How can I get access to files and folders on my portable d..

Anonymous
July 12, 2005 3:46:38 PM

Archived from groups: microsoft.public.security, microsoft.public.security.homeusers, microsoft.public.windowsxp.security_admin

Hello
How can I get access to my files and folders on my portable drive on other
computers? I do not want to give access to a Windows XP group because I
don't want Administrators of our domain to have direct access to my files
on the drive. They will not take ownership because I will see the taking.
I want to get access by a password.
Anonymous
July 12, 2005 3:46:39 PM

Still struggling with this hey Dmitry ?

Since you cannot install anything on the machines where this
will be used, you really need to just use NTFS.

To get it set up you will for a while have to have a grant to a
built-in group, like Users, unless you can log in as an admin on
each machine where use is needed.
1. set full control for Users on the external NTFS;
   then on each system where it will be used
2. set full grant to the account used on that system;
   when doing this
   2a. the grants to accounts from other systems are known only
       on the other systems and so will show up as SID strings or
       as Unknown - leave them alone.
3. when you set the grant to the last account, on the last system
   where this will be used, remove the grant of Full to Users
   that was only needed in order to be able to make the grants
   to the specific users

Whatever temporary group, like Users above, used to build
up the desired permissions must be understood on each system
so it must be a builtin group that will include the account you
log in with on each system.

--
Roger Abell
Microsoft MVP (Windows Security)

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> Hello
> How can I get access to my files and folders on my portable drive on other
> computers? I do not want to give access to a Windows XP group because I
> don't want
> Administrators of our domain have direct access to my files on the drive.
> They will not take ownership because I will see the taking. I want to get
> access by a password.
>
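Added example, not part of the post above or of any code from this thread: a small Python model of why the procedure needs a temporary grant to a built-in group, and why foreign accounts show up as raw SID strings. It models only allow entries matched by SID (ownership, deny entries and privileges are left out), and the machine names, account names and S-1-5-21 SIDs are constructed.

```python
from dataclasses import dataclass, field

BUILTIN_USERS = "S-1-5-32-545"  # well-known SID, identical on every Windows install
FULL = frozenset({"READ", "WRITE", "WRITE_DAC"})  # WRITE_DAC = may edit the ACL


@dataclass(frozen=True)
class Account:
    machine: str   # machine whose account database issued this account
    sid: str       # constructed sample SID: per-machine prefix plus RID
    groups: frozenset = frozenset({BUILTIN_USERS})


@dataclass
class Volume:
    """ACL on the root of the portable NTFS volume: SID -> granted rights."""
    acl: dict = field(default_factory=dict)

    def allowed(self, who, right):
        # Access is decided by SID only; names play no part in the check.
        sids = {who.sid} | who.groups
        return any(right in self.acl.get(s, ()) for s in sids)

    def grant(self, actor, sid, rights=FULL):
        if not self.allowed(actor, "WRITE_DAC"):
            raise PermissionError(f"{actor.sid} may not edit the ACL")
        self.acl.setdefault(sid, set()).update(rights)

    def revoke(self, actor, sid):
        if not self.allowed(actor, "WRITE_DAC"):
            raise PermissionError(f"{actor.sid} may not edit the ACL")
        self.acl.pop(sid, None)

    def shown_on(self, machine, directory):
        """Labels an ACL editor on `machine` could display for each entry."""
        labels = []
        for sid in self.acl:
            if sid == BUILTIN_USERS:
                labels.append("BUILTIN\\Users")          # resolvable everywhere
            elif sid in directory.get(machine, {}):
                labels.append(directory[machine][sid])    # local account
            else:
                labels.append(sid)                        # foreign: raw SID string
        return labels


def run_procedure():
    # Constructed accounts on three machines (hypothetical names).
    home = Account("HOME", "S-1-5-21-1111-1111-1111-1003")
    office = Account("OFFICE", "S-1-5-21-2222-2222-2222-1005")
    other = Account("KIOSK", "S-1-5-21-3333-3333-3333-1001")
    directory = {
        "HOME": {home.sid: "HOME\\owner"},
        "OFFICE": {office.sid: "OFFICE\\owner"},
    }
    vol = Volume(acl={home.sid: set(FULL)})
    out = {}

    # Without a shared group the OFFICE account matches no entry at all,
    # so it can neither read the drive nor add itself to the ACL.
    out["office_before"] = vol.allowed(office, "READ")
    out["office_self_grant_blocked"] = False
    try:
        vol.grant(office, office.sid)
    except PermissionError:
        out["office_self_grant_blocked"] = True

    # Step 1: temporary Full grant to the built-in Users group.
    vol.grant(home, BUILTIN_USERS)
    # Cost of the temporary grant: every Users member on any machine matches.
    out["other_during_setup"] = vol.allowed(other, "READ")

    # Step 2: on OFFICE, the local account adds itself via the Users grant.
    vol.grant(office, office.sid)
    # Step 2a: the HOME entry cannot be resolved on OFFICE.
    out["labels_on_office"] = vol.shown_on("OFFICE", directory)

    # Step 3: on the last machine, remove the temporary grant.
    vol.revoke(office, BUILTIN_USERS)
    out["home_after"] = vol.allowed(home, "READ")
    out["office_after"] = vol.allowed(office, "READ")
    out["other_after"] = vol.allowed(other, "READ")

    # A machine visited later cannot be added from that machine.
    out["late_machine_blocked"] = False
    try:
        vol.grant(other, other.sid)
    except PermissionError:
        out["late_machine_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in run_procedure().items():
        print(f"{key}: {value}")
```
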
Anonymous
July 12, 2005 3:46:39 PM

In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
> Hello
> How can I get access to my files and folders on my portable drive on
> other computers? I do not want to give access to a Windows XP group
> because I don't want
> Administrators of our domain have direct access to my files on the
> drive. They will not take ownership because I will see the taking. I
> want to get access by a password.

Roger's reply re NTFS is correct. However, if you're trying to bypass your
network admins, and you are not officially one yourself, I can't help you.
If the data isn't supposed to be on your computer/on the network, don't do
it.
Anonymous
July 12, 2005 11:16:33 PM

Use a 3rd-party security/encryption software - needs to be installed on each
computer where you're using your drive

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> Hello
> How can I get access to my files and folders on my portable drive on other
> computers? I do not want to give access to a Windows XP group because I
> don't want
> Administrators of our domain have direct access to my files on the drive.
> They will not take ownership because I will see the taking. I want to get
> access by a password.
>
Anonymous
July 12, 2005 11:16:34 PM

Owners of computers could not allow installing the software on their
computers. Can't I use Windows for a password protected access?
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:eAhfvJshFHA.2424@TK2MSFTNGP09.phx.gbl...
> Use a 3rd-party security/encryption software - needs to be installed on
> each
> computer where you're using your drive
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> Hello
>> How can I get access to my files and folders on my portable drive on
>> other
>> computers? I do not want to give access to a Windows XP group because I
>> don't want
>> Administrators of our domain have direct access to my files on the drive.
>> They will not take ownership because I will see the taking. I want to get
>> access by a password.
>>
>
>
Anonymous
July 13, 2005 3:26:21 AM

"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>
>
> In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
> Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
> > Hello
> > How can I get access to my files and folders on my portable drive on
> > other computers? I do not want to give access to a Windows XP group
> > because I don't want
> > Administrators of our domain have direct access to my files on the
> > drive. They will not take ownership because I will see the taking. I
> > want to get access by a password.
>
> Roger's reply re NTFS is correct. However, if you're trying to bypass your
> network admins, and you are not officially one yourself, I can't help you.
> If the data isn't supposed to be on your computer/on the network, don't do
> it.
>


Hey, I thought he just wanted to have the pix of the sig-other around
but beyond network admin eyes :) 
--
Roger
Anonymous
July 13, 2005 9:11:01 PM

Thanks for your reply, Roger.
Thus, I have to give the Full grants to the Users group each time there is a
smallest possibility I might need my portable drive contents on any other
Windows NT and remove the grant of Full to Users each time I come back to my
domain Windows XP. I will have to give and remove Full grants too often and
it will take too much time.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> Still struggling with this hey Dmitry ?
>
> Since you cannot install anything on the machines where this
> will be used, you really need to just use NTFS.
>
> To get it set up you will for a while have to have a grant to a
> built-in group, like Users, unless you can log in as an admin on
> each machine where use is needed.
> 1. set full control for Users on the external NTFS
> then on each system where it will be used
> 2. set full grant to the account used on that system
> when doing this
> 2a. the grants to accounts from other systems are known only
> on the other systems and so will show up as SID strings or
> as Unknown - leave them alone.
> 3. when you set the grant to the last account, on the last system
> where this will be used, remove the grant of Full to Users
> that was only needed in order to be able to make the grants
> to the specific users
> Whatever temporary group, like Users above, used to build
> up the desired permissions must be understood on each system
> so it must be a builtin group that will include the account you
> log in with on each system.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> Hello
>> How can I get access to my files and folders on my portable drive on
>> other
>> computers? I do not want to give access to a Windows XP group because I
>> don't want
>> Administrators of our domain have direct access to my files on the drive.
>> They will not take ownership because I will see the taking. I want to get
>> access by a password.
>>
>
>
Anonymous
July 13, 2005 9:19:16 PM

Why do you think the data isn't supposed to be on my computer? Our Admin
just keeps the network working, they are not supposed to see all the
commercial data that other specialists possess.
"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>
>
> In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
> Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
>> Hello
>> How can I get access to my files and folders on my portable drive on
>> other computers? I do not want to give access to a Windows XP group
>> because I don't want
>> Administrators of our domain have direct access to my files on the
>> drive. They will not take ownership because I will see the taking. I
>> want to get access by a password.
>
> Roger's reply re NTFS is correct. However, if you're trying to bypass your
> network admins, and you are not officially one yourself, I can't help you.
> If the data isn't supposed to be on your computer/on the network, don't do
> it.
>
Anonymous
July 13, 2005 9:19:17 PM

In article <#hfE616hFHA.720@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
says...
> Why do you think the data isn't supposed to be on my computer? Our Admin
> just keeps the network working, they are not supposed to see all the
> commercial data that other specialists possess.

You are wrong, the network admin can and will be able to see all data on
the network, if you don't trust the network admin then you need to get a
new one.

It really seems like you're doing something you don't need to be doing
and that you feel you have a reason to hide.



> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
> >
> >
> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
> >> Hello
> >> How can I get access to my files and folders on my portable drive on
> >> other computers? I do not want to give access to a Windows XP group
> >> because I don't want
> >> Administrators of our domain have direct access to my files on the
> >> drive. They will not take ownership because I will see the taking. I
> >> want to get access by a password.
> >
> > Roger's reply re NTFS is correct. However, if you're trying to bypass your
> > network admins, and you are not officially one yourself, I can't help you.
> > If the data isn't supposed to be on your computer/on the network, don't do
> > it.
> >
>
>

--
--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
July 13, 2005 9:21:33 PM

I can log in as an admin on each machine where use is needed.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> Still struggling with this hey Dmitry ?
>
> Since you cannot install anything on the machines where this
> will be used, you really need to just use NTFS.
>
> To get it set up you will for a while have to have a grant to a
> built-in group, like Users, unless you can log in as an admin on
> each machine where use is needed.
> 1. set full control for Users on the external NTFS
> then on each system where it will be used
> 2. set full grant to the account used on that system
> when doing this
> 2a. the grants to accounts from other systems are known only
> on the other systems and so will show up as SID strings or
> as Unknown - leave them alone.
> 3. when you set the grant to the last account, on the last system
> where this will be used, remove the grant of Full to Users
> that was only needed in order to be able to make the grants
> to the specific users
> Whatever temporary group, like Users above, used to build
> up the desired permissions must be understood on each system
> so it must be a builtin group that will include the account you
> log in with on each system.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> Hello
>> How can I get access to my files and folders on my portable drive on
>> other
>> computers? I do not want to give access to a Windows XP group because I
>> don't want
>> Administrators of our domain have direct access to my files on the drive.
>> They will not take ownership because I will see the taking. I want to get
>> access by a password.
>>
>
>
Anonymous
July 13, 2005 9:24:41 PM

Some of the machines where use is needed are Windows XP Home.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> Still struggling with this hey Dmitry ?
>
> Since you cannot install anything on the machines where this
> will be used, you really need to just use NTFS.
>
> To get it set up you will for a while have to have a grant to a
> built-in group, like Users, unless you can log in as an admin on
> each machine where use is needed.
> 1. set full control for Users on the external NTFS
> then on each system where it will be used
> 2. set full grant to the account used on that system
> when doing this
> 2a. the grants to accounts from other systems are known only
> on the other systems and so will show up as SID strings or
> as Unknown - leave them alone.
> 3. when you set the grant to the last account, on the last system
> where this will be used, remove the grant of Full to Users
> that was only needed in order to be able to make the grants
> to the specific users
> Whatever temporary group, like Users above, used to build
> up the desired permissions must be understood on each system
> so it must be a builtin group that will include the account you
> log in with on each system.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> Hello
>> How can I get access to my files and folders on my portable drive on
>> other
>> computers? I do not want to give access to a Windows XP group because I
>> don't want
>> Administrators of our domain have direct access to my files on the drive.
>> They will not take ownership because I will see the taking. I want to get
>> access by a password.
>>
>
>
Anonymous
July 13, 2005 9:44:25 PM

so you could use Administrators instead of Users

--
Roger

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
> I can log in as an admin on each machine where use is needed.
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> > Still struggling with this hey Dmitry ?
> >
> > Since you cannot install anything on the machines where this
> > will be used, you really need to just use NTFS.
> >
> > To get it set up you will for a while have to have a grant to a
> > built-in group, like Users, unless you can log in as an admin on
> > each machine where use is needed.
> > 1. set full control for Users on the external NTFS
> > then on each system where it will be used
> > 2. set full grant to the account used on that system
> > when doing this
> > 2a. the grants to accounts from other systems are known only
> > on the other systems and so will show up as SID strings or
> > as Unknown - leave them alone.
> > 3. when you set the grant to the last account, on the last system
> > where this will be used, remove the grant of Full to Users
> > that was only needed in order to be able to make the grants
> > to the specific users
> > Whatever temporary group, like Users above, used to build
> > up the desired permissions must be understood on each system
> > so it must be a builtin group that will include the account you
> > log in with on each system.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> >> Hello
> >> How can I get access to my files and folders on my portable drive on
> >> other
> >> computers? I do not want to give access to a Windows XP group because I
> >> don't want
> > >> Administrators of our domain have direct access to my files on the drive.
> > >> They will not take ownership because I will see the taking. I want to get
> > >> access by a password.
> >>
> >
> >
>
Anonymous
July 13, 2005 9:46:50 PM

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:o ds6Tx6hFHA.2156@TK2MSFTNGP14.phx.gbl...
> Thanks for your reply, Roger.
> Thus, I have to give the Full grants to the Users group each time there is a
> smallest possibility I might need my portable drive contents on any other
> Windows NT and remove the grant of Full to Users each time I come back to my
> domain Windows XP. I will have to give and remove Full grants too often and
> it will take too much time.

Then you will need to find another way.
There is no way to add a new account into the NTFS permissions
except by using an account with the permission to alter permissions.
So, you need to know you will be going to a new machine before
you leave to go there. When there, add the account that will be used
on that machine and remove the Full grant to Users (or Administrators).
There just is not an alternative that is within Windows.

> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> > Still struggling with this hey Dmitry ?
> >
> > Since you cannot install anything on the machines where this
> > will be used, you really need to just use NTFS.
> >
> > To get it set up you will for a while have to have a grant to a
> > built-in group, like Users, unless you can log in as an admin on
> > each machine where use is needed.
> > 1. set full control for Users on the external NTFS
> > then on each system where it will be used
> > 2. set full grant to the account used on that system
> > when doing this
> > 2a. the grants to accounts from other systems are known only
> > on the other systems and so will show up as SID strings or
> > as Unknown - leave them alone.
> > 3. when you set the grant to the last account, on the last system
> > where this will be used, remove the grant of Full to Users
> > that was only needed in order to be able to make the grants
> > to the specific users
> > Whatever temporary group, like Users above, used to build
> > up the desired permissions must be understood on each system
> > so it must be a builtin group that will include the account you
> > log in with on each system.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> >> Hello
> >> How can I get access to my files and folders on my portable drive on
> >> other
> >> computers? I do not want to give access to a Windows XP group because I
> >> don't want
> > >> Administrators of our domain have direct access to my files on the drive.
> > >> They will not take ownership because I will see the taking. I want to get
> > >> access by a password.
> >>
> >
> >
>
Anonymous
July 13, 2005 10:17:57 PM

I am obviously not into the politics of why you want to keep info
secured from your larger environment (net admins).
Your problem seems to be that you need the info transportable
between too many systems that are in different domains and/or
workgroups to make it simple to set up.
We did not address using EFS in addition to NTFS security,
and but for your mention of an XP Home system could have.

I can understand both how one's business model would benefit
from having a well-respected, and motivated, member providing
the computing infrastructure needs.
I can also understand how a small group with some shared office
capabilities would be content with an easily replaced support
person. However, in that case one should have someone that
does watch out for the over-all well-being of the organization
with regards to its computing infrastructure.

From all you have said about the reasons for seeking to secure
info in this way, it does sound to me that you would be better
off not having any domain structure (in which the net admin
can roam about).

--
Roger Abell
Microsoft MVP (Windows Security)

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:%23hfE616hFHA.720@TK2MSFTNGP14.phx.gbl...
> Why do you think the data isn't supposed to be on my computer? Our Admin
> just keeps the network working, they are not supposed to see all the
> commercial data that other specialists possess.
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
> >
> >
> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
> >> Hello
> >> How can I get access to my files and folders on my portable drive on
> >> other computers? I do not want to give access to a Windows XP group
> >> because I don't want
> >> Administrators of our domain have direct access to my files on the
> >> drive. They will not take ownership because I will see the taking. I
> >> want to get access by a password.
> >
> > Roger's reply re NTFS is correct. However, if you're trying to bypass your
> > network admins, and you are not officially one yourself, I can't help you.
> > If the data isn't supposed to be on your computer/on the network, don't do
> > it.
> >
>
Anonymous
July 13, 2005 10:22:22 PM

Only General manager is supposed to see all the information. But he will not
administrate the network himself of course. General manager has even a
second computer separate from the Admins network to keep information
securely. Our Admin is two times younger than most of our specialists and
has only computer education and is not devoted to our business as the
General manager is. A company can never take just a computer specialist into
its confidence, can never entrust all its commercial information to him.
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d3eea582772e4b9899d7@news-server.columbus.rr.com...
> In article <#hfE616hFHA.720@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
> says...
>> Why do you think the data isn't supposed to be on my computer? Our Admin
>> just keeps the network working, they are not supposed to see all the
>> commercial data that other specialists possess.
>
> You are wrong, the network admin can and will be able to see all data on
> the network, if you don't trust the network admin then you need to get a
> new one.
>
> It really seems like you're doing something you don't need to be doing
> and that you feel you have a reason to hide.
>
>
>
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
>> message
>> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>> >
>> >
>> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
>> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
>> >> Hello
>> >> How can I get access to my files and folders on my portable drive on
>> >> other computers? I do not want to give access to a Windows XP group
>> >> because I don't want
>> >> Administrators of our domain have direct access to my files on the
>> >> drive. They will not take ownership because I will see the taking. I
>> >> want to get access by a password.
>> >
>> > Roger's reply re NTFS is correct. However, if you're trying to bypass
>> > your
>> > network admins, and you are not officially one yourself, I can't help
>> > you.
>> > If the data isn't supposed to be on your computer/on the network, don't
>> > do
>> > it.
>> >
>>
>>
>
> --
> --
> spam999free@rrohio.com
> remove 999 in order to email me
Anonymous
July 13, 2005 10:22:23 PM

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:OC%23sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl...
> Only General manager is supposed to see all the information. But he will
> not administrate the network himself of course. General manager has even a
> second computer separate from the Admins network to keep information
> securely. Our Admin is two times younger than most of our specialists and
> has only computer education and is not devoted to our business as the
> General manager is. A company can never take just a computer specialist
> into it's confidence, can never entrust all its commercial information to
> him.

As others have pointed out you need to rethink your business model when it
comes to computers. With today's technology the network administrator will
potentially have access to everything. You can use auditing to see what has
been done but it's pretty hard to stop it from being done. The only way I
know to get around this is to keep data that sensitive on a computer not
connected to the LAN or use 3rd party encryption software.

Kerry


> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d3eea582772e4b9899d7@news-server.columbus.rr.com...
>> In article <#hfE616hFHA.720@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
>> says...
>>> Why do you think the data isn't supposed to be on my computer? Our Admin
>>> just keeps the network working, they are not supposed to see all the
>>> commercial data that other specialists possess.
>>
>> You are wrong, the network admin can and will be able to see all data on
>> the network, if you don't trust the network admin then you need to get a
>> new one.
>>
>> It really seems like you're doing something you don't need to be doing
>> and that you feel you have a reason to hide.
>>
>>
>>
>>> "Lanwench [MVP - Exchange]"
>>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
>>> message
>>> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>>> >
>>> >
>>> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
>>> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
>>> >> Hello
>>> >> How can I get access to my files and folders on my portable drive on
>>> >> other computers? I do not want to give access to a Windows XP group
>>> >> because I don't want
>>> >> Administrators of our domain have direct access to my files on the
>>> >> drive. They will not take ownership because I will see the taking. I
>>> >> want to get access by a password.
>>> >
>>> > Roger's reply re NTFS is correct. However, if you're trying to bypass
>>> > your
>>> > network admins, and you are not officially one yourself, I can't help
>>> > you.
>>> > If the data isn't supposed to be on your computer/on the network,
>>> > don't do
>>> > it.
>>> >
>>>
>>>
>>
>> --
>> --
>> spam999free@rrohio.com
>> remove 999 in order to email me
>
Anonymous
July 13, 2005 10:22:23 PM

In article <OC#sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
says...
> Only General manager is supposed to see all the information. But he will not
> administrate the network himself of course. General manager has even a
> second computer separate from the Admins network to keep information
> securely. Our Admin is two times younger than most of our specialists and
> has only computer education and is not devoted to our business as the
> General manager is. A company can never take just a computer specialist into
> it's confidence, can never entrust all its commercial information to him.

You are COMPLETELY WRONG. A good network admin will be vested in the
company with all their heart and desire. They will always look to
protect the network and its data. They have full access to everything
by default and can take ownership of anything they want. If you don't
trust the Admin then you are in a bad spot, as the Admin can do many
things without you even finding out about it.

Now, to protect you against a rogue Admin, you need a second Admin that
is used to check the other admin - in fact, both check each other for
doing things that should not be done. Both Admins have full access to
all resources, it's the nature of the networks.

If you don't want an Admin to have access, then set up another network,
managed by someone you trust at the moment, and don't give the Admin any
access to it.

In every company I've worked for or designed the network for, the Admin
group (sometimes 1 person, but normally more than 1) has full access to
all resources, even if they don't use them.

If the Admin can't reach all resources, then they can't properly do
their job - which is Network security, Resource Protection, support of
users, disaster recovery planning and testing, and monitoring for
unapproved activity (yea, there are more).


--
--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
July 14, 2005 3:31:34 PM

Thanks Roger.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o Kipz1AiFHA.320@TK2MSFTNGP09.phx.gbl...
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o ds6Tx6hFHA.2156@TK2MSFTNGP14.phx.gbl...
>> Thanks for your reply, Roger.
>> Thus, I have to give the Full grants to the Users group each time there is a
>> smallest possibility I might need my portable drive contents on any other
>> Windows NT and remove the grant of Full to Users each time I come back to my
>> domain Windows XP. I will have to give and remove Full grants too often and
>> it will take too much time.
>
> Then you will need to find another way.
> There is no way to add a new account into the NTFS permissions
> except by using an account with the permission to alter permissions.
> So, you need to know you will be going to a new machine before
> you leave to go there. When there, add the account that will be used
> on that machine and remove the Full grant to Users (or Administrators).
> There just is not an alternative that is within Windows.
>
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
>> > Still struggling with this hey Dmitry ?
>> >
>> > Since you cannot install anything on the machines where this
>> > will be used, you really need to just use NTFS.
>> >
>> > To get it set up you will for a while have to have a grant to a
>> > built-in group, like Users, unless you can log in as an admin on
>> > each machine where use is needed.
>> > 1. set full control for Users on the external NTFS
>> > then on each system where it will be used
>> > 2. set full grant to the account used on that system
>> > when doing this
>> > 2a. the grants to accounts from other systems are known only
>> > on the other systems and so will show up as SID strings or
>> > as Unknown - leave them alone.
>> > 3. when you set the grant to the last account, on the last system
>> > where this will be used, remove the grant of Full to Users
>> > that was only needed in order to be able to make the grants
>> > to the specific users
>> > Whatever temporary group, like Users above, used to build
>> > up the desired permissions must be understood on each system
>> > so it must be a builtin group that will include the account you
>> > log in with on each system.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> >
>> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> >> Hello
>> >> How can I get access to my files and folders on my portable drive on other
>> >> computers? I do not want to give access to a Windows XP group because I
>> >> don't want
>> >> Administrators of our domain have direct access to my files on the drive.
>> >> They will not take ownership because I will see the taking. I want to get
>> >> access by a password.
>> >>
>> >
>> >
>>
>
>
Anonymous
July 14, 2005 3:34:21 PM

Yes, but this does not prevent domain administrators from seeing my folders
and files.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:uZkJd0AiFHA.3064@TK2MSFTNGP15.phx.gbl...
> so you could use Administrators instead of Users
>
> --
> Roger
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
>> I can log in as an admin on each machine where use is needed.
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
>> > Still struggling with this hey Dmitry ?
>> >
>> > Since you cannot install anything on the machines where this
>> > will be used, you really need to just use NTFS.
>> >
>> > To get it set up you will for a while have to have a grant to a
>> > built-in group, like Users, unless you can log in as an admin on
>> > each machine where use is needed.
>> > 1. set full control for Users on the external NTFS
>> > then on each system where it will be used
>> > 2. set full grant to the account used on that system
>> > when doing this
>> > 2a. the grants to accounts from other systems are known only
>> > on the other systems and so will show up as SID strings or
>> > as Unknown - leave them alone.
>> > 3. when you set the grant to the last account, on the last system
>> > where this will be used, remove the grant of Full to Users
>> > that was only needed in order to be able to make the grants
>> > to the specific users
>> > Whatever temporary group, like Users above, used to build
>> > up the desired permissions must be understood on each system
>> > so it must be a builtin group that will include the account you
>> > log in with on each system.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> >
>> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> >> Hello
>> >> How can I get access to my files and folders on my portable drive on other
>> >> computers? I do not want to give access to a Windows XP group because I
>> >> don't want
>> >> Administrators of our domain have direct access to my files on the drive.
>> >> They will not take ownership because I will see the taking. I want to get
>> >> access by a password.
>> >>
>> >
>> >
>>
>
>
Anonymous
July 14, 2005 3:34:22 PM

Neither does use of Users
Remember, the grant is only needed while defining a new
specific user grant, and you certainly could have the network
wire disconnected during that time.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:o NK%230ZEiFHA.1416@TK2MSFTNGP09.phx.gbl...
> Yes, but this does not prevent domain administrators from seeing my folders
> and files.
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:uZkJd0AiFHA.3064@TK2MSFTNGP15.phx.gbl...
> > so you could use Administrators instead of Users
> >
> > --
> > Roger
> >
> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> > news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
> >> I can log in as an admin on each machine where use is needed.
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> >> > Still struggling with this hey Dmitry ?
> >> >
> >> > Since you cannot install anything on the machines where this
> >> > will be used, you really need to just use NTFS.
> >> >
> >> > To get it set up you will for a while have to have a grant to a
> >> > built-in group, like Users, unless you can log in as an admin on
> >> > each machine where use is needed.
> >> > 1. set full control for Users on the external NTFS
> >> > then on each system where it will be used
> >> > 2. set full grant to the account used on that system
> >> > when doing this
> >> > 2a. the grants to accounts from other systems are known only
> >> > on the other systems and so will show up as SID strings or
> >> > as Unknown - leave them alone.
> >> > 3. when you set the grant to the last account, on the last system
> >> > where this will be used, remove the grant of Full to Users
> >> > that was only needed in order to be able to make the grants
> >> > to the specific users
> >> > Whatever temporary group, like Users above, used to build
> >> > up the desired permissions must be understood on each system
> >> > so it must be a builtin group that will include the account you
> >> > log in with on each system.
> >> >
> >> > --
> >> > Roger Abell
> >> > Microsoft MVP (Windows Security)
> >> >
> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> >> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> >> >> Hello
> >> >> How can I get access to my files and folders on my portable drive on other
> >> >> computers? I do not want to give access to a Windows XP group because I
> >> >> don't want
> >> >> Administrators of our domain have direct access to my files on the drive.
> >> >> They will not take ownership because I will see the taking. I want to get
> >> >> access by a password.
> >> >>
> >> >
> >> >
> >>
> >
> >
>
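
The end state that the quoted procedure aims for (no remaining grant to a built-in group, per-machine accounts left in place even where they display only as SID strings) can be checked from the drive's security descriptor. The following is an added example, not part of the original thread: it parses a DACL in SDDL form, as returned for instance by PowerShell's `(Get-Acl <path>).Sddl`, and classifies each allow entry. The two SDDL strings, the SIDs and all function names are constructed for illustration.

```python
import re

# Built-in groups that resolve on every Windows system, keyed by SDDL alias
# and by literal SID. A grant to one of these is the temporary kind that
# step 3 of the quoted procedure removes again.
BROAD_GROUPS = {
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "BA": "BUILTIN\\Administrators", "S-1-5-32-544": "BUILTIN\\Administrators",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
}
# Rights strings that amount to full control: FILE_ALL_ACCESS and GENERIC_ALL,
# as SDDL aliases and as hex masks (compared case-insensitively).
FULL_CONTROL = {"fa", "ga", "0x1f01ff", "0x10000000"}

# "D:" followed by optional DACL flags and one or more parenthesised ACEs.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample data (hypothetical SIDs, not taken from the thread).
LOCAL_MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_MACHINE_SID = "S-1-5-21-4444444444-5555555555-6666666666"
# While grants are still being added: the temporary Full grant to Users exists.
DURING_SETUP = (
    "O:" + LOCAL_MACHINE_SID + "-1004G:DUD:PAI"
    "(A;OICI;FA;;;BU)"
    "(A;OICI;FA;;;" + LOCAL_MACHINE_SID + "-1004)"
)
# After the last machine: only the specific per-machine accounts remain.
FINISHED = (
    "O:" + LOCAL_MACHINE_SID + "-1004G:DUD:PAI"
    "(A;OICI;0x1f01ff;;;" + LOCAL_MACHINE_SID + "-1004)"
    "(A;OICI;FA;;;" + OTHER_MACHINE_SID + "-1003)"
)


def parse_dacl(sddl):
    """Return the ACEs of the DACL as dicts (type, flags, rights, trustee)."""
    match = DACL_RE.search(sddl)
    if not match:
        raise ValueError("no DACL with ACEs found in SDDL string")
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    return aces


def audit_drive_acl(sddl, local_authority_sid):
    """Classify allow ACEs on the drive.

    local_authority_sid is the SID (without RID) of the machine or domain
    whose accounts resolve to names on the system doing the check.
    """
    report = {"broad": [], "local": [], "foreign": [], "other": []}
    for ace in parse_dacl(sddl):
        if ace["type"] != "A":          # only allow ACEs grant access
            continue
        trustee = ace["trustee"]
        if trustee in BROAD_GROUPS:
            full = ace["rights"].lower() in FULL_CONTROL
            report["broad"].append((BROAD_GROUPS[trustee], full))
        elif trustee.startswith(local_authority_sid + "-"):
            report["local"].append(trustee)
        elif trustee.startswith("S-1-5-21-"):
            # Account from another machine or domain: shows up as a bare SID
            # or "Unknown" here and should be left alone (step 2a).
            report["foreign"].append(trustee)
        else:
            report["other"].append(trustee)
    return report


def setup_finished(report):
    """True when no grant to a broad built-in group is left on the drive."""
    return not report["broad"]


if __name__ == "__main__":
    for label, sddl in (("during setup", DURING_SETUP), ("finished", FINISHED)):
        result = audit_drive_acl(sddl, LOCAL_MACHINE_SID)
        print(label, "->", "OK" if setup_finished(result) else "broad grant left",
              result)
```
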
Anonymous
July 14, 2005 3:43:07 PM

Our domain is needed for our women usually and Windows XP illiterate workers
who can not administer their Windows XP themselves.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23bCDMHBiFHA.3164@TK2MSFTNGP15.phx.gbl...
>I am obviously not into the politics of why you want to keep info
> secured from your larger environment (net admins).
> Your problem seems to be that you need the info transportable
> between too many systems that are in different domains and/or
> workgroups to make it simple to set up.
> We did not address using EFS in addition to NTFS security,
> and but for your mention of an XP Home system could have.
>
> I can understand both how one's business model would benefit
> from having a well-respected, and motivated, member providing
> the computing infrastructure needs.
> I can also understand how a small group with some shared office
> capabilities would be content with an easily replaced support
> person. However, in that case one should have someone that
> does watch out for the over-all well-being of the organization
> with regards to its computing infrastructure.
>
> From all you have said about the reasons for seeking to secure
> info in this way, it does sound to me that you would be better
> off not having any domain structure (in which the net admin
> can roam about).
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:%23hfE616hFHA.720@TK2MSFTNGP14.phx.gbl...
>> Why do you think the data isn't supposed to be on my computer? Our Admin
>> just keeps the network working, they are not supposed to see all the
>> commercial data that other specialists possess.
>> "Lanwench [MVP - Exchange]"
>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
> message
>> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>> >
>> >
>> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
>> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
>> >> Hello
>> >> How can I get access to my files and folders on my portable drive on
>> >> other computers? I do not want to give access to a Windows XP group
>> >> because I don't want
>> >> Administrators of our domain have direct access to my files on the
>> >> drive. They will not take ownership because I will see the taking. I
>> >> want to get access by a password.
>> >
>> > Roger's reply re NTFS is correct. However, if you're trying to bypass your
>> > network admins, and you are not officially one yourself, I can't help you.
>> > If the data isn't supposed to be on your computer/on the network, don't do
>> > it.
>> >
>>
>
>
Anonymous
July 14, 2005 3:47:53 PM

Our domain administrator will not take ownership because I will see it. If I
see it, he could lose his job.
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:o nvC7n7hFHA.2484@TK2MSFTNGP15.phx.gbl...
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o C%23sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl...
>> Only General manager is supposed to see all the information. But he will
>> not administrate the network himself of course. General manager has even
>> a second computer separate from the Admins network to keep information
>> securely. Our Admin is two times younger than most of our specialists and
>> has only computer education and is not devoted to our business as the
>> General manager is. A company can never take just a computer specialist
>> into it's confidence, can never entrust all its commercial information to
>> him.
>
> As others have pointed out you need to rethink your business model when it
> comes to computers. With today's technology the network administrator will
> potentially have access to everything. You can use auditing to see what
> has been done but it's pretty hard to stop it from being done. The only
> way I know to get around this is to keep data that sensitive on a computer
> not connected to the LAN or use 3rd party encryption software.
>
> Kerry
>
>
>> "Leythos" <void@nowhere.lan> wrote in message
>> news:MPG.1d3eea582772e4b9899d7@news-server.columbus.rr.com...
>>> In article <#hfE616hFHA.720@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
>>> says...
>>>> Why do you think the data isn't supposed to be on my computer? Our
>>>> Admin
>>>> just keeps the network working, they are not supposed to see all the
>>>> commercial data that other specialists possess.
>>>
>>> You are wrong, the network admin can and will be able to see all data on
>>> the network, if you don't trust the network admin then you need to get a
>>> new one.
>>>
>>> It really seems like you're doing something you don't need to be doing
>>> and that you feel you have a reason to hide.
>>>
>>>
>>>
>>>> "Lanwench [MVP - Exchange]"
>>>> <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in
>>>> message
>>>> news:eXGo3VvhFHA.2152@TK2MSFTNGP14.phx.gbl...
>>>> >
>>>> >
>>>> > In news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl,
>>>> > Dmitry Kopnichev <kopn@hotbox.ruDELETE> typed:
>>>> >> Hello
>>>> >> How can I get access to my files and folders on my portable drive on
>>>> >> other computers? I do not want to give access to a Windows XP group
>>>> >> because I don't want
>>>> >> Administrators of our domain have direct access to my files on the
>>>> >> drive. They will not take ownership because I will see the taking. I
>>>> >> want to get access by a password.
>>>> >
>>>> > Roger's reply re NTFS is correct. However, if you're trying to bypass
>>>> > your
>>>> > network admins, and you are not officially one yourself, I can't help
>>>> > you.
>>>> > If the data isn't supposed to be on your computer/on the network,
>>>> > don't do
>>>> > it.
>>>> >
>>>>
>>>>
>>>
>>> --
>>> --
>>> spam999free@rrohio.com
>>> remove 999 in order to email me
>>
>
>
Anonymous
July 14, 2005 4:10:41 PM

"Admins having full access to everything by default" is the cause of CDs
with sensitive information appearing on a black market. Some Admins steal
personal information about customers, especially, users of mobile networks,
owners of properties, money orders logs, bank transactions logs, etcetera,
before changing work. This information is invaluable for criminals,
thieves, robbers, killers for searching for their victim.
Admins do not lose much if a company loses its sensitive information. They
can always find another work, but owners lose money and top managers work
and their credit.
"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d3f031b7b4482ce9899da@news-server.columbus.rr.com...
> In article <OC#sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
> says...
>> Only General manager is supposed to see all the information. But he will
>> not
>> administrate the network himself of course. General manager has even a
>> second computer separate from the Admins network to keep information
>> securely. Our Admin is two times younger than most of our specialists and
>> has only computer education and is not devoted to our business as the
>> General manager is. A company can never take just a computer specialist
>> into
>> it's confidence, can never entrust all its commercial information to him.
>
> You are COMPLETELY WRONG. A good network admin will be vested in the
> company with all their heart and desire. They will always look to
> protect the network and it's data. They have full access to everything
> by default and can take ownership of anything they want. If you don't
> trust the Admin then you are in a bad spot, as the Admin can do many
> things without you even finding out about it.
>
> Now, to protect you against an rogue Admin, you need a second Admin that
> is used to check the other admin - in fact, both check each other for
> doing things that should not be done. Both Admins have full access to
> all resources, it's the nature of the networks.
>
> If you don't want an Admin to have access, then setup another network,
> managed by someone you trust at the moment, and don't give the Admin any
> access to it.
>
> In every company I've worked for or designed the network for, the Admin
> group (sometimes 1 person, but normally more than 1) has full access to
> all resources, even if they don't use them.
>
> If the Admin can't reach all resources, then they can't properly do
> their job - which is Network security, Resource Protection, support of
> users, disaster recovery planning and testing, and monitoring for
> unapproved activity (yea, there are more).
>
>
> --
> --
> spam999free@rrohio.com
> remove 999 in order to email me
Anonymous
July 14, 2005 4:10:42 PM

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:o N8mxuEiFHA.320@TK2MSFTNGP09.phx.gbl...
> "Admins having full access to everything by default" is the cause of CDs
> with sensitive information appearing on a black market. Some Admins steal
> personal information about customers, especially, users of mobile
> networks, owners of properties, money orders logs, bank transactions logs,
> etcetera, before changing work. This information is invaluable for
> criminals, thieves, robbers, killers for searching for their victim.
> Admins do not lose much if a company loses its sensitive information. They
> can always find another work, but owners lose money and top managers work
> and their credit.

You have several options. Most of the computer related ones have already
been explained to you. If none of those work for you, you will have to do
some more research. Personally I believe you need to rethink your company's
hierarchy. If your data is that sensitive you need to do one of two things.
Hire someone you trust to manage your network. Train an existing employee you
trust to manage your network. If it is so lucrative to steal your data then
you can afford to pay someone enough that they won't steal your data. Most
organizations and governments have policies to deal with this issue. In the
end what it comes down to is trust. It sounds like you don't have any. You
could physically search your admin as he leaves the building.

Kerry


> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d3f031b7b4482ce9899da@news-server.columbus.rr.com...
>> In article <OC#sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
>> says...
>>> Only General manager is supposed to see all the information. But he will
>>> not
>>> administrate the network himself of course. General manager has even a
>>> second computer separate from the Admins network to keep information
>>> securely. Our Admin is two times younger than most of our specialists
>>> and
>>> has only computer education and is not devoted to our business as the
>>> General manager is. A company can never take just a computer specialist
>>> into
>>> it's confidence, can never entrust all its commercial information to
>>> him.
>>
>> You are COMPLETELY WRONG. A good network admin will be vested in the
>> company with all their heart and desire. They will always look to
>> protect the network and it's data. They have full access to everything
>> by default and can take ownership of anything they want. If you don't
>> trust the Admin then you are in a bad spot, as the Admin can do many
>> things without you even finding out about it.
>>
>> Now, to protect you against an rogue Admin, you need a second Admin that
>> is used to check the other admin - in fact, both check each other for
>> doing things that should not be done. Both Admins have full access to
>> all resources, it's the nature of the networks.
>>
>> If you don't want an Admin to have access, then setup another network,
>> managed by someone you trust at the moment, and don't give the Admin any
>> access to it.
>>
>> In every company I've worked for or designed the network for, the Admin
>> group (sometimes 1 person, but normally more than 1) has full access to
>> all resources, even if they don't use them.
>>
>> If the Admin can't reach all resources, then they can't properly do
>> their job - which is Network security, Resource Protection, support of
>> users, disaster recovery planning and testing, and monitoring for
>> unapproved activity (yea, there are more).
>>
>>
>> --
>> --
>> spam999free@rrohio.com
>> remove 999 in order to email me
>
Anonymous
July 14, 2005 4:11:51 PM

I would have to disconnect too often.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:eRssWnEiFHA.1204@TK2MSFTNGP12.phx.gbl...
> Neither does use of Users
> Remember, the grant is only needed while defining a new
> specific user grant, and you certainly could have the network
> wire disconnected during that time.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o NK%230ZEiFHA.1416@TK2MSFTNGP09.phx.gbl...
>> Yes, but this does not prevent domain administrators from seeing my folders
>> and files.
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:uZkJd0AiFHA.3064@TK2MSFTNGP15.phx.gbl...
>> > so you could use Administrators instead of Users
>> >
>> > --
>> > Roger
>> >
>> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> > news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
>> >> I can log in as an admin on each machine where use is needed.
>> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
>> >> > Still struggling with this hey Dmitry ?
>> >> >
>> >> > Since you cannot install anything on the machines where this
>> >> > will be used, you really need to just use NTFS.
>> >> >
>> >> > To get it set up you will for a while have to have a grant to a
>> >> > built-in group, like Users, unless you can log in as an admin on
>> >> > each machine where use is needed.
>> >> > 1. set full control for Users on the external NTFS
>> >> > then on each system where it will be used
>> >> > 2. set full grant to the account used on that system
>> >> > when doing this
>> >> > 2a. the grants to accounts from other systems are known only
>> >> > on the other systems and so will show up as SID strings or
>> >> > as Unknown - leave them alone.
>> >> > 3. when you set the grant to the last account, on the last system
>> >> > where this will be used, remove the grant of Full to Users
>> >> > that was only needed in order to be able to make the grants
>> >> > to the specific users
>> >> > Whatever temporary group, like Users above, used to build
>> >> > up the desired permissions must be understood on each system
>> >> > so it must be a builtin group that will include the account you
>> >> > log in with on each system.
>> >> >
>> >> > --
>> >> > Roger Abell
>> >> > Microsoft MVP (Windows Security)
>> >> >
>> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> >> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> >> >> Hello
>> >> >> How can I get access to my files and folders on my portable drive on other
>> >> >> computers? I do not want to give access to a Windows XP group because I
>> >> >> don't want
>> >> >> Administrators of our domain have direct access to my files on the drive.
>> >> >> They will not take ownership because I will see the taking. I want to get
>> >> >> access by a password.
>> >> >>
>> >> >
>> >> >
>> >>
>> >
>> >
>>
>
>
Anonymous
July 14, 2005 4:11:52 PM

You must have a lot of different machines not in domain(s)
where use of this external storage would be needed.

--
Roger Abell
Microsoft MVP (Windows Security)

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:o wazgvEiFHA.1464@TK2MSFTNGP14.phx.gbl...
> I would have to do disconnect too often.
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:eRssWnEiFHA.1204@TK2MSFTNGP12.phx.gbl...
> > Neither does use of Users
> > Remember, the grant is only needed while defining a new
> > specific user grant, and you certainly could have the network
> > wire disconnected during that time.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> > news:o NK%230ZEiFHA.1416@TK2MSFTNGP09.phx.gbl...
> >> Yes, but this does not prevent domain administrators from seeing my folders
> >> and files.
> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> news:uZkJd0AiFHA.3064@TK2MSFTNGP15.phx.gbl...
> >> > so you could use Administrators instead of Users
> >> >
> >> > --
> >> > Roger
> >> >
> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> >> > news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
> >> >> I can log in as an admin on each machine where use is needed.
> >> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> >> >> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
> >> >> > Still struggling with this hey Dmitry ?
> >> >> >
> >> >> > Since you cannot install anything on the machines where this
> >> >> > will be used, you really need to just use NTFS.
> >> >> >
> >> >> > To get it set up you will for a while have to have a grant to a
> >> >> > built-in group, like Users, unless you can log in as an admin on
> >> >> > each machine where use is needed.
> >> >> > 1. set full control for Users on the external NTFS
> >> >> > then on each system where it will be used
> >> >> > 2. set full grant to the account used on that system
> >> >> > when doing this
> >> >> > 2a. the grants to accounts from other systems are known only
> >> >> > on the other systems and so will show up as SID strings or
> >> >> > as Unknown - leave them alone.
> >> >> > 3. when you set the grant to the last account, on the last system
> >> >> > where this will be used, remove the grant of Full to Users
> >> >> > that was only needed in order to be able to make the grants
> >> >> > to the specific users
> >> >> > Whatever temporary group, like Users above, used to build
> >> >> > up the desired permissions must be understood on each system
> >> >> > so it must be a builtin group that will include the account you
> >> >> > log in with on each system.
> >> >> >
> >> >> > --
> >> >> > Roger Abell
> >> >> > Microsoft MVP (Windows Security)
> >> >> >
> >> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> >> >> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
> >> >> >> Hello
> >> >> >> How can I get access to my files and folders on my portable drive on other
> >> >> >> computers? I do not want to give access to a Windows XP group because I
> >> >> >> don't want
> >> >> >> Administrators of our domain have direct access to my files on the drive.
> >> >> >> They will not take ownership because I will see the taking. I want to get
> >> >> >> access by a password.
> >> >> >>
> >> >> >
> >> >> >
> >> >>
> >> >
> >> >
> >>
> >
> >
>
Anonymous
July 14, 2005 9:34:52 PM

Yes.
This drive contains 25 GB of information. I almost never save files to local
HDDs, but to the portable drive.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%236eOacHiFHA.3700@TK2MSFTNGP10.phx.gbl...
> You must have a lot of different machines not in domain(s)
> where use of this external storage would be needed.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o wazgvEiFHA.1464@TK2MSFTNGP14.phx.gbl...
>> I would have to do disconnect too often.
>> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> news:eRssWnEiFHA.1204@TK2MSFTNGP12.phx.gbl...
>> > Neither does use of Users
>> > Remember, the grant is only needed while defining a new
>> > specific user grant, and you certainly could have the network
>> > wire disconnected during that time.
>> >
>> > --
>> > Roger Abell
>> > Microsoft MVP (Windows Security)
>> > MCSE (W2k3,W2k,Nt4) MCDBA
>> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> > news:o NK%230ZEiFHA.1416@TK2MSFTNGP09.phx.gbl...
>> >> Yes, but this does not prevent domain administrators from seeing my folders
>> >> and files.
>> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> news:uZkJd0AiFHA.3064@TK2MSFTNGP15.phx.gbl...
>> >> > so you could use Administrators instead of Users
>> >> >
>> >> > --
>> >> > Roger
>> >> >
>> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> >> > news:uvSVy36hFHA.3912@tk2msftngp13.phx.gbl...
>> >> >> I can log in as an admin on each machine where use is needed.
>> >> >> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
>> >> >> news:uVgvszuhFHA.1948@TK2MSFTNGP12.phx.gbl...
>> >> >> > Still struggling with this hey Dmitry ?
>> >> >> >
>> >> >> > Since you cannot install anything on the machines where this
>> >> >> > will be used, you really need to just use NTFS.
>> >> >> >
>> >> >> > To get it set up you will for a while have to have a grant to a
>> >> >> > built-in group, like Users, unless you can log in as an admin on
>> >> >> > each machine where use is needed.
>> >> >> > 1. set full control for Users on the external NTFS
>> >> >> > then on each system where it will be used
>> >> >> > 2. set full grant to the account used on that system
>> >> >> > when doing this
>> >> >> > 2a. the grants to accounts from other systems are known only
>> >> >> > on the other systems and so will show up as SID strings or
>> >> >> > as Unknown - leave them alone.
>> >> >> > 3. when you set the grant to the last account, on the last system
>> >> >> > where this will be used, remove the grant of Full to Users
>> >> >> > that was only needed in order to be able to make the grants
>> >> >> > to the specific users
>> >> >> > Whatever temporary group, like Users above, used to build
>> >> >> > up the desired permissions must be understood on each system
>> >> >> > so it must be a builtin group that will include the account you
>> >> >> > log in with on each system.
>> >> >> >
>> >> >> > --
>> >> >> > Roger Abell
>> >> >> > Microsoft MVP (Windows Security)
>> >> >> >
>> >> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> >> >> > news:u1uy8XrhFHA.3316@TK2MSFTNGP14.phx.gbl...
>> >> >> >> Hello
>> >> >> >> How can I get access to my files and folders on my portable drive on other
>> >> >> >> computers? I do not want to give access to a Windows XP group because I
>> >> >> >> don't want
>> >> >> >> Administrators of our domain have direct access to my files on the drive.
>> >> >> >> They will not take ownership because I will see the taking. I want to get
>> >> >> >> access by a password.
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >>
>> >> >
>> >> >
>> >>
>> >
>> >
>>
>
>
Anonymous
July 14, 2005 9:50:17 PM

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:%23VsCEjIiFHA.3544@TK2MSFTNGP15.phx.gbl...
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o N8mxuEiFHA.320@TK2MSFTNGP09.phx.gbl...
> > "Admins having full access to everything by default" is the cause of CDs
> > with sensitive information appearing on a black market. Some Admins steal
> > personal information about customers, especially, users of mobile
> > networks, owners of properties, money orders logs, bank transactions logs,
> > etcetera, before changing work. This information is invaluable for
> > criminals, thieves, robbers, killers for searching for their victim.
> > Admins do not lose much if a company loses its sensitive information. They
> > can always find another work, but owners lose money and top managers work
> > and their credit.
>
> You have several options. Most of the computer related ones have already
> been explained to you. If none of those work for you, you will have to do
> some more research. Personally I believe you need to rethink your company's
> hierarchy. If your data is that sensitive you need to do one of two things.
> Hire someone you trust to manage your network. Train an existing employee you
> trust to manage your network. If it is so lucrative to steal your data then
> you can afford to pay someone enough that they won't steal your data. Most
> organizations and governments have policies to deal with this issue. In the
> end what it comes down to is trust. It sounds like you don't have any. You
> could physically search your admin as he leaves the building.
>


Funny you say that. Last night I was considering how much
one would have to pay a net admin to sit all day naked in a
glass cage while working and to be searched on the way to
the locker at the end of the day.

--
Roger
>
> > "Leythos" <void@nowhere.lan> wrote in message
> > news:MPG.1d3f031b7b4482ce9899da@news-server.columbus.rr.com...
> >> In article <OC#sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
> >> says...
> >>> Only General manager is supposed to see all the information. But he will
> >>> not administrate the network himself of course. General manager has even a
> >>> second computer separate from the Admins network to keep information
> >>> securely. Our Admin is two times younger than most of our specialists and
> >>> has only computer education and is not devoted to our business as the
> >>> General manager is. A company can never take just a computer specialist
> >>> into its confidence, can never entrust all its commercial information to
> >>> him.
> >>
> >> You are COMPLETELY WRONG. A good network admin will be vested in the
> >> company with all their heart and desire. They will always look to
> >> protect the network and its data. They have full access to everything
> >> by default and can take ownership of anything they want. If you don't
> >> trust the Admin then you are in a bad spot, as the Admin can do many
> >> things without you even finding out about it.
> >>
> >> Now, to protect you against a rogue Admin, you need a second Admin that
> >> is used to check the other admin - in fact, both check each other for
> >> doing things that should not be done. Both Admins have full access to
> >> all resources, it's the nature of the networks.
> >>
> >> If you don't want an Admin to have access, then set up another network,
> >> managed by someone you trust at the moment, and don't give the Admin any
> >> access to it.
> >>
> >> In every company I've worked for or designed the network for, the Admin
> >> group (sometimes 1 person, but normally more than 1) has full access to
> >> all resources, even if they don't use them.
> >>
> >> If the Admin can't reach all resources, then they can't properly do
> >> their job - which is Network security, Resource Protection, support of
> >> users, disaster recovery planning and testing, and monitoring for
> >> unapproved activity (yea, there are more).
> >>
> >>
> >> --
> >> --
> >> spam999free@rrohio.com
> >> remove 999 in order to email me
> >
>
>
Anonymous
July 15, 2005 2:46:41 AM

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23kUnXcNiFHA.392@TK2MSFTNGP10.phx.gbl...

<snip>

>> end what it comes down to is trust. It sounds like you don't have any.
>> You
>> could physically search your admin as he leaves the building.
>>
>
>
> Funny you say that. Last night I was considering how much
> one would have to pay a net admin to sit all day naked in a
> glass cage while working and to be searched on the way to
> the locker at the end of the day.
>

I was thinking of diamond mines while writing the post :-)

Kerry
Anonymous
July 15, 2005 3:27:32 PM

Not giving access to sensitive data to the domain administrator is more
effective.
"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:%23VsCEjIiFHA.3544@TK2MSFTNGP15.phx.gbl...
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:o N8mxuEiFHA.320@TK2MSFTNGP09.phx.gbl...
>> "Admins having full access to everything by default" is the cause of CDs
>> with sensitive information appearing on a black market. Some Admins steal
>> personal information about customers, especially, users of mobile
>> networks, owners of properties, money orders logs, bank transactions
>> logs, etcetera, before changing work. This information is invaluable
>> for criminals, thieves, robbers, killers for searching for their victim.
>> Admins do not lose much if a company loses its sensitive information.
>> They can always find another work, but owners lose money and top managers
>> work and their credit.
>
> You have several options. Most of the computer related ones have already
> been explained to you. If none of those work for you, you will have to do
> some more research. Personally I believe you need to rethink your company's
> hierarchy. If your data is that sensitive you need to do one of two
> things. Hire someone you trust to manage your network. Train an existing
> employee you trust to manage your network. If it is so lucrative to steal
> your data then you can afford to pay someone enough that they won't steal
> your data. Most organizations and governments have policies to deal with
> this issue. In the end what it comes down to is trust. It sounds like you
> don't have any. You could physically search your admin as he leaves the
> building.
>
> Kerry
Anonymous
July 15, 2005 3:27:33 PM

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:OPYPs6QiFHA.2444@tk2msftngp13.phx.gbl...
> Not giving access to sensitive data to the domain administrator is more
> effective.

While that may be so, the best, in fact only, way to do that
is to have no domain.

--
Roger Abell
Microsoft MVP (Windows Security)


Anonymous
July 15, 2005 3:29:05 PM

Yes. It is more effective just not to give access to the data.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:%23kUnXcNiFHA.392@TK2MSFTNGP10.phx.gbl...
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:%23VsCEjIiFHA.3544@TK2MSFTNGP15.phx.gbl...
>> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
>> news:o N8mxuEiFHA.320@TK2MSFTNGP09.phx.gbl...
>> > "Admins having full access to everything by default" is the cause of CDs
>> > with sensitive information appearing on a black market. Some Admins steal
>> > personal information about customers, especially, users of mobile
>> > networks, owners of properties, money orders logs, bank transactions logs,
>> > etcetera, before changing work. This information is invaluable for
>> > criminals, thieves, robbers, killers for searching for their victim.
>> > Admins do not lose much if a company loses its sensitive information. They
>> > can always find another work, but owners lose money and top managers work
>> > and their credit.
>>
>> You have several options. Most of the computer related ones have already
>> been explained to you. If none of those work for you, you will have to do
>> some more research. Personally I believe you need to rethink your company's
>> hierarchy. If your data is that sensitive you need to do one of two things.
>> Hire someone you trust to manage your network. Train an existing employee you
>> trust to manage your network. If it is so lucrative to steal your data then
>> you can afford to pay someone enough that they won't steal your data. Most
>> organizations and governments have policies to deal with this issue. In the
>> end what it comes down to is trust. It sounds like you don't have any. You
>> could physically search your admin as he leaves the building.
>>
>
>
> Funny you say that. Last night I was considering how much
> one would have to pay a net admin to sit all day naked in a
> glass cage while working and to be searched on the way to
> the locker at the end of the day.
>
> --
> Roger
Anonymous
July 15, 2005 3:29:06 PM

"Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
news:%23Z86i7QiFHA.2180@TK2MSFTNGP15.phx.gbl...
> Yes. It is more effective just not to give access to the data.

While it may be more effective it is not possible with your current network.
Change your network, or change your management style. These are your
alternatives. I'm tired of going around in circles. You have been given good
advice by many people. If you don't trust anyone then you'll have to do it
yourself. As others pointed out it sounds like you don't have the knowledge
required to do this. This means you will have to learn it. It can't be
taught via a newsgroup. I suggest you look into some courses on networking
and computer security.

Kerry

Anonymous
July 15, 2005 3:52:58 PM

In article <OPYPs6QiFHA.2444@tk2msftngp13.phx.gbl>, kopn@hotbox.ruDELETE
says...
> Not giving access to sensitive data to the domain administrator is more
> effective.

No, it's not more effective, it's a lost cause as you do not understand
how Network Administration is handled. If you need a secure area, one
that the normal network administrator can not access, then you create a
separate network or you set up a firewall area where the protected
network can reach the unprotected network, but the unprotected network
can't reach the protected network, and you don't have systems in the
protected network as part of the domain.

If you better understood the ideals of a Network and the ideals of a
network administrator you would have a much easier management time.




--
--
spam999free@rrohio.com
remove 999 in order to email me
Anonymous
July 15, 2005 4:50:54 PM

Our domain is needed for our women usually and Windows XP illiterate workers
who can not administer their Windows XP themselves.
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:o oyufVRiFHA.1968@TK2MSFTNGP14.phx.gbl...
> "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> news:OPYPs6QiFHA.2444@tk2msftngp13.phx.gbl...
>> Not giving access to sensitive data to the domain administrator is more
>> effective.
>
> While that may be so, the best, in fact only, way to do that
> is to have no domain.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
>
>
Anonymous
July 15, 2005 4:50:55 PM

Archived from groups: microsoft.public.security,microsoft.public.security.homeusers,microsoft.public.windowsxp.security_admin

In article <#pA$QpRiFHA.1148@TK2MSFTNGP12.phx.gbl>, kopn@hotbox.ruDELETE
says...
> Our domain is needed for our women usually and Windows XP illiterate workers
> who can not administer their Windows XP themselves.

Administration of Windows XP has nothing to do with a Domain - you can
manage Windows XP without a Domain - any good Network Administrator
would already know that and how to do it.

All computers should be locked down for all users, exceptions can be
made for specific special cases.

It's starting to appear that you are making decisions and managing
without understanding the basic network administration concepts and that
will be the ruin of your network scheme.



> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:o oyufVRiFHA.1968@TK2MSFTNGP14.phx.gbl...
> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> > news:o PYPs6QiFHA.2444@tk2msftngp13.phx.gbl...
> >> Not giving access to sensitive data to the domain administrator is more
> >> effective.
> >
> > While that may be so, the best, in fact only, way to do that
> > is to have no domain.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> >
> >
> >> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> >> news:%23VsCEjIiFHA.3544@TK2MSFTNGP15.phx.gbl...
> >> > "Dmitry Kopnichev" <kopn@hotbox.ruDELETE> wrote in message
> >> > news:o N8mxuEiFHA.320@TK2MSFTNGP09.phx.gbl...
> >> >> "Admins having full access to everything by default" is the cause of CDs
> >> >> with sensitive information appearing on a black market. Some Admins steal
> >> >> personal information about customers, especially, users of mobile
> >> >> networks, owners of properties, money orders logs, bank transactions
> >> >> logs, et cetera, before changing work. This information is invaluable
> >> >> for criminals, thieves, robbers, killers for searching for their victim.
> >> >> Admins do not lose much if a company loses its sensitive information.
> >> >> They can always find another work, but owners lose money and top managers
> >> >> work and their credit.
> >> >
> >> > You have several options. Most of the computer related ones have already
> >> > been explained to you. If none of those work for you, you will have to do
> >> > some more research. Personally I believe you need to rethink your company's
> >> > hierarchy. If your data is that sensitive you need to do one of two
> >> > things. Hire someone you trust to manage your network. Train an existing
> >> > employee you trust to manage your network. If it is so lucrative to steal
> >> > your data then you can afford to pay someone enough that they won't steal
> >> > your data. Most organizations and governments have policies to deal with
> >> > this issue. In the end what it comes down to is trust. It sounds like you
> >> > don't have any. You could physically search your admin as he leaves the
> >> > building.
> >> >
> >> > Kerry
> >> >
> >> >
> >> >> "Leythos" <void@nowhere.lan> wrote in message
> >> >> news:MPG.1d3f031b7b4482ce9899da@news-server.columbus.rr.com...
> >> >>> In article <OC#sKZ7hFHA.2916@TK2MSFTNGP14.phx.gbl>, kopn@hotbox.ruDELETE
> >> >>> says...
> >> >>>> Only General manager is supposed to see all the information. But he
> >> >>>> will not administrate the network himself of course. General manager
> >> >>>> has even a second computer separate from the Admins network to keep
> >> >>>> information securely. Our Admin is two times younger than most of our
> >> >>>> specialists and has only computer education and is not devoted to our
> >> >>>> business as the General manager is. A company can never take just a
> >> >>>> computer specialist into its confidence, can never entrust all its
> >> >>>> commercial information to him.
> >> >>>
> >> >>> You are COMPLETELY WRONG. A good network admin will be vested in the
> >> >>> company with all their heart and desire. They will always look to
> >> >>> protect the network and its data. They have full access to everything
> >> >>> by default and can take ownership of anything they want. If you don't
> >> >>> trust the Admin then you are in a bad spot, as the Admin can do many
> >> >>> things without you even finding out about it.
> >> >>>
> >> >>> Now, to protect you against a rogue Admin, you need a second Admin that
> >> >>> is used to check the other admin - in fact, both check each other for
> >> >>> doing things that should not be done. Both Admins have full access to
> >> >>> all resources, it's the nature of the networks.
> >> >>>
> >> >>> If you don't want an Admin to have access, then set up another network,
> >> >>> managed by someone you trust at the moment, and don't give the Admin any
> >> >>> access to it.
> >> >>>
> >> >>> In every company I've worked for or designed the network for, the Admin
> >> >>> group (sometimes 1 person, but normally more than 1) has full access to
> >> >>> all resources, even if they don't use them.
> >> >>>
> >> >>> If the Admin can't reach all resources, then they can't properly do
> >> >>> their job - which is Network security, Resource Protection, support of
> >> >>> users, disaster recovery planning and testing, and monitoring for
> >> >>> unapproved activity (yea, there are more).
> >> >>>
> >> >>> --
> >> >>> --
> >> >>> spam999free@rrohio.com
> >> >>> remove 999 in order to email me

--
--
spam999free@rrohio.com
remove 999 in order to email me