A Windows XP help forum. PCbanter


Log access or prevent access to private/confidential information.



 
 
  #16  
Old August 30th 05, 05:42 PM
David Candy
external usenet poster
 
Posts: n/a
Default

You can audit the file but again you have to remember to look or get your admins to automatically write a program to look for you. But this will not add anything (except make working with the file fractionally slower) as you can check the owner to see what admin took ownership from you.

You can't give ownership but can give permissions - so even if an admin looks he can allow you to access the file normally. You must check ownership (r/c file - Properties - Security - Advanced - Owner).

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"David Candy" wrote in message ...
Well it's like that now. He can't access the files secretly. On domains admins don't get permissions to users' accounts. Therefore he has to use special admin powers, but he has to take ownership away from you to do so. You cannot give ownership only take it (so s/he can't set it back). Likewise with passwords, admins can reset but not know what it was so they can't set it the same.

Admins are accountable.

But Windows security only works when it is running. Therefore physical security is essential. Encryption is for computers where physical security cannot be assured (like with laptops). I lock servers in cupboards as the most likely threat is theft of the computer (if you really want some data it is best to steal the computer). But encryption requires plenty of thought from your admins. There are lots of posts here of people forever losing data by encryption.

If he ran a physical network sniffer nothing can stop him. However only admins can install a computer program sniffer (but there are things one can do).

I'm uncertain if your admin is the biggest or smallest security flaw. While he should be sacked least you know who the enemy is, and he CAN'T betray your trust (as you have none in him). More dangerous is someone you trust.

The traditional way to steal secrets is to turn someone if you don't have physical access by some nice man offering compliments, then large cash gifts, until you are compromised. With physical access they will go through your rubbish (at home and work) to look for password/username hints.

I'd bring these issues out into the open as you should not be setting security policy and if you can't trust the admins too ...
--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Robin Tucker" wrote in message ...
Listen, no I'm not trying to hack anything! If I were, my question would be, "how can I gain access to xyz", not "how can I prevent access to xyz".

Also consider that on our system, we do not have such "anal" control. Our 2 System administrators are there to secure our firewall, audit software installed and ensure all users have up to date anti-virus. Their main task is providing network and application support. However, one of these people used to run a "packet sniffer" on the network (before we moved over to switches) in order to snoop on other people's email. This, I might add, was before he was an administrator (he admitted it in the pub one evening so I have been told).

Now, I do not feel comfortable with any information on my system, some of which YES may be personal, being accessible by this "snoop". Company policy does not dictate he audit my machine for anything other than software installed that should not be. So, I want to secure my "Documents and Settings", which may contain among other things, email correspondence between myself and my managers or other colleagues and some confidential documents.

I am mainly interested in preventing casual snooping on my system. I have no interest in locking the administrators out completely.

"David Candy" wrote in message ...
It would be where I live (one cannot change a single byte on a computer without permission or 5 years gaol). Why do you want to ask people who don't know rather than the experts in your company? You can't stop an admin. That's the whole purpose of admins. But nor can the admin do it secretly. One suggestion you have been given I would sack you on the spot as it threatens the survival of the company.

Sure you aren't trying to hack into these files.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Robin Tucker" wrote in message ...

"To take action without their approval could be a criminal offense."

Please, this is completely incorrect. It may be against company policy (in some companies), but it is certainly not illegal. Are you a member of the administrators trades union or something?

--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Robin Tucker" wrote in message ...
Yes, it is company property. No, I am not asking that MY PERSONAL INFORMATION be locked down. The administrators should not have the right to view any/all information, some of which is potentially confidential such as, for example, Personnel Records. No I am not a n00b sitting in a cubicle passing wind every 30 seconds. I am genuinely asking this question, for the purposes of security of personal information. How can we allow administration of a network/domain, but protect information from prying eyes, be they administrators or not.

Thank you.

"Galen" wrote in message ...
In ,
Robin Tucker had this to say:

My reply is at the bottom of your sent message:

Hi,

I would like to be able to log access to my folders from the network. That is, I want to know when an administrator has accessed my drive. I have private/confidential information on my PC and do not want administrators to be able to access it, unless I give explicit permission. How can I achieve this?

Thanks,

Robin.

As has been mentioned by David Candy, ask them. If you have, as it seems, administrators then the implication is that the PC doesn't belong to you. Private/confidential information should not really be kept on property not belonging to you and the company has a right (and perhaps an obligation) to monitor the contents of their property. Given that they're the admins and likely able to access your account at any time (and probably have rules regarding third party software installations) your best bet would be to accept that anything you put on the work computer belongs, by default, to the company or at least gives them rights to access it with or without your consent.

Your personal computing should probably be done at home -- if you want to keep your job. More and more companies, for various reasons, are starting to not only monitor internet access but files on their PCs. With the increase in various regulations (Sarbox, HIPAA, etc) it's in your best interest to really keep your personal, private, and confidential data on a system that you are the only administrator of. Note that this is mostly a U.S. thing though the EU and surely other countries have similar policies.

Galen
--

"You know that a conjurer gets no credit when once he has explained his trick; and if I show you too much of my method of working, you will come to the conclusion that I am a very ordinary individual after all."

Sherlock Holmes




  #17  
Old September 1st 05, 08:51 AM
Brian Cryer
external usenet poster
 
Posts: n/a
Default

"David Candy" . wrote in message
...
You can audit the file but again you have to remember to look or get your
admins to automatically write a program to look for you. But this will not
add anything (except make working with the file fractionally slower) as you
can check the owner to see what admin took ownership from you.

You can't give ownership but can give permissions - so even if an admin
looks he can allow you to access the file normally. You must check ownership
(r/c file - Properties - Security - Advanced - Owner).

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html

Just checked, Admins can grant ownership - at least they can on a Windows
2003 domain.

Brian.

--
www.cryer.co.uk/brian
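
An added example, not part of either poster's message: one way to do in bulk the owner check David Candy describes (r/c file - Properties - Security - Advanced - Owner), which is the kind of "program to look for you" he mentions. It assumes Windows PowerShell 3.0 or later; the function name `Find-UnexpectedOwner` is hypothetical.

```powershell
# Added example, not from the thread. The function name is hypothetical.
# Does the "Properties - Security - Advanced - Owner" check in bulk: lists every
# file and folder under $Root whose NTFS owner is not an account you expect.
function Find-UnexpectedOwner {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,

        # Accounts allowed to own your files (DOMAIN\user form).
        # Default: the account running the script.
        [string[]]$ExpectedOwner = @(
            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        )
    )

    # Include the root folder itself, then everything below it (hidden too).
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $owner = (Get-Acl -LiteralPath $item.FullName -ErrorAction Stop).Owner
        }
        catch {
            # Failing to read the ACL on your own file is itself worth reporting.
            $owner = '<unreadable>'
        }

        # -notcontains compares case-insensitively, so DOMAIN\User matches domain\user.
        if ($ExpectedOwner -notcontains $owner) {
            [pscustomobject]@{ Path = $item.FullName; Owner = $owner }
        }
    }
}

# Scan the current user's documents folder and print anything unexpected.
$docs = [Environment]::GetFolderPath('MyDocuments')
Find-UnexpectedOwner -Root $docs | Sort-Object Path | Format-Table -AutoSize
```

An owner check only shows an ownership change that is still in place; if ownership can be granted back, as Brian reports for a Windows 2003 domain, only auditing on the file would record the access. If your own account is in the Administrators group, files you create may already be owned by that group, so pass it in `-ExpectedOwner` as well.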


  #18  
Old September 1st 05, 10:19 AM
David Candy
external usenet poster
 
Posts: n/a
Default

Type sc in help.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Brian Cryer" wrote in message ...
"David Candy" wrote in message ...
You can audit the file but again you have to remember to look or get your admins to automatically write a program to look for you. But this will not add anything (except make working with the file fractionally slower) as you can check the owner to see what admin took ownership from you.

You can't give ownership but can give permissions - so even if an admin looks he can allow you to access the file normally. You must check ownership (r/c file - Properties - Security - Advanced - Owner).

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html

Just checked, Admins can grant ownership - at least they can on a Windows 2003 domain.

Brian.

--
www.cryer.co.uk/brian

  #19  
Old September 1st 05, 10:20 AM
David Candy
external usenet poster
 
Posts: n/a
Default

That was meant for another thread.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Brian Cryer" wrote in message ...
"David Candy" wrote in message ...
You can audit the file but again you have to remember to look or get your admins to automatically write a program to look for you. But this will not add anything (except make working with the file fractionally slower) as you can check the owner to see what admin took ownership from you.

You can't give ownership but can give permissions - so even if an admin looks he can allow you to access the file normally. You must check ownership (r/c file - Properties - Security - Advanced - Owner).

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html

Just checked, Admins can grant ownership - at least they can on a Windows 2003 domain.

Brian.

--
www.cryer.co.uk/brian

  #20  
Old September 1st 05, 11:21 AM
Brian Cryer
external usenet poster
 
Posts: n/a
Default


"David Candy" . wrote in message
...
That was meant for another thread.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================

Your newsgroup client should let you delete messages.

Brian.

--
www.cryer.co.uk/brian


  #21  
Old September 1st 05, 11:50 AM
David Candy
external usenet poster
 
Posts: n/a
Default

It only works 5% of the time (and as it's time consuming to check I haven't been able to cancel for a year since I canceled some MS employees' posts so I suspect it's now 0%), assuming it's still supported. Remember you are only getting a copy on usenet of this Microsoft owned peer support group.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================
"Brian Cryer" wrote in message ...

"David Candy" wrote in message ...
That was meant for another thread.

--
--------------------------------------------------------------------------------------------------
http://webdiary.smh.com.au/archives/...nt/001075.html
=================================================

Your newsgroup client should let you delete messages.

Brian.

--
www.cryer.co.uk/brian

 





All times are GMT +1. The time now is 08:05 PM.

