restrict folder access from admin?

Thread starter: Ron Wagner

I need to be able to have a shared directory that is only accessible by a
few users. The directory will hold company sensitive material that should
not be visible to the net-admin. Is this possible?

I tried specifically allowing a group and setting domain admin to deny
access, yet the Administrator account from the server was still able to take
ownership and thereby gain access to the directory. Where did I go wrong?

The directory is on a server computer (can't remember what OS but I think
it's Win2k) and the disk is formatted NTFS.
 
Ron Wagner said:
I need to be able to have a shared directory that is only accessible by a
few users. The directory will hold company sensitive material that should
not be visible to the net-admin. Is this possible?

I tried specifically allowing a group and setting domain admin to deny
access, yet the Administrator account from the server was still able to take
ownership and thereby gain access to the directory. Where did I go wrong?

The directory is on a server computer (can't remember what OS but I think
it's Win2k) and the disk is formatted NTFS.

It is not possible to lock an administrator out. By definition, an
administrator can get into anything. Your best bet is to put this on a
server that the Domain Admins do not have admin rights to (this would
generally mean a standalone server that is not part of the domain.)
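The following is an added walkthrough (not part of the thread, and not code from either poster) of what the original post describes and why the reply above is right. It assumes a domain-joined member server with an NTFS volume D:, a domain CONTOSO, a group CONTOSO\FinanceOnly that is meant to have access, and a session running as a member of the server's local Administrators group (which Domain Admins is, by default, on every member server). Every path and name is a placeholder.

```powershell
# Added example, not from the original thread. Assumes a member server with an
# NTFS volume D:, domain CONTOSO, group CONTOSO\FinanceOnly, and a session that
# is a member of local Administrators. All names and paths are placeholders.
$Folder = 'D:\Sensitive'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# --- Step 1: what the original poster tried. Cut inheritance, allow the group
# --- explicitly, and add an explicit Deny for Domain Admins.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CONTOSO\FinanceOnly', 'Modify', $inherit, $prop, 'Allow')
$deny  = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'CONTOSO\Domain Admins', 'FullControl', $inherit, $prop, 'Deny')

$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)                     # Set-Acl orders Deny ahead of Allow
Set-Acl -Path $Folder -AclObject $acl

# --- Step 2: why it does not hold. Administrators carry privileges that the
# --- kernel honours before it ever looks at the DACL. Check they are present:
whoami.exe /priv | Select-String 'SeTakeOwnershipPrivilege|SeBackupPrivilege|SeRestorePrivilege'

# (a) Take ownership. This uses SeTakeOwnershipPrivilege; the Deny ACE is never
#     consulted. /A gives ownership to the Administrators group, /R recurses,
#     /D Y answers the per-directory prompt.
takeown.exe /F $Folder /A /R /D Y

# (b) An owner is always granted READ_CONTROL and WRITE_DAC on its own object,
#     so the Deny entry can simply be removed and a new Allow written.
icacls.exe $Folder /remove:d 'CONTOSO\Domain Admins' /T
icacls.exe $Folder /grant 'BUILTIN\Administrators:(OI)(CI)F' /T

# (c) Or skip the ACL entirely: backup mode (/B) opens files under
#     SeBackupPrivilege, which bypasses the DACL for reads.
robocopy.exe $Folder 'D:\SensitiveCopy' /E /B

# --- Step 3: what is left behind. The only evidence is the changed owner and
# --- the missing Deny entry (plus object-access audit events, if enabled).
(Get-Acl -Path $Folder).Owner
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The practical takeaway matches the reply: a Deny ACE only governs the access check, and an administrator's token is allowed to sidestep that check in three separate ways (take ownership, rewrite the DACL as owner, read in backup mode). The only lever a non-admin has is auditing, so that the owner change and the ACL rewrite at least show up in the Security log.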
 
What do organizations do that need very tight compartmentalized security
(e.g. government classified)? Does the administrator have to be cleared for
all access?
 
Ron Wagner said:
What do organizations do that need very tight compartmentalized security
(e.g. government classified)? Does the administrator have to be cleared for
all access?

Generally, yes the network admin staff for a sensitive network would have a
very high clearance (high enough for any info that is being stored there.)
Remember... if the admin has keys to the server room, he can bypass ANY type
of computer-based access controls. And this may in fact be necessary and
legitimate if he has to fix something.

Encryption is an option... Windows has that feature built in but a domain
admin could recover it. You have to be careful about locking too many
people out via encryption or you might lose access completely. (Think of a
scenario where only two people have access to the critical files. They are
in a car together and die in a horrible accident. Now nobody can get that
info and the company goes bankrupt.)
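An added example (not from the thread) of the two points in the reply above: a domain admin can recover EFS-encrypted files because the domain's Data Recovery Agent is included on every file, and the "two people in one car" problem is handled by giving more than one key the ability to decrypt. It assumes the same D:\Sensitive folder on NTFS, a domain whose Group Policy publishes an EFS recovery agent (the default when EFS is in use), and a second user's exported EFS certificate at C:\certs\second-user.cer. All paths are placeholders.

```powershell
# Added example, not from the original thread. Assumes D:\Sensitive on an NTFS
# volume, a domain that pushes an EFS Data Recovery Agent via Group Policy, and
# an exported EFS certificate for a second user at C:\certs\second-user.cer.
$Folder = 'D:\Sensitive'

# Encrypt the folder and its contents with the current user's EFS key.
# /E encrypts, /S:dir applies to the directory tree, /A includes files.
cipher.exe /E /S:$Folder /A

# Show who can decrypt. For each file, cipher lists the user certificate(s)
# and, separately, the recovery certificate(s). The recovery entry is how a
# domain admin gets the data back without the user's key, which is the
# "a domain admin could recover it" caveat in the reply.
cipher.exe /C /S:$Folder

# Guard against losing the only key: add a second user's public key to every
# file so either of them can decrypt without going through the recovery agent.
cipher.exe /ADDUSER /CERTFILE:C:\certs\second-user.cer /S:$Folder

# Generating a new recovery agent key pair (recovery.cer + recovery.pfx) for
# enrolment through Group Policy. cipher prompts for a password to protect the
# .pfx; whoever holds that .pfx can decrypt every file, so keep it offline.
cipher.exe /R:C:\certs\recovery

# Verify: re-list the certificates. Both users should now appear under the
# user entries, and the recovery agent under the recovery entries.
cipher.exe /C /S:$Folder
```

Note that this does not change the reply's conclusion. Whoever controls Group Policy controls which recovery certificate is stamped onto new files, so EFS on a domain member raises the bar for an admin from "take ownership" to "use the DRA key", but does not lock them out.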
 