    #1 Junior Member (Registered Member) | Join Date: May 2012 | Posts: 1

    Deny Domain Admins Access to Folders

    Hi everyone,

    Great forum you have here, lots of good info!

    Is there a way to simply exclude domain administrators from accessing files and directories? Example: a human resources folder that should be "for your eyes only" to the human resources people.

    I know we should "trust the domain admins, etc., etc." But is there a way to do this? Sure, perhaps they will be able to take ownership, but that would certainly generate a unique event in the event log.

    Any ideas on how to do this would be greatly appreciated. And if it is a simple process please accept my apologies in advance for my ignorance on this matter.

    #2 Junior Member (Registered Member) | Join Date: Jun 2012 | Posts: 7
    There is a reason they are called "domain administrators". Even if you lock the folder/file down to only the users/groups needing access, admins can take ownership of an AD object and change the permissions to gain access. In order to generate log entries for events like this, auditing must be enabled and assigned to the protected resource. Admins can disable the auditing to prevent the log entry. So any way you look at it, you are in a hole.

    There are two remedies for this situation. You need to come up with a corporate policy about who can access what in HR network resources, and hire dependable network admins. You are giving someone access to your critical business data and should do your homework.

    #3 Junior Starcraft Engineer | Join Date: Mar 2007 | Location: Twin Cities, Minnesota | Posts: 2,777 | Certifications: A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    While there are conceivable means to truly prevent access, they are generally so counterproductive or costly that they are impractical. However, one can reasonably implement auditing systems that could detect if an administrator accessed files, such that said administrator could easily be detected. So while preventing access to files is generally impractical in that type of scenario, logging file access is easy.

    If you really want to look at ways to prevent privileged IT administrators from accessing files on systems for which they are responsible, they do exist, but outside of matters involving military or state secrets they are generally impractical and unnecessary. There needs to be some level of trust for certain individuals, and ultimately if they are not trustworthy they're going to be able to do some damage no matter what controls are in place.

    For something like human resources specifically, it makes more sense to outsource HR resources to a system not controlled by IT. This would generally be sufficient, though it should go without saying that a privileged individual could often still gain access through various simple means at his or her disposal (install a keylogger, reset password via email, etc.).
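    The auditing that posts #2 and #3 describe, as an added example that is not part of the original thread: a SACL on the HR folder that records every use of the listed rights by Domain Admins members, the audit-policy subcategories that make the SACL produce events, and a query that reads the resulting events back. The path D:\Shares\HR and the group CONTOSO\Domain Admins are placeholders.

```powershell
# Added example, not from the thread.  Makes any access to an HR folder by a
# Domain Admins member leave an audit record, and also records attempts to
# turn that auditing off.  Placeholders: the path D:\Shares\HR and the group
# name CONTOSO\Domain Admins.  Run elevated on the file server (changing a
# SACL needs SeSecurityPrivilege).

$Path  = 'D:\Shares\HR'
$Group = 'CONTOSO\Domain Admins'

# 1. A SACL produces nothing unless the "Object Access > File System"
#    subcategory is on.  "Audit Policy Change" is enabled too, so that
#    disabling auditing later is itself logged (event 4719).
auditpol /set /subcategory:"File System"         /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# 2. Add an audit (SACL) entry for the group, inherited by every file and
#    subfolder: log both successful and failed use of these rights.
$acl       = Get-Acl -Path $Path -Audit
$rights    = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Group, $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read back what happened in the last day.  4663 = object accessed,
#    4670 = permissions on an object changed (covers take-ownership / re-ACL),
#    4907 = the SACL itself changed, 4719 = audit policy changed.
$filter = @{ LogName = 'Security'; Id = 4663, 4670, 4907, 4719; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 4719, 4907 -or $_.Message -like "*$Path*" } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Object  = ($data | Where-Object Name -eq 'ObjectName').'#text'
        }
    } | Format-Table -AutoSize
```

    The limitation post #2 raises still applies: the same domain admin can clear the Security log (event 1102) or switch the subcategory off again (event 4719), so the events are only worth something if they are forwarded as they occur, via Windows Event Forwarding or a SIEM agent, to a collector the domain admins do not administer.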

    #4 paul78, Senior Member | Join Date: Feb 2012 | Posts: 2,426
    Welcome to TE.

    The most cost-effective method to prevent domain admins from accessing confidential material on a network share is to deploy a network share encryption mechanism. It could be as simple as using WinZip archives where the password is only known to the privileged users, or using open-source tools like TrueCrypt (Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux).

    This method will still give you the benefits of file sharing, file replication and backups, while maintaining confidentiality for the correct folks.

    There are commercial solutions as well; check out Symantec (Encrypt Files: Folder & Server Encryption), and there are other vendors with similar offerings such as McAfee, Entrust, etc.

    I haven't looked into the access mechanisms of Windows EFS, but that could be a possibility as well.

    Depending on the size of the organization that you are supporting and the number of locations - TrueCrypt may suffice.
    Last edited by paul78; 06-17-2012 at 05:54 PM.
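    The "encrypt on the share, hold the key elsewhere" approach from post #4, as an added example that is not part of the original thread. It swaps the WinZip/TrueCrypt tools named above for PowerShell's built-in CMS cmdlets (Protect-CmsMessage / Unprotect-CmsMessage, Windows PowerShell 5.x or PowerShell 7 on Windows), which encrypt a file to a certificate so the copy on the file server is ciphertext and only the holder of the private key can open it. The certificate subject, file names and sample content are constructed placeholders.

```powershell
# Added example, not from the thread.  Encrypts an HR document to an HR-owned
# certificate so that what sits on the share is an opaque CMS blob; the
# private key never leaves the HR user's own store.  The names
# (CN=HR-Documents, the file paths) and the sample text are constructed.

# 1. One-time, on an HR workstation: create a document-encryption certificate
#    whose private key is marked non-exportable.
$hrCert = New-SelfSignedCertificate -Subject 'CN=HR-Documents' `
    -Type DocumentEncryptionCert -KeyUsage KeyEncipherment `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy NonExportable `
    -CertStoreLocation Cert:\CurrentUser\My

# 2. Export only the public half.  Anyone (including IT) may hold this file;
#    it lets them encrypt TO HR, not decrypt.
$pub = Export-Certificate -Cert $hrCert -FilePath "$env:TEMP\hr-documents.cer"

# 3. Encrypt a constructed sample document and drop the plaintext.
$plain  = "$env:TEMP\layoffs-2012Q3.txt"
$cipher = "$env:TEMP\layoffs-2012Q3.txt.cms"
Set-Content -Path $plain -Value 'Constructed sample: confidential HR content'
Protect-CmsMessage -Path $plain -To $pub.FullName -OutFile $cipher
Remove-Item -Path $plain

# 4. What a domain admin browsing the share sees: a PEM-armoured CMS blob.
Get-Content -Path $cipher | Select-Object -First 3

# 5. Only a holder of the matching private key gets the plaintext back.
Unprotect-CmsMessage -Path $cipher
```

    Protect-CmsMessage accepts several -To recipients, so a second, offline "escrow" public certificate (private key kept in a safe, not by IT) can be added at encryption time; that addresses the forgotten-password and departed-employee cases raised later in the thread without handing the key to the domain admins. Two caveats remain: an administrator of the HR workstation can still read the plaintext while HR has it open, and the Security log on that workstation is the only record of such a session, so this raises the bar rather than removing the trust problem.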

    #5 Senior Member | Join Date: Aug 2011 | Posts: 683 | Certifications: CCNA/CCNA:V/ATSA-IN
    We had an IT policy where you had an "admin" account and a DA account. If you logged into the DA account, it sent a netmsg to the directors etc., you had to sign out the DA account for X amount of time, and auditing was configured. IT policy is the best way to go.

    #6 netsysllc, Senior Member | Join Date: Apr 2012 | Location: Sahuarita AZ | Posts: 472 | Certifications: MCSE
    I would agree that policies and auditing are the correct way to go here. There needs to be some level of trust with the IT staff. Not to mention, if you use third-party encryption then there is a possibility the files could be lost and not recoverable, which is not acceptable.

    #7 paul78, Senior Member | Join Date: Feb 2012 | Posts: 2,426
    Quote (originally posted by netsysllc): "There needs to be some level of trust with the IT staff."

    Unfortunately, this is not always about trust. There is data that is sometimes strictly not for all eyes, and leakage of that data could cause irreparable harm to the business. For example, a pending merger or sale, HR information such as layoffs, personally identifiable information, etc., etc.

    #8 Senior Member | Join Date: Oct 2010 | Posts: 857 | Certifications: CISSP, CEH
    Quote (originally posted by paul78): "Unfortunately, this is not always about trust. There is data that is sometimes strictly not for all eyes, and leakage of that data could cause irreparable harm to the business. For example, a pending merger or sale, HR information such as layoffs, personally identifiable information, etc., etc."

    This is true, but in a lot of cases the company should have NDAs and memorandums for their administrators to sign. This way they are held accountable for their actions and can still administer the network.

    You can lock this stuff down so that domain admins cannot look into the file. I do like the idea of encrypting the files, but what happens if the individual forgets the password, etc.? Disaster recovery plans need to be made, and a policy structure.

    #9 Senior Member | Join Date: Apr 2012 | Location: Philippines | Posts: 800 | Certifications: MCSA Win7, MCSA 2003 & 2008, MCS, CCNA, VCP5
    Why not just keep those sensitive files on a USB drive?

    #10 cyberguypr, Senior Member | Join Date: May 2007 | Location: Chicago, IL | Posts: 5,774 | Certifications: GCFE, GCED, GCIH, CISSP, CCSP, and others that should never be mentioned
    Even better, a floppy disk. HA!

    #11 Senior Member | Join Date: Apr 2012 | Location: Philippines | Posts: 800 | Certifications: MCSA Win7, MCSA 2003 & 2008, MCS, CCNA, VCP5
    Why not? It's got the write-protection switch, so the files will be protected from the evil admin.

    #12 pizzaboy, Senior Member | Join Date: Feb 2006 | Location: Barbados, Caribbean | Posts: 219 | Certifications: Network+, MCSA:2003, MCTS: Win7
    lol that's funny
    God deserves my best

    #13 blargoe, Self-Described Huguenot | Join Date: Nov 2005 | Location: NC | Posts: 4,088 | Certifications: VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    HR managing their own encryption works until someone forgets their password, leaves the company, etc. If using freebie tools, that will happen sooner or later. If using something like EFS in Windows, that's still a risk unless an enterprise PKI is set up with recovery agents, etc., but then you're giving the domain admin the control again.

    The only other thing I could think of is to give the HR folks their own domain or a standalone server that is not managed by the domain, and make them in charge of backing everything up, etc. When IS support is required, give them the admin password and change it after the support request is fulfilled.

    IMO, I agree with the others above: auditing, and not allowing domain admins to generally log in with their DA credentials, is a good way to go. Really, you should have very, very few domain admins anyway. If you are not managing group policy or adding/removing domain controllers, you don't need to be using a DA account.
    IT guy since 12/00

    Recent: 3/22/2017 - Passed Microsoft 70-412; 2/11/2017 - Completed VCP6-DCV (passed 2V0-621)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), more Linux, AWS Solution Architect (Associate)
    Thinking about: VCP6-CMA, MCSA 2016, Python, VCAP6-DCD (for completing VCIX)
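    The "someone just used a DA account" signal that post #5 raised with a netmsg and post #13 argues for, as an added example that is not part of the original thread: it resolves the current Domain Admins membership, scans the domain controller's Security log for interactive (console) and RDP logons by those accounts, and raises an alert event. It assumes the ActiveDirectory module and Windows PowerShell 5.1 (for Write-EventLog); the event source name DA-Logon-Watch is a placeholder, and the alert action should be whatever the site already monitors.

```powershell
# Added example, not from the thread.  Flags interactive / RDP logons made
# with a Domain Admins account.  Run on a domain controller, or point it at
# a collector that receives forwarded DC Security logs.  Assumes the
# ActiveDirectory module; the event source 'DA-Logon-Watch' is a placeholder.

Import-Module ActiveDirectory

# Current DA membership, nested groups included, normalised to lower case.
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# 4624 = successful logon.  LogonType 2 = interactive console, 10 = RDP.
# Type 3 (network: SMB, WinRM, LDAP) is left out because DA accounts used
# correctly still generate it constantly and it would drown the signal.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $d         = ([xml]$e.ToXml()).Event.EventData.Data
    $user      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
    $logonType = ($d | Where-Object Name -eq 'LogonType').'#text'
    $source    = ($d | Where-Object Name -eq 'IpAddress').'#text'
    if ($logonType -in '2', '10' -and $daMembers -contains $user.ToLowerInvariant()) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $user
            Type   = $logonType
            Source = $source
            Host   = $e.MachineName
        }
    }
}

$hits | Format-Table -AutoSize

# Alert.  An Application-log warning that an existing monitoring system (or a
# scheduled task running Send-MailMessage) can pick up stands in for the
# netmsg to the directors described in post #5.
if ($hits) {
    if (-not [System.Diagnostics.EventLog]::SourceExists('DA-Logon-Watch')) {
        New-EventLog -LogName Application -Source 'DA-Logon-Watch'
    }
    Write-EventLog -LogName Application -Source 'DA-Logon-Watch' -EventId 1000 `
        -EntryType Warning -Message ("Domain Admin interactive logon(s):`n" + ($hits | Out-String))
}
```

    As with file auditing, the account being watched is the one that can clear the log or stop the script, so the check belongs on a collector the domain admins do not administer, fed by event forwarding. Once the DA group is as small as post #13 recommends, every hit from this query should match a change ticket, and anything that does not is worth a conversation.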
