Announcement

Collapse
No announcement yet.

Securing a share/folder from Admin

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Securing a share/folder from Admin

    Hi
    I have looked into something like this a long time ago but the solution aludes me at the moment.

    I have been asked to look into the following:
    Have a folder on a Windows 2003 file server that is restricted to the HR-Group only (no Domain administrators)

    I know that I can setup the folder and share restrictions to that group. We use the BackupExec and its account would also need access to the files to ensure that the data does get backed up.

    So this comes down to the backup administrators would then be able to see/access the files that they should be restricted to.

    The other option that I was thinking of is using something like PGP product or Truecrypt that would preform container based encryption so that unless you have the encryption key for that container, the backup and restore would be back to a flat file backup so that the contents would not have to be known just have to note that a restore would require a user in that group to unlock and move the file in question.

    Since this is a small group of users (about 6) is there a project/product that would allow for multiple people to access an encrypted container? So that if required the container could be relocated to a new server if needed?

    Thanks

  • #2
    Re: Securing a share/folder from Admin

    Realistically, what do they need to secure
    If it is just some word / excel files, password protection is an option.

    In general, though, if you remove admins from the permissions but leave the System account, most backup software should be able to access the files -- obviously a designated person could restore somewhere else and maybe gain access. I am sure I have done this with backup exec.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Securing a share/folder from Admin

      And removing Domain Admins won't give you a lot of joy since they can override the permissions.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"

      Comment


      • #4
        Re: Securing a share/folder from Admin

        That is the key fact that if a Admin wanted to they could add themselves. Or being a bit sneaky to just add another user to the list to such a share.

        It all comes down to paranoia, and accountability.

        That would bring up the other option of TrueCrypt style container encryption, just a product that can have multiple users linked to it, if it exists for a small scale users base of only 10 users.

        Comment


        • #5
          Re: Securing a share/folder from Admin

          But if you can't trust the admins, why are they admins in the first place?
          What if something goes wrong and the admin needs to fix it?
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"

          Comment

          Working...
          X