NT file system security

Guest

For a PC that runs Windows XP Pro and is a member of a domain, can we
really protect all the files within a certain local hard disk folder
(including its subdirectories) from unauthorized access?

If the following are requirements:
- the group of domain administrators is always (in this case) set as one of
the local PC administrators.
- As usual, we have to allow the domain administrator to reset the user's
domain logon password
- access by the Domain administrator group has to be restricted too.
- these files cannot be accessed remotely by any person, including the
administrators
- The local, built-in Administrator account has a password known to the
Domain Administrator
- For example, our Finance Mgr is the only person to access these files and
we want him to be the only person having the key to those files.

My guess is that the following may be a solution (not too sure if this is correct):
- while in the Domain user logon, create a folder XX with access restricted
to the domain account user of our Finance Mgr only
- at the end of a day the user must log-off from the Domain user account
- sign-on the pc with a LOCAL user name (not Domain user name) where he is
the only person having the password
- create a special folder LL, under C:\ drive
- set security/share permission to allow access to this folder by the
finance manager local account (who is the Creator) only
- create/move those files from other directories to this folder LL that
requires top-access restriction

I think the above should give the required security but I can't resolve one
problem (actually not sure if there is such a problem). The problem is: when
he needs to go back to the domain (which is always the case), can he access
or copy back these files from YY back to LL easily? If it prompts to enter a
password for the local user account, that is not a deal. But if not, is there
a solution?
 
Lanwench [MVP - Exchange]

ykffc said:
For a PC that runs Windows XP Pro and is a member of a domain, can
we really protect all the files within a certain local hard disk
folder (including its subdirectories) from unauthorized access?

Look into EFS.

If the following are requirements:
- the group of domain administrators is always (in this case) set as
one of the local PC administrators.
- As usual, we have to allow the domain administrator to reset the
user's domain logon password
- access by the Domain administrator group has to be restricted too.
- these files cannot be accessed remotely by any person, including the
administrators
- The local, built-in Administrator account has a password known to
the Domain Administrator
- For example, our Finance Mgr is the only person to access these
files and we want him to be the only person having the key to those
files.

My guess is that the following may be a solution (not too sure if this is
correct):
- while in the Domain user logon, create a folder XX with
access restricted to the domain account user of our Finance Mgr only
- at the end of a day the user must log-off from the Domain user
account
- sign-on the pc with a LOCAL user name (not Domain user name) where
he is the only person having the password
- create a special folder LL, under C:\ drive
- set security/share permission to allow access to this folder by the
finance manager local account (who is the Creator) only
- create/move those files from other directories to this folder LL
that requires top-access restriction

I think the above should give the required security

No, this won't work. Administrators can take ownership of any unencrypted
files/folders and access them. And you don't want anyone to use a local
workstation account - always domain accounts (using cached credentials when
offsite). And no data should reside on a workstation hard drive - keep it
all on the server.

but I can't
resolve one problem (actually not sure if there is such a problem),
The problem is: when he needs to go back to the domain, (which is
always the case) , can he access or copy back these files from YY
back to LL easily? If it prompts to enter a password for the local
user account, that is not a deal. But if not, is there a solution?

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
should be helpful. Be very careful. Encryption works. If you don't have a
backup of the certificate keys, and something goes awry, the data will be
inaccessible to all.
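
An added example, not part of the reply above: the EFS steps it points to, as typed at a Windows XP Pro command prompt while logged on as the Finance Manager's domain account. `C:\LL` is the folder name from the question; the backup path `E:\efs-key-backup` is an assumption (removable media).

```bat
@echo off
rem Added example. C:\LL comes from the question; E:\efs-key-backup is an
rem assumed path on removable media. Run as the account that must own the
rem key: EFS encrypts with the certificate of the user who runs cipher.

rem 1. Encrypt the folder, its subfolders and the files already in them.
rem    /e = encrypt, /a = act on files as well as directories,
rem    /s = apply to the given directory and all subdirectories.
cipher /e /a /s:C:\LL

rem 2. Confirm the result. Each entry is listed with "E" (encrypted) or
rem    "U" (unencrypted); anything still marked "U" is readable by whoever
rem    can change the NTFS permissions.
cipher C:\LL\*

rem 3. Back up the EFS certificate and private key. cipher prompts for a
rem    password and writes E:\efs-key-backup.PFX. Without this file, a lost
rem    profile or reinstalled machine leaves the data unreadable by anyone.
cipher /x E:\efs-key-backup

rem 4. Review the NTFS ACL as well. Encryption protects file contents;
rem    the ACL still decides who can list, delete or replace the files.
cacls C:\LL
```

Keep the .PFX file and its password away from the workstation, and test a restore of the certificate before relying on the backup.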
 
Harry Johnston

ykffc said:
If the following are requirements:
- these files cannot be accessed remotely by any person, including the
administrators

It isn't possible to prevent a malicious administrator from accessing a file (or
pretty much anything else). It is possible to prevent an administrator from
accidentally accessing a file they aren't supposed to.

- For example, our Finance Mgr is the only person to access these files and
we want him to be the only person having the key to those files.

If you really want the Finance Manager to be the only person who can access the
files they will need to be on a stand-alone machine, preferably with no network
connection, which he administers himself and which is physically secured. You
also need to consider a backup system, and a recovery plan for the data if the
Finance Manager is no longer available for whatever reason.

Harry.
 
