What is the best way to restrict access to Domain Admins on certain folders?

Thread starter: Ravi

Some of the folders in our file system contain sensitive financial
data. The file server is managed by our IT department. How do I
restrict the people in Domain Admins group (some of them are from IT
Department) from accessing sensitive data? If I remove read
permissions to Domain Admins, backup jobs may fail.
 
Re: What is the best way to restrict access to Domain Admins on certain folders?

Try checking out some of the many replies you've received to your many posts
in other newsgroups.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/



"Ravi" wrote in message
news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail
 
Re: What is the best way to restrict access to Domain Admins on certain folders?

ACLs won't help to *really* restrict access - Domain Admins can typically
take ownership and change permissions directly or indirectly.

EFS with DRAs that *are not* the Domain Admins but trusted individuals is
the best option off the top of my head. If the DRA and user key pairs and
associated certificates are properly protected (stored on smart cards),
this is pretty much the best it can get without third-party components.

Regards,
Dob

--
---
HTH,
Dobromir

Learn more about Security and Identity Management:
Visit http://www.iamechanics.com

"Ravi" wrote in message
news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read
> permissions to Domain Admins, backup jobs may fail
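As an added example that is not part of any post in this thread: a PowerShell session showing why a Deny ACE does not hold against a Domain Admin, followed by the EFS/DRA setup and a check of who can actually decrypt a file. The folder D:\Finance, the domain CONTOSO, the file ledger.xlsx, the DRA certificate path and the presence of the ActiveDirectory RSAT module are all assumptions; the Group Policy import of the recovery certificate is a GUI step and is only described in the comments.

```powershell
# Added example, not from the thread. Assumed (hypothetical) names:
# sensitive folder D:\Finance, domain CONTOSO, a sample file ledger.xlsx,
# and the ActiveDirectory RSAT module installed for the membership check.
$Folder = 'D:\Finance'

# --- 1. Why a Deny ACE alone is not a control against Domain Admins ---
# Looks strong on paper:
icacls $Folder /deny 'CONTOSO\Domain Admins:(OI)(CI)(F)'

# But Domain Admins is a member of the local Administrators group on every
# domain member, and Administrators hold SeTakeOwnershipPrivilege, so a
# Domain Admin can take the tree back and regrant access without any ACE:
takeown /f $Folder /r /d Y
icacls $Folder /remove:d 'CONTOSO\Domain Admins' /t
icacls $Folder /grant 'CONTOSO\Domain Admins:(OI)(CI)(F)' /t
# Only the owner field changed, plus a 4670 (permissions changed) event if
# object-access auditing is on. The deny bought an audit trail, not control.

# --- 2. EFS with a recovery agent who is not a Domain Admin ---
# Generate the DRA key pair and certificate. The .pfx (private key) can
# decrypt every file covered by the policy: move it to a smart card or an
# offline safe held by the trusted individual and delete it from this box.
# Only the .cer is imported into Group Policy under Computer Configuration >
# Windows Settings > Security Settings > Public Key Policies >
# Encrypting File System (GUI step, not scripted here).
cipher /r:C:\dra\contoso-efs-dra

# Once the policy has applied, the data owner (not IT) encrypts the tree.
# Files under the folder get the owner's EFS certificate plus the policy's
# DRA certificate in their EFS metadata.
cipher /e "/s:$Folder"

# --- 3. The check: who can actually open a given file? ---
# cipher /c lists the user certificates and the recovery certificates that
# can decrypt the file. A Domain Admin whose account appears there can read
# the plaintext; anyone else gets only ciphertext, whatever the ACL says.
function Test-EfsDecryptors {
    param([Parameter(Mandatory)][string]$Path)

    $info   = cipher /c $Path 2>&1 | Out-String
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
              Select-Object -ExpandProperty SamAccountName

    # Substring match on the account names as cipher prints them.
    $hits = $admins | Where-Object { $info -match [regex]::Escape($_) }
    [pscustomobject]@{
        Path               = $Path
        DomainAdminsListed = @($hits)
        Raw                = $info
    }
}

$result = Test-EfsDecryptors -Path "$Folder\ledger.xlsx"
if ($result.DomainAdminsListed.Count -gt 0) {
    Write-Warning "Domain Admins can decrypt $($result.Path): $($result.DomainAdminsListed -join ', ')"
} else {
    "No Domain Admin holds a user or recovery certificate for $($result.Path)"
}
```

Two caveats a practitioner would add. The check matches account names, so it also reports a Domain Admin who holds an ordinary user certificate for the file because the owner shared it with them, which is usually what you want to know. And none of this stops a Domain Admin who can edit the EFS policy or log on as the data owner, so the Group Policy object carrying the recovery certificate and the owners' own keys (ideally on smart cards, as Dobromir says) need the same protection as the data.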
 
Re: What is the best way to restrict access to Domain Admins on certain folders?

On Mar 19, 10:06 pm, "Dobromir Todorov" wrote:
> ACLs won't help to *really* restrict access - Domain Admins can typically
> take ownership and change permissions directly or indirectly.
>
> EFS with DRAs that *are not* the Domain Admins but trusted individuals is
> the best option off the top of my head. If the DRA and user key pairs and
> associated certificates are properly protected (stored on smart cards),
> this is pretty much the best it can get without third-party components.
>
> Regards,
> Dob
>
> --
> ---
> HTH,
> Dobromir
>
> Learn more about Security and Identity Management:
> Visit http://www.iamechanics.com
>
> "Ravi" wrote in message
>
> news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
>
>
>
> > Some of the folders in our file system contain sensitive financial
> > data. The file server is managed by our IT department. How do I
> > restrict the people in Domain Admins group (some of them are from IT
> > Department) from accessing sensitive data? If I remove read
> > permissions to Domain Admins, backup jobs may fail

Thank you. Looks like this will be the best solution for our scenario.
 
Re: What is the best way to restrict access to Domain Admins on certain folders?

"Ravi" wrote in message
news:bcb0ff16-dced-4ad3-89d0-b866e81b552e@e23g2000prf.googlegroups.com...
> Some of the folders in our file system contain sensitive financial
> data. The file server is managed by our IT department. How do I
> restrict the people in Domain Admins group (some of them are from IT
> Department) from accessing sensitive data? If I remove read


Oh my!! You mean some are not!!

> permissions to Domain Admins, backup jobs may fail


Most backup software will not fail if there is no grant to the
account used to run the backup, as backup software uses a set
of backup/restore APIs that is exempt from NTFS ACL checks.

Your best approach is to store the data on a machine that is
not domain-joined or to acquire and use a rights management
package. Use of EFS can be problematic in that you likely have
this placed in the file system so that a number of people can have
access to it, but that can be a pain with EFS (yes, someone who
can decrypt the file can add another account to the ability, but
in practice this is not as convenient as one might like).

Roger
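Added example, not from Roger's post or from any backup vendor: a PowerShell backup run that goes through the backup API Roger refers to instead of an ACL grant, so the backup account needs no entry on the folder and, with EFS in place, never sees plaintext. The source folder, the backup share, the log path and the dedicated Backup Operators account are assumptions.

```powershell
# Added example, not from the thread. Assumed (hypothetical) values:
# source D:\Finance, target share \\backup01\finance$, log under C:\logs,
# and the script runs as a dedicated account that is in Backup Operators
# (which carries SeBackupPrivilege / SeRestorePrivilege) but appears
# nowhere in the folder's ACL.
$Source = 'D:\Finance'
$Target = '\\backup01\finance$\Finance'
$Log    = 'C:\logs\finance-backup.log'

# Ordinary file I/O is subject to the DACL: with no grant this must fail.
try {
    Copy-Item -Path "$Source\ledger.xlsx" -Destination $env:TEMP -ErrorAction Stop
    Write-Warning 'Plain copy succeeded: the backup account has an ACL grant it should not have'
} catch {
    "Plain copy denied, as expected: $($_.Exception.Message)"
}

# /B       backup mode: files are opened with FILE_FLAG_BACKUP_SEMANTICS,
#          which the kernel honours for a caller holding SeBackupPrivilege
#          and which skips the DACL check. This is the same path a backup
#          agent's backup/restore APIs use.
# /EFSRAW  EFS files are read with the raw (ciphertext) API, so the backup
#          account never sees plaintext and the copy stays decryptable only
#          by the original user and recovery certificates.
# /COPY:DATSO  keep data, attributes, timestamps, security (ACL) and owner,
#          so a restore reproduces the original permissions, not the
#          operator's.
robocopy $Source $Target /E /B /EFSRAW /COPY:DATSO /R:1 /W:1 /NP "/LOG+:$Log"

# robocopy exit codes are a bitmask: 0-7 are copy/skip/extra outcomes,
# 8 and above mean at least one file failed.
if ($LASTEXITCODE -ge 8) {
    throw "Backup failed, robocopy exit code $LASTEXITCODE; see $Log"
}

# Verify the copy is still ciphertext with the same decryptors as the
# source: the file shows as encrypted and the certificate lists match.
cipher /c "$Target\ledger.xlsx"
```

The point for Ravi's original worry is that removing Domain Admins from the folder's ACL does not break a backup run this way, because the backup never relied on the ACL. The flip side is that SeBackupPrivilege is itself a read-everything right for files that are not EFS-encrypted, so the account running this should be a dedicated service account rather than a person, Backup Operators membership should be monitored, and the target share needs an ACL at least as tight as the source.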
 