General discussion

Locked

Preventing access to Admins

By ithink2020 ·
The COO of the company has requested that he have a folder on the network (or his local computer), which only he has access to. He is asking the not even Domain Admins be able to access this folder. He does not want to use a program that requires him to type in a password every time he needs to access a file/folder. Also, our network security policy does not allow users to access Internet storage sites.

I have looked at the built-in file encryption in Windows, but Admins can take ownership of files and reset the permissions on the folders. I have also looked into a couple third party programs, but the ones I have looked at require a password every time you want to access the folder you are working with.

Is there a way to block Admins from folders? Or does anyone know of any third party software that will lock down a folder, but once set up, requires no user interaction?

I need an answer ASAP. First person to give an answer that they know works, gets all 1000 points!
Thank you,

Matt Schmitt
IT Tech.

This conversation is currently closed to new comments.

20 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Preventing access to Admins

by DKlippert In reply to Preventing access to Admi ...

Admin is the Alpha dog. They can always take back ownership.
If Admin had no control, there would be no backups.
If the COO does not want passwords, look into the thumbprint dongle. Give them a laptop to keep locked in their safe.

Collapse -

Preventing access to Admins

by ithink2020 In reply to Preventing access to Admi ...

I did look into a thumbprint divice, but recent news shows that they are easy to circumvent. He has a laptop, but if one of the IT staff has to "work" on his computer, then they can look at his files.

Collapse -

Preventing access to Admins

by Ann777 In reply to Preventing access to Admi ...

Why does it have to be on the network if nobody else is to have access?

I recommend that he/she backup these files to floppy, cdr, cdrw, zip, jaz or whatever. There are also usb devices that can hold up to 512 MB ( www.diskonkey.com) that he can secure with his own password, etc.

Collapse -

Preventing access to Admins

by ithink2020 In reply to Preventing access to Admi ...

It doesn't have to be on the server, but we would like it on the server in case his HD crashes. He does have a zip drive, but he is looking for something that he doesn't have to always plug-in or insert when he needs to access these files.

Collapse -

Preventing access to Admins

by artk In reply to Preventing access to Admi ...

PGP personal version 8.0 is a great product. The PGP disk can be created and files can drag and drop in it. No way to crack it yet. Even though it is not a usual practice, change the setting to cache his passphrase for as long as he is on the network, and advise to secure he PC when not at it. (Options - Single sign on - set the time). He will have to type the passphrase once a day if machine stays logged in.

Collapse -

Preventing access to Admins

by ithink2020 In reply to Preventing access to Admi ...

The question was auto-closed by TechRepublic

Collapse -

Preventing access to Admins

by shmaltz In reply to Preventing access to Admi ...

artk syas he has the answer, well I belive you don't need anything else. But I decided to write this since this question is being asked every so often. Security and convenience don't get along, if he wants something without a password (which means no windows security, but a 3rd party solution) then the admin will always have access to it. You are forced to trust your admin, of course this also means that you have to research the admins background before you hire him/her. There should be no reason why a boss shouldn't trust his/her admin, if your boss is paranoid then tell your boss, you where not hired to deal with his paranoia, paranoia also means giving up alot of convinient things in live, otherwise someone with a case of paranoia wouldnever go for treatments. By locking out the admin completely (of course anyone doing so will claim security) you defete the purpose of security. One suggestion I once saw about paranoid bosses was that the password of the admin is devided in 2 and 2admins have share on half of it, that way you can only log on with the other admin. Of course this also means if the other admin is on vacation and the network is down, that you have to terminate the other admins vacation (usually not a good idea since the admin can try to do something in return for the boss, and in most cases the admin has the power to render a boss powerless, another reason you have to trust your admin).

Collapse -

Preventing access to Admins

by shmaltz In reply to Preventing access to Admi ...

A computer is only a machine, it will always follow instructions, unlike ppl that will do as they desire. Do secure a computer like your boss wants means not using the computer (or at least not have it connected to the network), since somone with enough knowledge about computers can always get in if he has access to the machine (I don't mean thru the network here).

Collapse -

Preventing access to Admins

by ithink2020 In reply to Preventing access to Admi ...

Thank you for the coments, but this didn't help.

Collapse -

Preventing access to Admins

by Pokhylchenko In reply to Preventing access to Admi ...

Realy good question, though a rather weird task.

Get him Linux (or *BSD) with samba, "security=server". That will protect his precious folder. For his routine work with publicly accessed documents get him some Citrix Metaframe client for acces tosome of your NT4TSE or 2K with Office (or get him rdesktop if he wants it free).

IMHO, there are no ways of being in domain only by means of M$ and to have something 100% protected from admin's access.

Back to Networks Forum
20 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums