limiting files on server to one department

[Joseph]

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

Can anyone provide some possible solutions to this issue?

We have a Win2k file server in our office and there are a few confidential
directories that should ONLY be visible to specific departments like HR
and Payroll. Domain Admins should NOT be able to see files in the
confidential directories, yet they need to maintain the servers. What is
the best way to secure the confidential directories so that only HR and
Payroll can access them?

So far I've been told that EFS on Win2k is not a possible solution when
multiple people need access to the data, but Windows 2003's version of EFS
might be a solution I was told? Not sure. Or maybe there are better
solutions out there, possibly from a third party? Any help would be
appreciated!

Thanks

 

[pc]

Archived from groups: microsoft.public.win2000.security (More info?)

You could use pgp. With this you can encrypt a file with a password and give
this only to the specific users.

http://www.pgp.com/products/index.html


"Joseph" <josephs2004@email.com> wrote in message
newsan.2004.09.17.02.35.11.545952@email.com...
> Hello,
>
> Can anyone provide some possible solutions to this issue?
>
> We have a Win2k file server in our office and there are a few confidential
> directories that should ONLY be visible to specific departments like HR
> and Payroll. Domain Admins should NOT be able to see files in the
> confidential directories, yet they need to maintain the servers. What is
> the best way to secure the confidential directories so that only HR and
> Payroll can access them?
>
> So far I've been told that EFS on Win2k is not a possible solution when
> multiple people need access to the data, but Windows 2003's version of EFS
> might be a solution I was told? Not sure. Or maybe there are better
> solutions out there, possibly from a third party? Any help would be
> appreciated!
>
> Thanks

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Windows 2003/XP Pro allows XP EFS "files" to be shared by multiple users but not at
the folder level. If you have a lot of files that will be difficult to manage. I
don't know of a good third party solution offhand . --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx ---
how to share EFS files in XP Pro.

"Joseph" <josephs2004@email.com> wrote in message
newsan.2004.09.17.02.35.11.545952@email.com...
> Hello,
>
> Can anyone provide some possible solutions to this issue?
>
> We have a Win2k file server in our office and there are a few confidential
> directories that should ONLY be visible to specific departments like HR
> and Payroll. Domain Admins should NOT be able to see files in the
> confidential directories, yet they need to maintain the servers. What is
> the best way to secure the confidential directories so that only HR and
> Payroll can access them?
>
> So far I've been told that EFS on Win2k is not a possible solution when
> multiple people need access to the data, but Windows 2003's version of EFS
> might be a solution I was told? Not sure. Or maybe there are better
> solutions out there, possibly from a third party? Any help would be
> appreciated!
>
> Thanks

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

Joseph <josephs2004@email.com> said

> Hello,
>
> Can anyone provide some possible solutions to this issue?
>
> We have a Win2k file server in our office and there are a few confidential
> directories that should ONLY be visible to specific departments like HR
> and Payroll. Domain Admins should NOT be able to see files in the
> confidential directories, yet they need to maintain the servers. What is
> the best way to secure the confidential directories so that only HR and
> Payroll can access them?
>

You just remove the domain admins from the list of users who have rights to
those files/folders.
The only way the domain admins can get access to them is to take ownership of
the folders which should then appear in the event logs (you do have auditing
turned on, don't you?). If you are concerned about the admins deleting the
logs, have a manager or other trusted person in your HR or Payroll department
check the ownership on the files and folders weekly/monthly, as the domain
admins can take ownership, but cannot pass it back without knowing the users
password. That's the primary reason why it's only possible to *take*
ownership, not grant ownership.

Backup programs will still be able to back up the files as they have the
permissions to impersonate any user.

> So far I've been told that EFS on Win2k is not a possible solution when
> multiple people need access to the data, but Windows 2003's version of EFS
> might be a solution I was told?

Even using EFS provides the domain admins with the rights to access the files
using the admin recovery certificate. You're better off just using NTFS
permissions and auditing.

--
Andy.

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joseph wrote:
| Hello,
|
| Can anyone provide some possible solutions to this issue?
|
| We have a Win2k file server in our office and there are a few confidential
| directories that should ONLY be visible to specific departments like HR
| and Payroll. Domain Admins should NOT be able to see files in the
| confidential directories, yet they need to maintain the servers. What is
| the best way to secure the confidential directories so that only HR and
| Payroll can access them?
|
| So far I've been told that EFS on Win2k is not a possible solution when
| multiple people need access to the data, but Windows 2003's version of EFS
| might be a solution I was told? Not sure. Or maybe there are better
| solutions out there, possibly from a third party? Any help would be
| appreciated!
|
| Thanks

I think you ought to be thinking about 'who' is a domain admin as much
as anything in this situation.

One of the features of network administrators, good ones anyway, in my
experience is that they wouldn't dream of looking at files which they
were not authorised to view. The role is as much about trust and
integrity as it is about skills. I suspect that a skilled but
unprincipled admin could turn off auditing, do the permissions thing and
then re-enable it - and lets face it who is checking the audit
logs...... A clear case of 'quis custodiet ipsos custodes'.

A company wouldn't dream of hiring somebody as facilities manager (with
access to keys, alarms, etc) without considering "do we trust this
person?" as much as "can they do the job?". Network admins are analogous
roles and should be considered the same way.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBTpreqmlxlf41jHgRAnR0AKCuy8ozp0iXUN/gRL3KHZY5/34jvACgkS5H
47V+iG04kqQUAqvRKF/hhnw=
=BVwc
-----END PGP SIGNATURE-----