Protecting data from the NT admin 2

[raygg]

I am concerned about the ability of an NT admin to look at sensitive documents without authorization.

Assume a NT workstation user on an NT network properly changes his logon password monthly and reveals it to no one.

If the user creates a sensitive MS Word document and saves it to the workstation Personal folder for the user. Can the NT admin read that file without detection by the user?

I presume the NT admin can assume ownership of an folder - but then the user would be locked out of the folder and thereby detect someone else has accessed the folder.

I also presume the NT admin can copy the folders without detection to another machine on the network, assume ownership control and then read any document. Or can he?

 

[SimonDavis]

* Don't go into the cellar . . . there's something down there . . . "

I agree about security on the network, of course. And I think you are 100% correct when you point out that users are probably the weakest link in the security chain.

But if I were to go on and on about it, I'd point out that cracking our network wouldn't help because my files aren't on it. Consequently whilst I believe our network is as safe as it can be, and I do trust our admin (who incidentally posted that barking mad message a few lines above) I don't have to worry about it.

(Lad - I just like arguing. If you're ever in deepest darkest South America, give me a yell and I'll buy you a beer)

 

[Kjonnnn]

To Simon....

LOL... Dont worry about it. Its all in a good discusion.

 

[dvd1234]

Is no one listening to me....forget about trust.....

what about control

get with the program. Read my last entry from yesterday

please

 

[TheLad]

Will someone tell dvd1234 to calm down?? Some people just take life too seriously ..... -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[SimonDavis]

As resident diplomat, please allow me . . .

DVD

We did read your posts. It has already been suggested, cogitated and spat out.

Generating a report is not in any way a 'control' over access anyway, it is a report.

 

[FilthPig]

Die thread! DIE! DIE!!! Marc Creviere

 

[TheLad]

"We are gathered here today to witness the death of this thread. May we thank all who has participated in it ..." -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[Mturner]

sorry to break the curfew but IF the management get woried about admins accessing data THEY THEMSELVS or the highest person in the company should be the systems admin, i know its impossible isnt it but if they are that worried about data eing secure they should be the only ones who can see it which means that they would have to be the admin, tough luck i say. i once viewed a file i shouldnt have, i wasnt being sneakey but i was restoreing a file from a backup and the virus scanner didnt like the file, it was a simple 14k word document i scanned it and the scanner moaned but didnt tell me why (typical!) my thery was that the document had a macro in it (lots of problems with macros at the time) so i dumped the file on my standalone test machine and opended it to see if it was, yes it was a macro in the file so i pressed the dissable butten and closed the document but in the bold text at the top there was a warning about job cuts or something like that so i was worried for ages about job cuts, and 2 years later im still here, so i wouldnt even be tempted to look at a file i shouldnt incase it contained something that woried be, i would prefer to here it officially and then worry.

so the point im trying to get accross is the "provate documents" that people try to hide from admins are usally ones that would concern them, so i wouldnt look at them, i would much rather read people argueing in this post!

Marc

 

[dvd1234]

SimonDavies,

Call it what you may. Would you not like a report to show to your superiors when you or some one in your team are suspected.

Its just a control, report, call it what you like. I am trusted here at my job I would hate for that trust to be broken on mere suspect.

Ta

 

[SimonDavis]

Well, I like to call it a report. You like to call it a control, which it isn't.

There are several issues being argued about here;

- Can you stop the admin accessing files on an NT network?(leaving aside whether you need to). Answer seems to be no.

- Should you stop the admin accessing files? The answer seems to be no. (mostly)

- If you are determined to stop the admin accessing the files, can you keep them off of the network? Answer of course is yes, but as the admins point out, it may not be any more secure.

- Does this mean you don't trust the admin? The answer is being debated. It's not the only reason to want to do this. As far as I'm concerned it's a conclusion that's being jumped to.

- If the admin does decide to play about with the files, can you catch him? DVD thinks so. I doubt it.

- In view of the fact that the original post asked whether he could be stopped from accessing files, would it make any difference even if you did have this script? No it wouldn't.

The point is, we're not talking about catching, we're talking about preventing. At least that's what I thought.

 

[TheLad]

Just for the record:

DVD - if there was some sort of reporting tool on my companies network, it would not bother me. If I suddenly had the overwhelming desire to look at some confidential material and realising that an auditing tool was watching my every move, it would take me seconds to devise a way around it without getting caught.

SimonDavies - Beware of new virus outbreaks on computers everywhere, such as...

Oprah Winfrey virus: Your 200MB hard drive suddenly shrinks to 80MB and then slowly expands back to 200MB.

AT&T virus: Every three minutes it tells you what great service you are getting.

MCI virus: Every three minutes it reminds you that you're paying too much for the AT&T virus.

Paul Revere virus: This revolutionary virus does not horse around. It warns you of impending hard disk attack -- once if by LAN, twice if by c:>

Politically Correct virus: Never calls itself a "virus", but instead refers to itself as an "electronic microorganism."

Ross Perot virus: Activates every component in your system, just before the whole dang thing quits.

Arnold Schwarzenegger virus: Terminates and stays resident. It'll be back.

Dan Quayle virus: Prevents your system from spawning any child process without joining into a binary network.

Government Economist virus: Nothing works, but all your diagnostic software says everything is fine.

New World Order virus: Probably harmless, but it makes a lot of people really mad just thinking about it.

Federal Bureaucrat virus: Divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of your computer.

Gallup virus: Sixty percent of the PCs infected will lose 38 percent of their data 14 percent of the time (plus or minus a 3.5 percent margin of error).

Texas virus: Makes sure that it's bigger than any other file.

Adam and Eve virus: Takes a couple of bytes out of your Apple.

Congressional virus: The computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem.

Airline virus: You're in Dallas but your data is in Singapore.

Freudian virus: Your computer becomes obsessed with marrying to its own motherboard.

Public Television virus: Your programs stop every few minutes to ask for money.

Elvis virus: Your computer gets fat, slow and lazy, then self distructs only to resurface at shopping malls and service stations across rural America.

Ollie North virus: Causes your printer to become a paper shredder.

Nike virus: Just does it.

Sears virus: Your data won't appear unless you buy new cables, power supply and a set of shocks.

Jimmy Hoffa virus: Your programs can never be found again.

Congressional virus #2: Runs every program on the hard drive simultaneously, but doesn't allow the user to accomplish anything.

Imelda Marcos virus: Sings you a song (slightly off key) on boot up, then subtracts money from your Quicken account and spends it all on expensive shoes it purchases through Prodigy.

Star Trek virus: Invades your system in places where no virus has gone before.

Health Care virus: Tests your system for a day, finds nothing wrong, and sends you a bill for $4,500.

George Bush virus: It starts by boldly stating "Read my docs...No new files!" on the screen. It proceeds to fill up all the free space on your hard drive with new files, then blames it on the Congressional virus.

L.A.P.D. virus: It claims it feels threatened by the other files on your PC and erases them in "self-defense."

Oral Roberts virus: Claims that if you don't send it a million dollars, its programmer will take it back. -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[TheLad]

Sorry, got bored of trying to protect data ... -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[dvd1234]

Okay..point taken...

Thank you all. Silly question though, what do banks do to protect their Data...any ideas?

SimonDavies...good points made.

Lets kill this thread

 

[TheLad]

Banks is a sore subject with me. You see, even the guy or girl on the desk can access anything on the system providing they have an account number. And again, with the imaginative guessing of passwords, data could easily be viewed.

I know of a UK Bank that had a PC nicked from an unsecure part of the ground floor, not too bad you may think. But they ended up having to re-issue over 1 million credit cards because the PC contained credit card numbers of account holders.

Now DVD my friend: NO MORE!!!!! PLEASE????? -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[Kjonnnn]

Secure information on any server is on a "need to know basis" ... so i think if we can get one point out of this dead horse (not sure really, i think i saw a hoof move), no matter HOW secure your system is SOMEBODY, if its only one person, has access to it. You CANT get around that. Now you can monitor access, but for that person who has access if they wanna peek, they can, you can monitor and make the system will tell on them, or they may get fired, but if they wanna peek they will. So it goes back to that word some are gettn sick of.. trust.

Back to clarify a previous point... Its not that an IT person needs to look at sensitive information to work on a workstation or service, but full access to that machine gives the "opportunity", for which some people dont like.

 

[Mturner]

heres how i sort the problem: if someone puts a file thats private on our network which is not in pgp (which i have set up on all the stations so that private information can be kept that way) anyway if its not pgp'd then its there falt if i open in for any reason, i solve this problem by adding this message to the logon screen:

PRIVATE/CONFIDENTIAL MATERIAL MUST NOT BE PLASED ON THE NETWORK, NO UNORTHERISED SOFTWARE IS TO BE USED ON THE NETWORK. YOUR FILES MAY BE ACCESSED BY THE ADMINISTRATOR

i think that covers me

Marc

 

[ejstrom]

I am an admin of 450 users, if it goes on any of the servers under my control then I have access to it. If a user wants to hide something then guess what, as with everything else in this world you "HIDE" things because you are being a sneak. My user policies don't allow "users" to audit, they can zip it closed and password it, and all we have to do is run Locksmith on it and bang it opens and nobody will ever know. With over 56,000 directories and 700,000 documents I don't have time to be nosey. And any Admin worth his weight in salt doesn't either. This is a sore point with me cause it comes up every day at every meeting. And yes after 97 responses it is time to kill this thread

 

[TheLad]

No way, we might as well get at least 100 posts for our sins! -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------

 

[dvd1234]

I agree with TheLAd

Lets get our 100 posts in

Lets get our hands on another thread

ta

 

[TheLad]

Can I just agree with you and say that I agree with the fact that we should attempt to reach the milestone of 100 posts in this particular thread.

In an attempt to reach that milestone, I would like to partake in the posting of this message. -----------------------------------------------------
"It's true, its damn true!"
-----------------------------------------------------