|
Posted by Roger Abell [MVP] on September 4, 2008, 9:19 pm
If you were Registered and logged in, you could reply and use other advanced thread options
My response is not changed.
If you could take away take ownership rights for only that folder (you
cannot) the admins could still use the ntbackup back app and then restore
the data somewhere else and look at it.
Your solution is in controlling to where the information is persisted when
it gets stored by the application. The filesystem alone will not meet the
needs you have defined.
Roger
> Roger,
>
> I hear what your saying dont get me wrong. The problem isnt where the
> data
> is held it's the data is generated on this machine. Backup and restore
> isnt
> an issue as the data is not being backed up here. Suonds stupid I know.
> All
> that matter is the data is generated by user who is authorised to log onto
> the machine (these are the people who have access to the folder I want to
> restrict from local admins), they run an app which generates some data and
> then they grab that data and logoff. I need to be sure anyone in local
> admin
> group cannot just take ownership and give themselves access to the folder
> and
> therefore the app. And beofre you ask there is no access control built
> into
> the app otherwise I would use that.
>
> "Roger Abell [MVP]" wrote:
>
>> >I know this is a dumb question but i have to ask. Is there anyway I can
>> > restrict members of a XP desktops local administrator group from taking
>> > ownership of a folder. I have given a group access to a folder on a XP
>> > machine and then taken the local administrators group access to the
>> > same
>> > folder away. I want to ensure that local administrators cannot come
>> > along
>> > and elevate their own privilleges by taking ownership.
>> >
>> > The folder holds very sensitive data that adminis are not allowed to
>> > access
>> > however they need local admin rights for some other reasons e.g.
>> > applying
>> > patches and general admin. Is there another group on these desktops
>> > that
>> > can
>> > be used for admin purposes like the Server Operators group for servers?
>>
>> That is not your solution. If the data is that sensitive and the admins
>> are
>> not
>> sufficiently trusted, then find a different place to hold the data or use
>> rights
>> management, encryption, or some other means to protect the data.
>> You may remove the ability of members of the Administrators group to take
>> ownership, but it is all or none, not something you may selectively
>> remove
>> for just the one folder. Anyway, removing that right would not prevent
>> them
>> from getting at the data (consider the backup/restore route).
>>
>> Roger
>>
>>
>>
| 
XML site map