Author: Bill Zimmerman (Guest)
Posted: Fri Dec 10, 2004 4:57 am
Post subject: Privacy from Everyone

Is there any way to keep files/folders on a Windows 2003 server private for
an individual user, even from the system administrator?

Author: Miha Pihler (Guest)
Posted: Fri Dec 10, 2004 10:43 pm
Post subject: Re: Privacy from Everyone

Hi Bill,

To prevent access to your files from ordinary users, you can always use NTFS
and set permissions on your files and folders.

Keeping files away from an administrator is a bit harder -- especially if
the administrator knows what he/she is doing. You could use EFS (Encrypted Files
System) to protect your files on the hard drive, but if the administrator has set up
a DRA (Data Recovery Agent), he can use this agent account to open and view the
content of any encrypted file.

I usually explain to my users that there is no privacy from administrators
on the company network and on company-owned computers.

The last option that you can use is to have your personal files on a USB drive.
Plug it into the computer, work on the file. Once you are done, unplug the USB drive
and store it in a safe place.

Some USB drives even allow you to protect data with an additional password
before you can access information stored on the USB drive.

Mike

"Bill Zimmerman" <wzimmerman@masifl.com> wrote in message
news:XL4ud.446$Sp3.380@newsread3.news.atl.earthlink.net...
Quote: Is there any way to keep files/folders on a Windows 2003 server private
for an individual user, even from the system administrator?

Author: Roger Abell (Guest)
Posted: Sun Dec 12, 2004 4:32 am
Post subject: Re: Privacy from Everyone

EFS used in an environment where the DRA either does
not have the private key loaded, or where the DRA is a
strictly controlled account subject to complete monitoring
and usage accountability.

If a rogue admin attempts to access the EFS protected data
it must either be by use of the EFS-entitled account, or by
use of the DRA account. If access is attempted via the entitled
account, then the admin needs to get processes running as that
account. For most admins this means being able to log in as
that account - but, as you say this is post-W2k, this cannot be
accomplished by changing the password and logging in, as
changing the password will break EFS accessibility for the
entitled account.

Any storage can be set so that it is accessible only by a
specific account. An admin could obtain access, but not
accidentally with a click. If this strategy is used, then tight
control is needed over the backup and restore privileges
and their use, and monitoring of the storage area for any
change in ACLing and of the account's password for any
changes (with subsequent restore).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Bill Zimmerman" <wzimmerman@masifl.com> wrote in message
news:XL4ud.446$Sp3.380@newsread3.news.atl.earthlink.net...
Quote: Is there any way to keep files/folders on a Windows 2003 server private
for an individual user, even from the system administrator?
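
One way to do the "monitoring of the storage area for any change in ACLing" that the reply above calls for, as an added example that is not part of the original thread. The share path and baseline file are hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example: record, then re-check, the owner and ACL of a private folder.
# Assumptions: Windows PowerShell 3.0+; both default paths are hypothetical.
param(
    [string]$Path         = '\\fileserver\private\bill',
    [string]$BaselineFile = 'C:\Audit\bill-acl-baseline.xml',
    [switch]$SaveBaseline
)

function Get-AclSnapshot {
    param([string]$Target)
    # The folder itself plus everything below it, hidden items included.
    $items = @(Get-Item -LiteralPath $Target -Force) +
             @(Get-ChildItem -LiteralPath $Target -Recurse -Force)
    foreach ($item in $items) {
        # Needs "Read permissions" on each item; failures surface as errors.
        $acl = Get-Acl -LiteralPath $item.FullName
        [pscustomobject]@{
            Path  = $item.FullName
            Owner = $acl.Owner
            Sddl  = $acl.Sddl    # owner, group and DACL in SDDL text form
        }
    }
}

if ($SaveBaseline) {
    Get-AclSnapshot $Path | Export-Clixml -Path $BaselineFile
    return
}

# Index the stored baseline by path, then report every difference.
$baseline = @{}
Import-Clixml -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_ }
$seen = @{}

foreach ($now in Get-AclSnapshot $Path) {
    $seen[$now.Path] = $true
    $then = $baseline[$now.Path]
    if (-not $then) {
        "NEW     $($now.Path)"
    } elseif ($then.Owner -ne $now.Owner) {
        "OWNER   $($now.Path): $($then.Owner) -> $($now.Owner)"
    } elseif ($then.Sddl -ne $now.Sddl) {
        "ACL     $($now.Path)`n  was: $($then.Sddl)`n  now: $($now.Sddl)"
    }
}
# Items that were in the baseline but are gone now.
$baseline.Keys | Where-Object { -not $seen.ContainsKey($_) } |
    ForEach-Object { "MISSING $_" }
```

Run it once with -SaveBaseline and afterwards without the switch; any output line is a change to investigate.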

Author: Bill Zimmerman (Guest)
Posted: Fri Dec 17, 2004 9:18 pm
Post subject: Re: Privacy from Everyone

Is there any problem using a package like Cryptainer?

"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:%23L4$Wdt3EHA.1564@TK2MSFTNGP09.phx.gbl...
Quote:
Hi Bill,

To prevent access to your files from ordinary users, you can always use
NTFS and set permissions on your files and folders.

Keeping files away from an administrator is a bit harder -- especially if
the administrator knows what he/she is doing. You could use EFS (Encrypted
Files System) to protect your files on the hard drive, but if the administrator has
set up a DRA (Data Recovery Agent), he can use this agent account to open and
view the content of any encrypted file.

I usually explain to my users that there is no privacy from
administrators on the company network and on company-owned computers.

The last option that you can use is to have your personal files on a USB drive.
Plug it into the computer, work on the file. Once you are done, unplug the USB
drive and store it in a safe place.

Some USB drives even allow you to protect data with an additional password
before you can access information stored on the USB drive.

Mike

"Bill Zimmerman" <wzimmerman@masifl.com> wrote in message
news:XL4ud.446$Sp3.380@newsread3.news.atl.earthlink.net...
Is there any way to keep files/folders on a Windows 2003 server private
for an individual user, even from the system administrator?