Protecting data from the NT admin 2

raygg

Technical User
Jun 14, 2000
397
US
I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume a NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user, can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of a folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?
 
How does it help that the MD knows you've read it? Are we talking about 'catching' the admin up to no good (I don't think we are) or preventing the breach in the first place?

In your scenario, you've still read it, even if you get caught.

Anyway, so the MD says to the Admin 'Please write me a script that will tell me when you're breaching security, so I can sack you'.

'OK boss. I'll be sure to write something really secure for you.'

The debate (when I joined it) was the admins saying that the company doesn't have the RIGHT to keep things from them. That's rubbish.

Of course they can read what they like. After all, scripts/permissions whatever, they are normally far more knowledgeable about these than anybody else. If you want a 100% guarantee that they won't read something, keep it physically out of reach.

At the end of the day it's not the Admins' choice, it's the company's. I can only assume that the 'how can you possibly think such a thing' camp above are getting out of their prams because they think they own the systems, not run them.

Sorry guys, nobody is doubting you, but if we choose to keep our data elsewhere, it's our choice and risk. It's our data.
 
I can't argue with anything Simon says (there's a song in there somewhere!) Data stored on the system is accessible to the admins. If you don't like this then tough - you should employ admins you trust. If you want to keep data outside the system then fine, but don't complain when it gets lost.
John
 
Here's some more of my 2 cents. What do you IT guys think?

I think non-IT people think confidential stuff is waaay more interesting than those of us who have access to it.

It's like when you were little and having the run of the house the first time you're old enough to be left alone ... after the first time, it's just an empty house.
 
I think that data stored on company workstations or company servers is company property. As an employee of the company, you have no right hiding data from anyone, let alone IT Admins. All companies should have a data protection policy (in line with local Data Protection law), and if by storing data inappropriately you are breaking that policy, repercussions for your company could be great.

The scenario that SimonDavis gave earlier in this thread was that in order to stop IT Admins viewing 'his' data, he would store it on his local workstation. With all due respect to SimonDavis, people fail to realise the security risk this can cause. If someone broke into a firm and nicked a workstation with confidential data on it, what would you do? What risk does this pose to your company?

I think this is a great discussion and I respect everybody's view on the subject even if I disagree with that view. I'd just like to say that in every job I have taken, I have had to sign a confidentiality agreement - this agreement includes data protection.
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
I'm actually a systems administrator.

I wouldn't agree with my idea myself, but for people who want to be secure I thought it might come in useful.

Do you think I have management qualities then!?!

Tell my boss!

Marc
 
It's not a good thing Marc..... :)
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 
Kjonnn - that's because you don't know what it is. How can you judge?

The fact that you use the word 'interesting' says a lot about your attitude. We're talking about stuff that would be of value to competitors for example, which you probably wouldn't find interesting at all. Let's change that word to 'valuable' and apply your reasoning. Doesn't work.

And directing the question at 'IT guys' - You think you are the only people who can have a valid point of view?

While you're scoffing at this pitiful Non-IT's attempt to argue over something at which you are obviously prodigiously talented (changing tapes, wasn't it?), I designed and ran transcontinental Novell / NT networks for 8 years so while I bow to you, as an 'IT' genius, I have got a vague idea of what it is you do all day.

I'll agree to disagree with everybody else.
 
I cannot believe that not one good idea has come from this forum. This is the situation. Now let's work on it....

Boss comes to you and says secure these confidential folders. I want a list of all that open these folders generated to a text file then mailed to me.

What do you say...

"Eh no", or

Yes, there must be some sort of a script that can do this. Although I am an administrator I will find a programmer that might be able to do this...

ARE THERE NO PROGRAMMERS ON THIS FORUM???
 
Dang Simon.

I've been dealing with confidential information for 20 years, but before I was in IT I was the assistant to the General Counsel of the largest trade association in the United States .. for 16 years. I had a room full of confidential documents that, should they leak into the news airways, would be controversial on a nationwide basis, at the least. Only my boss and I had the key to this room. Others always thought it would be so interesting to go peek into these files, which I could easily do without leaving a trail. But that was no interest to me. My boss trusted me and didn't want to break that trust.

I stand by my word "interest" in that it's "interest" in something that causes one to wanna peek into something they should not.

Lay off the name calling. My post was not based on this forum's posts, but based on MY experience pre-IT and current, which is, Non-IT people seem more interested in confidential items than those of us who handle them every day. It's not a personal judgement, nor accusation, but an observation.

I'm a professional, I know what's sensitive material without someone telling.
 
(hopefully useful) analogy :-

If you have a locked room in your office & you ask your Head of Security to install an alarm that records all access to the room, he'll say "yup - sure, no problem".

However, as he's the one who installed & manages it, he'll probably know how to circumvent it (there's ALWAYS a way ...).

However (2), you (hopefully) trust your HoS not to abuse his position (even though he could).

The only way to secure something from everyone, including the HoS would be to install a safe/lock/alarm that only you have the key/code for.

But, if the object being secured is a 'corporate' item, what happens if you're run over by the proverbial bus? Your company would have to ensure that there was access in this case, so you're back to trusting someone else.

Also, who's to say that YOU can be trusted with access to this secret? LOL

-- Just my 2p (& what an interesting thread!)

One by one, the penguins steal my sanity. X-)

 
Hi all

Everybody has a valid point!!!

It all boils down to TRUST. Now the question remains what is trust?

How can you trust someone else if most people can't even trust themselves. This is the worst way of looking at it.

At some point in time society determined that if we want to live together and work together we all needed to trust each other to some point. Now one can trust everybody and burn your fingers or you can trust people to a certain degree.

In any group of people you do get your bad apples. IT is no exception. It is up to every individual to prove his or her worth in any given group.

Hope this Helps

Maruis
"I sleep at home not on my Job!"
 
When you're a cop you can speed!!
When you're a Sys Admin you can read!!

There's nothing you can do about it, but have trust in him/her!!

Cheers
 
When you're a cop you can speed!!
When you're a Sys Admin you can read!!

We rely on police to protect and serve.
The same applies to Admins.

There's nothing you can do about it, but have trust in him/her!!

Cheers
 
So by your analogy, we shouldn't lock our cars and houses, just leave it to the police to protect them?

99.9% of the time you'd be OK, I guess.

(KJonnn - I was getting a bit wild there, wasn't I? Sorry!).
 
Speaking as an IT admin and as a person as well I think that everybody here is right and missing the point at the same time... the point is...

On a network nothing is 'access' safe from the admin of this same network... if so the admin is pointless there... right??? Why would he be needed if he cannot access here or there to fix the problem??
Discussing the various ways of breaking the security on a folder or file is pointless as well. It can be done, and if it is done by an experienced person without tracks.
Is it a moral question??? Sure it is... Is it a professional question??? Sure it is... Does the company have a policy against it??? Mostly all of them do...
So, why is this discussion becoming a nightmare??? Because it is all a matter of point of view, which according to one of the laws in Physics (I don't know who said this...) depends on the referential... If you look as boss you think in a way... if you look as a sneaker, your view is different as well, and obviously, if you look as a retarded that thinks that an MCSE is everything you don't have a decent point of view...


hope it helps settle the fire...


 
Man - a simple question gone haywire.

To answer your question WAY at the beginning of this message is simply - NO, you can not prevent a domain admin (or local admin for that fact) from gaining access to your files if you are using NT ACLs - I am the network administrator and I can simply override any settings a user may place on folders or files - end of story.

Yes, I can take ownership of any file or folder I want and leave a trail behind if I wanted or clean up on my way out.

Yes there are other means such as 3rd party software/tools and depending on the system policies (not computer policies) the network admin has in place will depend if you the user can install the software or not.

As being the network admin - if I wanted to get at your files that bad, I would simply run L0phtCrack against my domain SAM file and have your password in anywhere from 3 secs to 24 hours depending on your password policy.

As far as the other items that have been brought up about ethics and all of that - that is on a company by company basis as to what a system admin can or can't do.

I will make one note though like everyone else - if you can't trust your network admin - get rid of him.

The policy at our company is - if it is on the company's computer, it's company property and I have access to it. Now the ethics come in - do I look at files that are sensitive or "PERSONAL". No, not unless I am directed to by one of the owners.

Later
Paul
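
Added example, not part of any post in this thread: a sketch of the access report asked for earlier ("a list of all that open these folders") that also flags the take-ownership step Paul describes. It assumes object-access auditing is enabled and the events have been exported to CSV; the column names, accounts, paths and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of object-access audit events (format is assumed).
SAMPLE_EXPORT = r"""time,user,object,access
2001-03-05 09:12:44,CORP\jsmith,D:\Confidential\Board\minutes.doc,ReadData
2001-03-05 22:41:03,CORP\admin1,D:\Confidential\Board,WRITE_OWNER
2001-03-05 22:41:20,CORP\admin1,D:\Confidential\Board\minutes.doc,ReadData
2001-03-05 22:50:00,CORP\admin1,D:\ConfidentialOld\notes.txt,ReadData
2001-03-06 08:00:10,CORP\MD,d:\confidential\Board\minutes.doc,ReadData
"""

PROTECTED = r"D:\Confidential"                   # hypothetical protected folder
AUTHORIZED = {r"corp\md", r"corp\jsmith"}        # hypothetical allow-list (lowercase)
OWNERSHIP_RIGHTS = {"WRITE_OWNER", "WRITE_DAC"}  # rights used to take ownership / rewrite the ACL


def is_under(path, root):
    """True if path is root or below it; NTFS paths compare case-insensitively."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")  # a bare prefix test would match ConfidentialOld


def build_report(export_text, root=PROTECTED, authorized=AUTHORIZED):
    opened = defaultdict(set)  # user -> objects touched under root
    alerts = []                # (time, user, object, reason)
    for row in csv.DictReader(io.StringIO(export_text)):
        if not is_under(row["object"], root):
            continue
        user = row["user"].lower()
        opened[user].add(row["object"].lower())
        if row["access"] in OWNERSHIP_RIGHTS:
            alerts.append((row["time"], user, row["object"], "owner/ACL change"))
        elif user not in authorized:
            alerts.append((row["time"], user, row["object"], "not on allow-list"))
    return opened, alerts


def format_report(opened, alerts):
    """Plain-text body suitable for writing to a file or mailing."""
    lines = ["Accounts that accessed the protected folder:"]
    lines += [f"  {user}: {len(objs)} object(s)" for user, objs in sorted(opened.items())]
    lines.append("Entries needing review:")
    lines += [f"  {t}  {u}  {o}  ({why})" for t, u, o, why in alerts]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*build_report(SAMPLE_EXPORT)))
```

Since an admin can clean up a local log, a report like this only carries weight if the events are forwarded to a host that admin does not control.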

 
Dear Bob! Will nobody tell these people anything?

+ If you store any data in electronic formats it can and quite possibly will be accessed by somebody. OS and security issues aside ...

A crafty sysadmin (or indeed other knowledgeable user) in an NT environment could probably have you pass the data on to him/her without them ever accessing a protected file on your workstation and without triggering audit events or bringing the act of passing on the data to your attention;

Let's look at a network (and I don't mean 'NT admin') admin with a packet analyzer sitting on the LAN monitoring data sent to a printer - encryption is clear and (s)he's simply capturing/reading clear text (printer controls aside);

let's look at any script kiddy with a downloaded bit editor who can read the disk contents and later decipher them or mutilate them.

Dear Bob! If you can't trust your sysadmins fire them; if you're totally paranoid I'd suggest a suitable hospital; if you can't trust yourself to hire people that you can trust: fire yourself!

The best protection against a knowledgeable or privileged user having access to data on any network is the likelihood that sysadmins are likely to be too busy.

btw: Forget wireless! Your snoopy knowledgeable user doesn't even need to connect to your network physically and only needs a laptop with suitable software and to be near your building ...

Aside from busy sysadmins if you really want your data to be free from prying eyes: don't ever put it on a networked machine at all. Keep it on a standalone device in a locked room! There is really no other effective solution - all else is delusion or more accurately protection but remember even condoms fail!

don't worry, be happy, don't worry, be happy, ...
 
Makes me laugh because everybody goes on about IT Admins looking at files, when a potential hacker could easily get a user's password by looking over his/her shoulder when they are typing it in.

Some users (not all) are not usually very intelligent when thinking up passwords. For example, a good bet would be the name of their spouse, kids, cat, dog. Then add 01 for January, 02 for February etc...

Then there is the guy that left. Personnel have been informed but not relayed the information to IT so this guys account is still live on the system (bad management and communication). He has given his password to his Manager so the temp that has come in to cover can use his account.

I can see that things have got quite passionate since my last post (I thought MTurner and I were lightening the mood!). Guess I won't say anything to SimonDavis for fear he may track me down ;)

No matter how you work it, as long as your company has a good security policy for both users as well as IT Admins, you have won half the battle. You just need to make sure that you get decent IT Admins in, and get a policy that stops the users putting in guessable passwords every month.

Hey, calm down - sounds like a Government back-stabbing meeting here :(
-----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------
 