Locking folders to prevent other system admins access

mplutodh1

Senior member
Nov 26, 2004
305
0
0
Is it possible to prevent other system admins access to folders in windows 2003 server? i have 3 system admins on my server just because we all are trying to learn with it but I am going to store some of my business files on there as backup but don't want the other admins to have access to that folder. Can I do this and prevent them from changing the permissions some how?
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: mplutodh1
Is it possible to prevent other system admins access to folders in windows 2003 server? i have 3 system admins on my server just because we all are trying to learn with it but I am going to store some of my business files on there as backup but don't want the other admins to have access to that folder. Can I do this and prevent them from changing the permissions some how?

If they are full admin they can change whatever they want. You can deny them the rights on the folder, but they can take control of the folder if they'd like - but you can audit that so you'd know what they've done if you'd like.
 

mplutodh1

Senior member
Nov 26, 2004
305
0
0
Honestly its not a HUGE issue I just really don't want business data to be messed with, too risky for me. I know they probably wouldnt, or else I wouldnt trust them to have access as admins, maybe I'll just leave the server the way it is and store mp3s and crap on it instead.

Then work with setting up a VPN that my desktop can be in for me to access elsewhere.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: mplutodh1
Honestly its not a HUGE issue I just really don't want business data to be messed with, too risky for me. I know they probably wouldnt, or else I wouldnt trust them to have access as admins, maybe I'll just leave the server the way it is and store mp3s and crap on it instead.

Then work with setting up a VPN that my desktop can be in for me to access elsewhere.

If it's not a huge issue, and you basically trust them, then turn on 2003's auditing and deny access to their accounts for that folder. They lose access, and you can set it up so you get paged/e-mailed if they ever change rights to that folder.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: dclive
Originally posted by: M00T
Encryption.


If they're admins they can create an account that will let them decrypt the files.

Only if you use the built in EFS. If you use PGP/GnuPG or another (probably lesser) product, you should be relatively safe.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Re: Other's posting of encryption - how will that prevent others from erasing the files by accident?

I still see limiting access with the deny flag the best way to handle this...
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: dclive
Re: Other's posting of encryption - how will that prevent others from erasing the files by accident?

I still see limiting access with the deny flag the best way to handle this...

You make it a non-issue. If you deny them access they would actively have to modify the file's permissions to be able to delete it. If they have to do that, it isn't an accident. ;)

The encryption keeps the contents safe, proper precautions (GOOD backups, key security, etc.) are still important.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: dclive
Right. :) That's why I believe denying access is the best solution. :)

It's a partial solution, at best. With the encryption, the data cannot be messed with (as per a requirement from the OP), but with just denying access the files can.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Agreed, the files can be messed with - that would require specific action (take control) on the part of the other admins.

Encryption is good if it is believed that someone is going to actively go after the files; I completely agree. I was positing that the other admins wouldn't do that given the OPs general comments.