
Protecting data from the NT admin 2

Status
Not open for further replies.

raygg

Technical User
Jun 14, 2000
I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume an NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user, can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of a folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?
 
Well POST 101

Let's leave the users and managers to argue over whether we should or could access files.

In the meantime let us do our jobs to the best of our ability!!!

Have fun!!! Hope this Helps

Maruis
"I sleep at home not on my Job!"
 
If the partition on the NT workstation is formatted as NTFS and all other permissions have been removed except for the user in question, the administrator will not be able to copy the file or read it. Furthermore, without the advanced "list" permission he won't even be able to see the folder that contains the files. However, he can take ownership (if he can't see the folder, he can take ownership of a higher-level folder or entire drive he can see, apply ownership to all child objects, then reset permissions on all child objects). There is a catch, though. He can't give ownership back to the user, therefore the ownership will show up as the "Administrators" group, and therefore the user will know that the Administrator has taken ownership. On NT4 the actual member of the Administrators group that took ownership will not be revealed without setting up auditing.
Hope that helps!
John McGregor MCSEnt4,MSCEwin2k,CCNA
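
The ownership tell described in this post can be checked from the user's side. The following is an added example, not code from the thread: it walks a folder tree and reports any object whose owner is not the expected account, or whose ACL grants access to anyone else. The function name, the path and the account name are hypothetical.

```powershell
# Added example (not from the thread). Run as the user who owns the data.
function Find-OwnershipDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,           # folder to audit
        [Parameter(Mandatory)][string]$ExpectedOwner   # e.g. 'CORP\raygg' (constructed)
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Compare SIDs, not names, so renamed or localized accounts still match.
    $account     = New-Object System.Security.Principal.NTAccount($ExpectedOwner)
    $expectedSid = $account.Translate($sidType).Value

    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Losing the ability to read your own ACL is itself a finding.
            [pscustomobject]@{ Path = $item.FullName; Finding = 'ACL unreadable'
                               Detail = $_.Exception.Message }
            continue
        }
        # Owner changed, e.g. to the Administrators group after a take-ownership.
        if ($acl.GetOwner($sidType).Value -ne $expectedSid) {
            [pscustomobject]@{ Path = $item.FullName; Finding = 'Unexpected owner'
                               Detail = $acl.Owner }
        }
        # Any Allow entry for another principal means permissions were reset.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -ne $expectedSid) {
                [pscustomobject]@{ Path = $item.FullName; Finding = 'Extra Allow ACE'
                    Detail = "$($ace.IdentityReference.Value): $($ace.FileSystemRights)" }
            }
        }
    }
}

# Constructed usage; substitute your own folder and account:
# Find-OwnershipDrift -Path 'D:\Personal' -ExpectedOwner 'CORP\raygg' | Format-Table -AutoSize
```

On Windows versions later than NT4, an account holding the restore privilege can set an arbitrary owner, so a clean result here is weak evidence; object-access auditing remains the way to learn who touched the files.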
 
I'll probably get kicked off for this, but anyone remember this post! It's been a long time, hasn't it! Wow, December 7 2000! Wow, some people even posted on Christmas Day! Sweet memories of old times!

Marc Turner
Network Manager

E-Mail: Mturner@turnerm3.fsnet.co.uk
 
Hello,

My suggestion would be to purchase a laptop. You own it and can bring it into work to work on YOUR sensitive data. As an NT sysadmin I have the full rights to anything wired to the network. If you buy a laptop and never put it on the network, it is secure from a sysadmin. Also, if you are an admin, use the LogonMsg settings in the registry to MAKE the user agree to the policy before they log in.

As it has been said before, keep personal data off of your corporate networks, email, and terminals.

Also a correction to the post above about a monitoring tool:

TUCOWS no longer hosts the file 007starr

You can get a copy by right clicking this link and selecting "save target as"

** YOU CAN ONLY INSTALL SOFTWARE IF THE ADMIN LETS YOU **

:) I think this thread is done, put a fork in it. :)

Good day/night to all here @ Tek-Tips

Brian Velkavrh
Sr. Consultant - BPV Webdesigns
Network+ Certified Engineer
 