Restricting Domain Admin to files/file share?

gmc8757

Member
Feb 9, 2005
170
0
0
I have a question regarding domain admins. I have a server here with very sensitive info. The files and folders themselves have very restrictive permissions for the end users. I need to find a way to restrict even the Domain Admins from this info. Right now a domain admin doesn't have permission to the files, so they can't read the files as is, but they can just add themselves to the permissions, and then they have all the access they want.

Is there any way of restricting the Domain Admins group from this file share at all? If I take the server out of the domain, I lose all the users' permissions. Any ideas?
Thanks a lot.
 

gmc8757

Member
Feb 9, 2005
170
0
0
I know you can "Deny" Domain Admins in the security settings, but then the domain admin can Remote Desktop into the server and just change the permissions again.

I was thinking about some software that would put a password on the folder itself and just require the user to enter the password any time they want to access it, including the domain admin, only they wouldn't know the password. Anyone know anything like this?
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Yeah, you'd have to use third-party software and encrypt the files and folders. Don't lose the password, and be sure the software is reliable! There's really no other way to lock out a knowledgeable Domain Administrator.

Unfortunately, some files (such as SQL databases) don't take well to encryption.
 

gmc8757

Member
Feb 9, 2005
170
0
0
I haven't really found any good software to do this over the network. I've found software that will password-protect the folder locally, but not across the net. I'll keep looking, I guess. Thanks.
 

JDMnAR1

Lifer
May 12, 2003
11,984
1
0
Probably not the silver bullet you are looking for, but you can remove Domain Admins from the local Administrators group if you have local admin rights on the server in question. Just curious, but do you not have any kind of confidentiality agreement in place that prohibits your domain admins from accessing data on the network just because they can?
 

gmc8757

Member
Feb 9, 2005
170
0
0
You think removing the domain admins is the best solution? We do have a policy in place, but we'd like to restrict them if we can.
 

tommytran

Senior member
Nov 10, 2000
291
0
0
Looks like you already have the solution.

- Removing the domain admin account from the local admin group will prevent him from remotely accessing the server.
- Sharing the folder with deny access for the Domain Admins group will prevent him from accessing the content.

To remove the domain account from the local admin group, click Start -> Administrative Tools -> Computer Management and look under "Local Users and Groups".

Edit: remember to change the local admin password.
 

gmc8757

Member
Feb 9, 2005
170
0
0
I think this is what we're going to do. I would rather find some software that will still allow the domain admins to be admins on the server but prompt for a totally different password when trying to access this one folder. If I can't find this software soon, I'm just going to do like we mentioned above. Thanks for the responses, by the way.
 

JDMnAR1

Lifer
May 12, 2003
11,984
1
0
You do realize that if you remove Domain Admins from the local Administrators group on the machine without authorization (from someone who can make it stick) you may be opening a can of worms best left alone. You know the old saying "Hell hath no fury like a woman scorned" - if it was written in an IT shop it would involve circumvented admins instead of a scorned woman. Additionally, you would want to verify that doing this would not leave your server in a state where it can no longer be backed up, etc.
 

gmc8757

Member
Feb 9, 2005
170
0
0
The backup thing is definitely a concern. I have to present to the dept the pros and cons of doing this. Basically... if we remove Domain Admins from the local Admins group, we would give the Finance dept local administrative rights to the server, and the IT dept would not know this password, hence not having any admin rights to the server at all. I would have to make an AD user (where the Finance dept sets the password again) that I can use with BackupExec to back the data up. Then... if I'm backing it up, what's to keep me from taking the backup tape, restoring it to a different server where I have admin rights, and changing the permissions? Nothing. Not to mention if Finance forgets the local admin password of the server (I know you can change this with a bootable CD, but I don't need to really tell them that part).
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: gmc8757
The backup thing is definitely a concern. I have to present to the dept the pros and cons of doing this. Basically... if we remove Domain Admins from the local Admins group, we would give the Finance dept local administrative rights to the server, and the IT dept would not know this password, hence not having any admin rights to the server at all.
Right. And now you have a (supposedly) important server with NOBODY who knows anything about servers able to keep it running correctly. And, as you mentioned, it's likely the Domain Administrator will have access to the backups.

In the end, you have to trust your Domain Admins. If you can't, then get new ones.
 

gmc8757

Member
Feb 9, 2005
170
0
0
This is good, I really appreciate your comments on this, guys. I guess I can only show them what can be done and what I would recommend. At this point, I would recommend keeping it the way it is; there are only 4 domain admins, maybe going down to 3. Trust is a big issue, I guess.
 

tommytran

Senior member
Nov 10, 2000
291
0
0
Originally posted by: gmc8757
This is good, I really appreciate your comments on this, guys. I guess I can only show them what can be done and what I would recommend. At this point, I would recommend keeping it the way it is; there are only 4 domain admins, maybe going down to 3. Trust is a big issue, I guess.

I agree. The domain admin is the guy who knows all the activity/confidential information on the network. This guy needs to keep his mouth shut and get the job done. On the other hand, as a domain admin, I wouldn't work for a company that doesn't trust me or restricts my ability to manage their network.
 

gmc8757

Member
Feb 9, 2005
170
0
0
So this is what we figured out... I'll be the only domain admin with access, and I'm going to change the local password and give it to two other people in the Finance dept. I'll also deny Domain Admins access to the share. I think this should work out pretty well. Backup shouldn't be a problem, and it restricts just about everyone else.
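The procedure tommytran laid out (remove Domain Admins from the local Administrators group, deny them on the folder, rotate the local admin password) and the plan in the post above, scripted as one run. This is an added example, not code from anyone in the thread. The domain name CONTOSO, the folder D:\Finance, the group CONTOSO\Finance-Staff, and the backup account CONTOSO\svc-backup are assumed names for illustration. The Get-LocalGroupMember / Remove-LocalGroupMember / Set-LocalUser cmdlets come with the LocalAccounts module (Windows Server 2016+, PowerShell 5.1); on a 2005-era Windows Server 2003 box you would use Computer Management as tommytran describes, or `net localgroup Administrators "CONTOSO\Domain Admins" /delete` and `net user Administrator *`.

```powershell
# Added example: lock a sensitive folder down so Domain Admins have neither
# local admin rights on this file server nor NTFS access to the data.
# Run in an elevated PowerShell session on the file server itself.
# Assumed names (not from the thread): CONTOSO, D:\Finance,
# CONTOSO\Finance-Staff and CONTOSO\svc-backup.

$Domain       = 'CONTOSO'
$FolderPath   = 'D:\Finance'
$DataGroup    = "$Domain\Finance-Staff"
$BackupAcct   = "$Domain\svc-backup"
$DomainAdmins = "$Domain\Domain Admins"

# 1. Remove Domain Admins from the local Administrators group so they can no
#    longer RDP in as an administrator and re-grant themselves the folder.
if (Get-LocalGroupMember -Group 'Administrators' -Member $DomainAdmins -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DomainAdmins
}

# 2. Rotate the built-in local Administrator password (tommytran's edit), so a
#    former Domain Admin cannot fall back on a credential they already know.
$NewPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString
Set-LocalUser -Name 'Administrator' -Password $NewPassword

# 3. Rebuild the NTFS ACL on the folder: stop inheritance, clear the explicit
#    ACEs, then grant the data group and the backup account and add an explicit
#    Deny for Domain Admins. Deny ACEs are evaluated before Allow ACEs at the
#    same level, so a leftover Allow via some other group membership loses.
$acl = Get-Acl -Path $FolderPath
$acl.SetAccessRuleProtection($true, $false)        # protect ACL, discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow'),   # the local admins Finance now holds
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $DataGroup, 'Modify', $inherit, $prop, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $BackupAcct, 'Read', $inherit, $prop, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $DomainAdmins, 'FullControl', $inherit, $prop, 'Deny')
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $FolderPath -AclObject $acl

# 4. Verify: Domain Admins should appear only with a Deny ACE, and should no
#    longer be a member of the local Administrators group.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { $_.IdentityReference -eq $DomainAdmins } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource -AutoSize
```

Two caveats the thread touches on are worth making explicit. First, the backup account (or anyone holding SeBackupPrivilege, such as members of Backup Operators) reads the data regardless of this ACL, which is exactly gmc8757's point about restoring the tape elsewhere; the Deny ACE controls access through the file system, not through the backups. Second, the server stays domain-joined, so whoever administers the domain still controls the Group Policy that applies to it and can use Restricted Groups to put Domain Admins back into local Administrators. This configuration raises the bar and leaves an audit trail for a Domain Admin who wants in; it does not make them unable to get in, which is why the thread lands on trusting a small number of admins.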