuff?

Most of us dont have time peeking into harddrive and outlook files to read emails.

So whats the real deal here.

 

[Mturner]

well said Kjonnn!!! its part of our jobs to see information we are not ment to but i just ignore it. anyway we have plenty of intresting things to look at of our own letalone other peoples!.

 

[TheLad]

I have only read a few posts in this thread, but I don't quite understand something.

You see, any IT Admin person knows that if they wanted, they could read anything on the system anywhere. But being in a position of such responsibility, any IT Admin person worth their salt has the professionalism not to.

If a user is unhappy with IT Admin people having access to his/her files, that from my point of view is very bullish of the user in question. They obviously have something to hide. I have had this before with users whereby they have rather saved data onto their computers hard drive rather than the server,and my answer has always been the same: how can I guarantee the security and safety of your data on a PC hard drive? Anyone can log onto a workstation and access the contents of the hard drive. Also, how does this data get backed up, and what happens if the PC fails? I have had users gloat at the fact they have password-protected a Word document, until I point them in the direction of a Shareware utility that hacks it in seconds.

It does my head in when users moan about us IT Administrators having access to their personal files. I personally have better things to do with my time than look at users files! -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[dcain]

Yes I have to agree with the rest of the admins here, I had to sign a confidentiality agreement to keep the management happy. As part of my job it is expected I may see confidential information. The expectation though is that it goes no further. That's not a problem for me. Nobody seems to complain that the HR personnel can see everybody's salary and personal details.


David

 

[SimonDavis]

I think there are some great principals being discussed here, but they don't seem to be too realistic.

The 'what can be so secret' camp might consider if they'd like a complete stranger looking through their medical records, bank balances or even memo's to their business partners justifying why they will make their IT manager (who also has the power to trash their system) redundant in three months time. They seem to criticise the person for wanting to keep their documents private. Glad they don't run my system, that's all I can say.

And do the 'sack him' brigade assume the replacement would be any better? I don't see that the original post questioned the integrity of the admin anyway.

Theres nothing wrong with a bit of paranoia - I trust our admin completely, but MY rules say I keep my private stuff on my local machine, not his character. I also am fully prepared to accept that I have to back my own stuff up, and could if needed to easily explain such a principal to my 96 year old granny.

If I have a document that I don't want read by someone (and that's not as unreasonable as some people seem to think), the fact that I could 'catch' the offender wouldn't change the fact that he had already read the document. It wouldn't make me any happier. I'm not an expert on network security, but I would imagine that it is not so difficult for a determined person to access files on a network.

I reckon the answer (as already suggested) is to keep it out of reach. Then nobody needs to get excited about it.

(Practical suggestion, get a zip/clik drive, they seem to be more reliable than a floppy).

 

[TheLad]

SimonDavies - with the greatest respect in the world to you, it is people like you who, with their paranoid attitude, give IT Admins a bad name.

People like you are the exception rather than the rule. There is a distinct lack of respect for people in IT whom without, your systems would fail to be properly maintained.

I have to say, there is more chance of someone finding out your password and going into your account that way than an IT Admin looking at your documents. If you have a desktop SimonDavies, there is more chance that someone could log into your workstation and, by virtue of being on your machine, have access to the documents you have saved locally. If you have a laptop, there is also more chance that you may be unlucky enough to have it stolen.

You see, by storing your documents locally, you are infact unwittingly comprimising their security more than having them on a server. If they are on a server, you have one copy, backed up regularly onto tapes that are stored securely, accessible to yourself only, on a server that is most likely behind lock and key. If you have them stored locally, you have the copy on your C drive, and any backups on other media that you may have taken. It makes me wonder what you have to hide?

Like I said in my previous post, IT Admins do not care that SimonDavies has personal documents stored in his personal drive on the server. We do not care that Fred in Legal is dating Wilma in Supplies! And like DCain said, "Nobody seems to complain that the HR personnel can see everybody's salary and personal details". You honestly have more chance of getting ripped off by a credit card hacker who has got your details off an unsecured website! -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[epohl]

SimonDavis,

I see your point, but private things such as medical records and bank balances really have no business being on a corporate PC, these are things for you to keep on your PC at home that you bought. This is often the case with the data people want to keep secret from the admin. Remember if it is a corporate PC on a corporate LAN the company owns all the data on it. And keeping them on your Local PC on the network really does very little to keep them secret. The Admin has access to all things in the domain, as Microsoft puts it this behavior is by design.

 

[Kjonnnn]

LOL....

Well it seems this question has turned from a "how to" to an "ethics" question.

Trust is the key in this situation. I have access to every computer from the President down to the lowliest clerk. I see but I dont see. I even when i was in another profession as a secretary, I had daily access to secret and confidential (and there is a difference between the two) on a daily basis. When i left that job, some people who applied for that job had the technical skills, but my boss felt they may not be trustworthy. Same thing in IT, for the most part we're a trustworthy bunch.

Officially, personal items shouldnt be on a corporate PC. I have no problem telling the people here i have access EVERYTHING, I let it be known. I never request to use a person's PC, if i need to maintain it, I sit down and do what i need to do. the Pc IS the company's PC. I had a person completely FDISK and reinstalled their own software once and changed all of "their" local passwords. I disabled their network account until they gave me the passwords. Its the company's equipment.

 

[SimonDavis]

Epohl, understand and agree, but I didn't mean my own personal records, I meant when they are kept as part of corporate data - what I was really commenting on was that a few of the posts above seem to suggest that notwithstanding that admins have the capability to read whatever he likes, he has the right to do so. Other seems to say even if he doesn't have the right, who cares if he does it anyway. I think both of those views are wrong.

TheLad - thanks for the advice. I'll put it all back on the network right away.

With equal respect (I'm not an IT admin by the way, I'm a company owner in a non-IT role, so I'm talking from a different perspective) your attitude that anyone without an MCSE can't be capable of switching on a torch is just as likely to give IT admins a bad name. Let's be honest, backing up is not the most complicated job you have to do, is it? It is possible for mere mortals to back up and protect their data. Sorry.

My suggestion for you - go start up your own company, and give everybody in the office total access to everything they want to read, stand back and enjoy the show.

Fact is that a company has the legal and moral right to decide who gets to see what. A responsible IT manager doesn't poke about, but I think if data is so sensitive that you have to worry about the possibility of someone seeing it (whether you trust them or not), you need to make special or unusual arrangements to protect it - i.e. keep it off of the network or better if you have the resources, scramble it. Nobody has to worry about it then.

FWIW, I completely agree with Kjonnnn's attitude - make absolutley sure people are aware that their network data is not exclusive to them.

 

[TheLad]

At my company, it is policy (and quite rightly so) for IT Admins to gain the permission on the user before the IT Admin can look into their personal area. With this in mind, if I have to go into a users home area in order to fix a problem with their profile (for example), the user has to send me written permission via email before I will. This is the rules the company employees and I fully agree with them.

There are exceptions, however, very limited exceptions. If a Senior Manager approaches my IT Manager and provides a valid excuse why we should take a look at a users home area, we will do it. The excuse has to be a serious breach of company policy however (eg. inappropriate files etc...)

We also monitor Internet access and external mail attachments via an SQL database and periodically search it to ensure users are not using the corporate Internet link for inappropriate pleasure.

Also, when a user brings up the Internet browser, they are greeted with a Terms & Conditions page which states suitable uses for the Coporate Internet. This also advises users of the action taken should these rules be broken.

Providing a company has a good IT Useage policy, there can be no confusion about what is allowed or not. -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------