Log access or prevent access to private/confidential information.

Hi,

I would like to be able to log access to my folders from the network. That
is, I want to know when an administrator has accessed my drive. I have
private/confidential information on my PC and do not want administrators to
be able to access it, unless I give explicit permission. How can I achieve
this?

Thanks,


Robin.

Ask your administrators.

--=20
-------------------------------------------------------------------------=
-------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D
"Robin Tucker" wrote in message =
...
Hi,
=20
I would like to be able to log access to my folders from the network. =
That=20
is, I want to know when an administrator has accessed my drive. I =
have=20
private/confidential information on my PC and do not want =
administrators to=20
be able to access it, unless I give explicit permission. How can I =
achieve=20
this?
=20
Thanks,
=20
=20
Robin.=20
=20

In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Hi,

I would like to be able to log access to my folders from the network.
That is, I want to know when an administrator has accessed my drive. I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit
permission. How can I achieve this?

Thanks,


Robin.

As has been mentioned by David Candy, ask them. If you have, as it seems,
administrators then the implication is that the PC doesn't belong to you.
Private/confidential information should not really be kept on property not
belonging to you and the company has a right (and perhaps and obligation) to
monitor the contents of their property. Given that they're the admins and
likely able to access your account at any time (and probably have rules
regarding third party software installations) your best bet would be to
accept that anything you put on the work computer belongs, by default, to
the company or at least gives them rights to access it with or without your
consent.

Your personal computing should probably be done at home -- if you want to
keep your job. More and more companies, for various reasons, are starting to
not only monitor internet access but files on their PCs. With the increase
in various regulations (Sarbox, HIPPA, etc) it's in your best interest to
really keep your personal, private, and confidential data on a system that
you are the only administrator of. Note that this is mostly a U.S. thing
though the EU and surely other countries have similar policies.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes

Yes, it is company property. No, I am not asking that MY PERSONAL
INFORMATION be locked down. The administrators should not have the right to
view any/all information, some of which is potentially confidential such as,
for example, Personel Records. No I am not a n00b sitting in a cubicle
passing wind every 30 seconds. I am genuiunely asking this question, for
the purposes of security of personal information. How can we allow
administration of a network/domain, but protect information from prying
eyes, be they administrators or not.

Thankyou.



"Galen" wrote in message
...
In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Hi,

I would like to be able to log access to my folders from the network.
That is, I want to know when an administrator has accessed my drive. I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit
permission. How can I achieve this?

Thanks,


Robin.

As has been mentioned by David Candy, ask them. If you have, as it seems,
administrators then the implication is that the PC doesn't belong to you.
Private/confidential information should not really be kept on property not
belonging to you and the company has a right (and perhaps and obligation)
to monitor the contents of their property. Given that they're the admins
and likely able to access your account at any time (and probably have
rules regarding third party software installations) your best bet would be
to accept that anything you put on the work computer belongs, by default,
to the company or at least gives them rights to access it with or without
your consent.

Your personal computing should probably be done at home -- if you want to
keep your job. More and more companies, for various reasons, are starting
to not only monitor internet access but files on their PCs. With the
increase in various regulations (Sarbox, HIPPA, etc) it's in your best
interest to really keep your personal, private, and confidential data on a
system that you are the only administrator of. Note that this is mostly a
U.S. thing though the EU and surely other countries have similar policies.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes

You need to ask your administrators how to do this. Admins can't =
secretly peek at your documents. They are in charge and may prefer you =
to do it their way. They are the experts in your company on this =
subject. But basically you can't stop them but nor can they do it =
secretly.

Admins are used to concerns like this. To take action without their =
approval could be a criminal offense.
--=20
-------------------------------------------------------------------------=
-------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D
"Robin Tucker" wrote in message =
...
Yes, it is company property. No, I am not asking that MY PERSONAL=20
INFORMATION be locked down. The administrators should not have the =
right to=20
view any/all information, some of which is potentially confidential =
such as,=20
for example, Personel Records. No I am not a n00b sitting in a =
cubicle=20
passing wind every 30 seconds. I am genuiunely asking this question, =
for=20
the purposes of security of personal information. How can we allow=20
administration of a network/domain, but protect information from =
prying=20
eyes, be they administrators or not.
=20
Thankyou.
=20
=20
=20
"Galen" wrote in message=20
...
In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Hi,

I would like to be able to log access to my folders from the =
network.
That is, I want to know when an administrator has accessed my drive. =
I=20
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit
permission. How can I achieve this?

Thanks,


Robin.

As has been mentioned by David Candy, ask them. If you have, as it =
seems,=20
administrators then the implication is that the PC doesn't belong to =
you.=20
Private/confidential information should not really be kept on =
property not=20
belonging to you and the company has a right (and perhaps and =
obligation)=20
to monitor the contents of their property. Given that they're the =
admins=20
and likely able to access your account at any time (and probably have =

rules regarding third party software installations) your best bet =
would be=20
to accept that anything you put on the work computer belongs, by =
default,=20
to the company or at least gives them rights to access it with or =
without=20
your consent.

Your personal computing should probably be done at home -- if you =
want to=20
keep your job. More and more companies, for various reasons, are =
starting=20
to not only monitor internet access but files on their PCs. With the=20
increase in various regulations (Sarbox, HIPPA, etc) it's in your =
best=20
interest to really keep your personal, private, and confidential data =
on a=20
system that you are the only administrator of. Note that this is =
mostly a=20
U.S. thing though the EU and surely other countries have similar =
policies.

Galen
--=20

"You know that a conjurer gets no credit when once he has explained =
his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after =
all."

Sherlock Holmes
=20
=20

In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Yes, it is company property. No, I am not asking that MY PERSONAL
INFORMATION be locked down. The administrators should not have the
right to view any/all information, some of which is potentially
confidential such as, for example, Personel Records. No I am not a
n00b sitting in a cubicle passing wind every 30 seconds. I am
genuiunely asking this question, for the purposes of security of
personal information. How can we allow administration of a
network/domain, but protect information from prying eyes, be they
administrators or not.
Thankyou.



"Galen" wrote in message
...
In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Hi,

I would like to be able to log access to my folders from the
network. That is, I want to know when an administrator has accessed
my drive. I have private/confidential information on my PC and do
not want administrators to be able to access it, unless I give
explicit permission. How can I achieve this?

Thanks,


Robin.

As has been mentioned by David Candy, ask them. If you have, as it
seems, administrators then the implication is that the PC doesn't
belong to you. Private/confidential information should not really be
kept on property not belonging to you and the company has a right
(and perhaps and obligation) to monitor the contents of their
property. Given that they're the admins and likely able to access
your account at any time (and probably have rules regarding third
party software installations) your best bet would be to accept that
anything you put on the work computer belongs, by default, to the
company or at least gives them rights to access it with or without
your consent. Your personal computing should probably be done at home --
if you
want to keep your job. More and more companies, for various reasons,
are starting to not only monitor internet access but files on their
PCs. With the increase in various regulations (Sarbox, HIPPA, etc)
it's in your best interest to really keep your personal, private,
and confidential data on a system that you are the only
administrator of. Note that this is mostly a U.S. thing though the
EU and surely other countries have similar policies. Galen
--

"You know that a conjurer gets no credit when once he has explained
his trick; and if I show you too much of my method of working, you
will come to the conclusion that I am a very ordinary individual after
all." Sherlock Holmes

As has been pointed out already you really can't. The admin can simply take
your account, kill your password, use your encrypted files, and take
ownership of any file they want. Depending on whom you work for or where you
live I'd contend that they CAN do so without prior notice legally. There's
the moral issue but, well, the PC doesn't belong to you. In my country, the
USA, they don't need your permission to look at the computer's files - they
need the permission of the owner of the computer.

One of the main concerns here is that you'd want to be able to allow these
same admins, whom you're trying to keep out, to be able to recover your PC
and it's information in the event of failure. If the problem is trust then
perhaps you need better admins or an established corporate policy dealing
with this. A third party encryption tool (properly used with a strong
password and at least 128 bit encryption) would do you well and if allowed
to be configured/installed would suit your needs. Again, this likely
violates any policy you may have in place or certainly makes the admin's job
more difficult when things go corrupted/kabloey and you need recovery. Who
then, for instance, would you trust to be the person to hold the second copy
of the key for opening these files? The admin or a sticky pad stuck to the
underside of your desk?

Following the directions below, using encryption and file permissions, is
just false security. Any admin worth their salt still has complete access.
It might take an extra two or three minutes to figure out what you've done
but, well, fortunately encrypted files come pre-colored so you know which
ones they are. Grabbing ownership of a file is all of thirty seconds work at
best. Installing a third party encryption tool without sanction from your
boss is a "sackable" offense. Failure to provide a fail-safe should that
encrypted file become corrupt is also a fireable offense too.

The best options are to ask the admin and your supervisor. Write up an email
and CC it to both your boss and the head of your IT Department describing
what you want to do, why, and your goals. Your goals being pretty simple
(and honorable from my perspective) in that you're trying to keep
personal/HR-type data private for the sake of the employees? Explaining that
and finding a compromise is the goal - not complete usurpation of ability
(nor false sense of security) which is sure to result in disciplinary
actions in any reputable business. Please don't think for a minute that I
don't think you're justified in your ideals but rather your methods are
subject to some very basic flaws which I believe I've covered above.

Galen
--

"You know that a conjurer gets no credit when once he has explained his
trick; and if I show you too much of my method of working, you will
come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes

"Robin Tucker" wrote in message
...
Hi,

I would like to be able to log access to my folders from the network.
That is, I want to know when an administrator has accessed my drive. I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit permission.
How can I achieve this?

Thanks,


Robin.

Robin,

I don't think you can log access to folders. I've certainly not come across
a way to do it.

In terms of preventing administrators or any others from accessing your
folders, there are a few options:

1. Use file permissions. Using windows explorer, right click the folder you
want to protect, select properties. Then on the "Security" tab you have
control over who has permissions to view, edit, etc on the folder. To stop
system administrators I think you will need to revoke access to
"Administrators". But review each of the permissions because I think the
logic is to grant access to someone if they have access via any of the
accounts/groups listed. You will also need to consider permissions on the
files themselves. If you can't view or change the security permissions then
its likely that the system administrators have locked this out - after all,
fiddling with the file permissions in say the windows folder and you could
break your system.

2. Encrypt your files. If you have your disk formatted NTFS then you can
encrypt files (file properties general Advanced), but if you encrypt a
file then I think that only you can read it - which isn't any good if you
need to share the file with anyone else.

Hope this helps,

Brian.

www.cryer.co.uk/brian

This is exactly the information I needed. Thankyou very much.

"Brian Cryer" wrote in message
...
"Robin Tucker" wrote in message
...
Hi,

I would like to be able to log access to my folders from the network.
That is, I want to know when an administrator has accessed my drive. I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit
permission. How can I achieve this?

Thanks,


Robin.

Robin,

I don't think you can log access to folders. I've certainly not come
across a way to do it.

In terms of preventing administrators or any others from accessing your
folders, there are a few options:

1. Use file permissions. Using windows explorer, right click the folder
you want to protect, select properties. Then on the "Security" tab you
have control over who has permissions to view, edit, etc on the folder. To
stop system administrators I think you will need to revoke access to
"Administrators". But review each of the permissions because I think the
logic is to grant access to someone if they have access via any of the
accounts/groups listed. You will also need to consider permissions on the
files themselves. If you can't view or change the security permissions
then its likely that the system administrators have locked this out -
after all, fiddling with the file permissions in say the windows folder
and you could break your system.

2. Encrypt your files. If you have your disk formatted NTFS then you can
encrypt files (file properties general Advanced), but if you encrypt a
file then I think that only you can read it - which isn't any good if you
need to share the file with anyone else.

Hope this helps,

Brian.

www.cryer.co.uk/brian

Admins can take ownership of any file. File permissions won't help. =
Admins can reset the user's password and login and access encrypted =
files.

--=20
-------------------------------------------------------------------------=
-------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D
"Brian Cryer" wrote in message =
...
"Robin Tucker" wrote in message=20
...
Hi,

I would like to be able to log access to my folders from the network. =

That is, I want to know when an administrator has accessed my drive. =
I=20
have private/confidential information on my PC and do not want=20
administrators to be able to access it, unless I give explicit =
permission.=20
How can I achieve this?

Thanks,


Robin.
=20
Robin,
=20
I don't think you can log access to folders. I've certainly not come =
across=20
a way to do it.
=20
In terms of preventing administrators or any others from accessing =
your=20
folders, there are a few options:
=20
1. Use file permissions. Using windows explorer, right click the =
folder you=20
want to protect, select properties. Then on the "Security" tab you =
have=20
control over who has permissions to view, edit, etc on the folder. To =
stop=20
system administrators I think you will need to revoke access to=20
"Administrators". But review each of the permissions because I think =
the=20
logic is to grant access to someone if they have access via any of the =

accounts/groups listed. You will also need to consider permissions on =
the=20
files themselves. If you can't view or change the security =
permissions then=20
its likely that the system administrators have locked this out - after =
all,=20
fiddling with the file permissions in say the windows folder and you =
could=20
break your system.
=20
2. Encrypt your files. If you have your disk formatted NTFS then you =
can=20
encrypt files (file properties general Advanced), but if you =
encrypt a=20
file then I think that only you can read it - which isn't any good if =
you=20
need to share the file with anyone else.
=20
Hope this helps,
=20
Brian.
=20
www.cryer.co.uk/brian
=20

Yes indeed they can. But a reset password will give me some indication that
this has been done.

Note: I am not seeking to make sure this information *cannot ever be access
by any administrator at any time*, I am merely wanting such information to
be accessed with my or my managers permission in such circumstances as this
may be neccessary. With this method, my manager can, if required gain
access to the data by asking the administrator to reset the password.



"David Candy" . wrote in message
...
Admins can take ownership of any file. File permissions won't help. Admins
can reset the user's password and login and access encrypted files.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Brian Cryer" wrote in message
...
"Robin Tucker" wrote in message
...
Hi,

I would like to be able to log access to my folders from the network.
That is, I want to know when an administrator has accessed my drive. I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit
permission.
How can I achieve this?

Thanks,


Robin.

Robin,

I don't think you can log access to folders. I've certainly not come
across
a way to do it.

In terms of preventing administrators or any others from accessing your
folders, there are a few options:

1. Use file permissions. Using windows explorer, right click the folder
you
want to protect, select properties. Then on the "Security" tab you have
control over who has permissions to view, edit, etc on the folder. To stop
system administrators I think you will need to revoke access to
"Administrators". But review each of the permissions because I think the
logic is to grant access to someone if they have access via any of the
accounts/groups listed. You will also need to consider permissions on the
files themselves. If you can't view or change the security permissions
then
its likely that the system administrators have locked this out - after
all,
fiddling with the file permissions in say the windows folder and you could
break your system.

2. Encrypt your files. If you have your disk formatted NTFS then you can
encrypt files (file properties general Advanced), but if you encrypt a
file then I think that only you can read it - which isn't any good if you
need to share the file with anyone else.

Hope this helps,

Brian.

www.cryer.co.uk/brian

What's the point of this. It's exactly the same as if you don't do =
anything (you'll kmow if they access it). Talk to your admins, this is =
admins area of professional expertise. And unlike silly girls out of =
their depths they'll consider lots of other factors incl data recovery.





--=20
-------------------------------------------------------------------------=
-------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D
"Robin Tucker" wrote in message =
...
=20
Yes indeed they can. But a reset password will give me some =
indication that=20
this has been done.
=20
Note: I am not seeking to make sure this information *cannot ever be =
access=20
by any administrator at any time*, I am merely wanting such =
information to=20
be accessed with my or my managers permission in such circumstances as =
this=20
may be neccessary. With this method, my manager can, if required gain =

access to the data by asking the administrator to reset the password.
=20
=20
=20
"David Candy" . wrote in message=20
...
Admins can take ownership of any file. File permissions won't help. =
Admins=20
can reset the user's password and login and access encrypted files.
=20
--=20
=
-------------------------------------------------------------------------=
-------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3 D=3D=3D=3D=3D=3D=3D=3D
"Brian Cryer" wrote in message=20
...
"Robin Tucker" wrote in message
...
Hi,

I would like to be able to log access to my folders from the =
network.
That is, I want to know when an administrator has accessed my drive. =
I
have private/confidential information on my PC and do not want
administrators to be able to access it, unless I give explicit=20
permission.
How can I achieve this?

Thanks,


Robin.

Robin,

I don't think you can log access to folders. I've certainly not come=20
across
a way to do it.

In terms of preventing administrators or any others from accessing =
your
folders, there are a few options:

1. Use file permissions. Using windows explorer, right click the =
folder=20
you
want to protect, select properties. Then on the "Security" tab you =
have
control over who has permissions to view, edit, etc on the folder. To =
stop
system administrators I think you will need to revoke access to
"Administrators". But review each of the permissions because I think =
the
logic is to grant access to someone if they have access via any of =
the
accounts/groups listed. You will also need to consider permissions on =
the
files themselves. If you can't view or change the security =
permissions=20
then
its likely that the system administrators have locked this out - =
after=20
all,
fiddling with the file permissions in say the windows folder and you =
could
break your system.

2. Encrypt your files. If you have your disk formatted NTFS then you =
can
encrypt files (file properties general Advanced), but if you =
encrypt a
file then I think that only you can read it - which isn't any good if =
you
need to share the file with anyone else.

Hope this helps,

Brian.

www.cryer.co.uk/brian

=20
=20