Protecting data from the NT admin 2

Status
Not open for further replies.

raygg

Technical User
Jun 14, 2000
US
I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume an NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user, can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of a folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?
 
I'm not sure what your point is. You're describing more or less the policy that most companies have.

But we're not talking about people hiding stuff they shouldn't have. We're talking about 'hiding' stuff they should have.

And the argument can be applied to ALL employees, not just admins. It has to an extent become a debate about whether a company should be able to keep certain data private. The point is that it's easy to keep it private from everybody else, just don't give them permission. But Admins can if they want to overcome that. They are unique in that respect, so need special consideration.

I'm not picking on Admins. I'm sure there are carpenters who would read confidential docs if they had the passwords, and electronics technicians who wouldn't dream about it. The common factor is that they are all people, and some people will do things you don't want them to, even if you tell them not to.

Remove the opportunity, and they won't do it (whether or not they are inclined to). They can't. Sorted.

Beer time.
 
Hi Guys

I agree with most of the posts......

As an Admin you have the responsibility not to snoop in files or folders that do not concern you.

There is a rule, "need to know basis". To be short, if it does not concern you, do not read it even if you can!!!

The rule I live by is: Everybody knows I can access anything I want, but I won't in respect for other people.
Do to others what you would like others to do with you!!

I never had a problem with anybody regarding trust.
Respect is earned it doesn't come for free! The best of all respect is a mutual thing.


Hope this Helps

Maruis
"I sleep at home not on my Job!"
 
SimonDavis,

I understand what you mean completely, there is also going to be HR data as well as corporate data that is of a very sensitive nature. But there are always going to be employees (either IT or HR) that have access to it with the potential to abuse that access. Once again it all goes to trust and good policies. And unfortunately in every group there are going to be those people who abuse that trust.
 
"Lad" wrote they have to get permission from the user..?

That's funny.

Like the poster after that stated, we're talking about company stuff. Even if users had "personal folders" I can't think of a reason I need to go into a folder of data. But I DO/MAY need unlimited access to the computer. And I prefer the user not be around standing over my shoulder asking me stupid questions of what I'm doing. So some users I ONLY go into their computers when they are away.

So as we beat this dead horse, I guess the answer would be that.... if you have something, like a trade secret, or something sooooo SECRET that absolutely no one can see BUT you, you need to keep it offline. But when users start treating their computers like little CIA HQs, it impedes the effectiveness of the IT person. But we as IT personnel need unlimited access, 'cause sometimes when you sit down at a computer you don't know what you may need to do. Keep a private zip disk or CD-RW for your personal stuff.
 
Nothing wrong with a debate, unless you already know everything.

There are things other than porn and details of your next toenail surgery appointment that you might want to keep private.

There are people who will deliberately try to read things you don't want them to. Admins have no barriers whatsoever if they choose to do this, which is the only reason they are specifically mentioned.

There are other ways to store data.

It's a question of choice, isn't it. You would choose to keep yours on a server and backed up on tape. I'm not telling you that's wrong. I choose to keep some of mine on my own media, fully aware that if all 5 of the disks I rotate it on and keep in a fireproof safe were to fail, I'd lose the data. Am I wrong?

You just seemed to be horrified that anybody could possibly doubt the character of any person employed in IT.

Hello ! McFly! . . . thud thud.
 
Kjonnnn - I am not talking about computers, I am referring to data stored on servers. No data is stored on local computers because if one goes wrong, it takes us 10 minutes to rebuild it.

I am, however, a great believer in the UK Data Protection Act of 1998. It may read like a load of legal mumbo jumbo, but it is there for the protection of both users and administrators.

What you have said in your post Kjonnnn is my interpretation of the sort of person SimonDavis is on about. He states that he is worried about IT Admins snooping at his data (fair enough, it happens), and then you post quoting: "So some users I ONLY go into their computers when they are away". Is this not the attitude we are talking about here?

You may knock my company's way of requesting permission, however we believe in a good relationship with users - users are our customers without whom we would not be employed. For the sake of an email to request access, if it is required to keep a good relationship with our customers then so be it.

Unfortunately SimonDavis is right, there are cowboys out there. However, there are these cowboys at your bank, doctors, and even online grocery store. People take it for granted that their bank information is confidential when there could be someone at the bank browsing your bank account right now.
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Here's a thought. As far as I know the servers that banks run are running NT. They must have to employ admins to run them, so how do they keep the admins out of the things they shouldn't see? There must be a way!

 
Mturner - having worked in a bank, it is not the Admins you have to worry about. What about the people on the other end of the phone who take your calls and can access your account details by just typing in a bank account number or credit card number? These are the same people who ask you to validate who you are by your date of birth, address, telephone number, and even mother's maiden name.

When I worked for a bank, I supported the collections staff (you know, late payment, get a call from these guys). One of the IT Admin guys I worked with had a credit card with this bank, and when he got a call regarding a late payment, that particular collection staff member took great delight in spreading it amongst the other collection staff. He got a bollocking for breach of privacy - yes - but protecting data from IT Admins in this instance is the least of your worries, trust me - you wouldn't believe some of the things if I told you!
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Anybody mind if I take this thread out the back and shoot it?

 
As long as I can beat it with a stick first! Or maybe we should all kick ... errr thank raygg for starting us all off!!
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Actually raygg started this post over a year ago, I think we should all thank PerryTorres for stirring the pot and getting it going again 1 year later.
 
Maybe we should go for a record number of posts????
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Bill Gates of course.

He protects everything.

I can't run half the software on my machine unless I log off of the network (still trying to sort that little delight out in the Win2k forum).
 
I'm sorry that this has turned into an ethics discussion, but when it comes down to being able to trust the administrator, it is ethics.

I'm an administrator for a very large company, and I do have the ability to see all. All HR, Accounting, Sales, Correspondence, and yes, Payroll resides on my corporate servers. I do not know what the president makes per year because I haven't ever looked. Numbers to me are just that, numbers. My job is to guarantee security, performance, and reliability, and I accept that responsibility as I had signed an oath of allegiance to my company. Administrators must practice ethical behavior as a part of their job. If you can't trust him/her then get them out of the server room.

Though there is not a framed document hanging on my wall stating that I am a member of some sort of bar association like a doctor with a Hippocratic oath (maybe there should if one exists), I have taken an oath. Trust or trust not, is that the question?

Dave
 
Some users like us, some users love us, some users hate us, some users just respect us for the job we do.

Some users despise us, some users are against us, some users are paranoid about us, some users don't even bat an eyelid to us.

-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Back to the starting question! How about not using the Administrator account unless absolutely necessary? Don't add anyone to the Domain Admins group, so no one is an admin, then create a new group, "admins" for example, which allows all the stuff admins need but not unlimited access to everybody's work areas. (Sorry about the spelling, hard day and it's getting late!)

Marc
 
Typical Management answer - they just don't have any understanding do they???

Yawn, it is getting late isn't it!
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
This is my first entry

I have the same problem. My Director says that it is fine that us IT geeks have the rights to see everything. But what about the controls? I have audited folders that contain sensitive material. What he suggested (although I am no programmer) is to create a script that would send an email to him as soon as an administrator opens up a folder that is under audit. There are not many folders and only him and the finance Director have access to these folders so he would not receive too much mail. Do you think this is possible?

Thanks
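
The script asked about in the last post can be sketched as follows; this is an added example, not code from any poster in the thread. It assumes the Security log has been exported to CSV with the column names shown, and the folder, account names and mail address are hypothetical; it alerts on any account outside the two authorized ones, which covers administrators.

```python
import csv
import io
import ntpath
from email.message import EmailMessage

# Constructed sample: Security-log records exported to CSV (column names assumed).
# 560 is the NT/2000-era "Object Open" audit event; 528 is a successful logon.
SAMPLE_EXPORT = r"""time,event_id,user,object_name
2001-07-02 09:14:03,560,CORP\director,D:\Finance\Payroll\july.xls
2001-07-02 18:41:55,560,CORP\jadmin,D:\Finance\Payroll\july.xls
2001-07-02 18:43:10,560,CORP\jadmin,D:\FinanceOld\readme.txt
2001-07-02 19:02:27,560,CORP\backupsvc,d:\finance\board\minutes.doc
2001-07-02 19:05:00,528,CORP\jadmin,
"""
WATCHED = [r"D:\Finance"]                              # hypothetical audited folder
AUTHORIZED = {r"corp\director", r"corp\findirector"}   # hypothetical accounts
OBJECT_OPEN = "560"


def is_under(path, folder):
    """True if path is the folder or inside it (case-insensitive, whole components)."""
    p = ntpath.normcase(ntpath.normpath(path))
    f = ntpath.normcase(ntpath.normpath(folder))
    return p == f or p.startswith(f + "\\")


def find_unauthorized_opens(export_text, watched=WATCHED, authorized=AUTHORIZED):
    """Return object-open records on watched folders by anyone not authorized."""
    alerts = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] != OBJECT_OPEN:
            continue
        if not any(is_under(row["object_name"], w) for w in watched):
            continue
        if row["user"].lower() not in authorized:
            alerts.append(row)
    return alerts


def build_message(alerts, to_addr):
    """Build (not send) the notification; hand it to smtplib to deliver."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = f"{len(alerts)} unauthorized open(s) on audited folders"
    msg.set_content("\n".join(
        f'{a["time"]}  {a["user"]}  {a["object_name"]}' for a in alerts))
    return msg


if __name__ == "__main__":
    print(build_message(find_unauthorized_opens(SAMPLE_EXPORT), "director@example.invalid"))
```

An administrator can also clear the Security log or change the audit settings, so the export and the check belong on a host the audited accounts do not control.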
 