Protect files on NTFS volume from Domain Administrators


ANSWER:

I have seen it handled two ways:

  1. Make the IT staff sign something swearing them to Dire Consequences should it ever be revealed that they accessed the file locations in question without explicit authorization from someone authorized to grant such access.
  2. The data is moved to a storage device not accessible by the IT staff.

Both have their problems, of course. The first method is what my prior two jobs at large organizations elected to follow. The reasoning was basically:

Access and Authorization are different things. If they access this data without authorization, they’re in big, big trouble. Also, these are people who already have access to vast swaths of data for which they’re not authorized, so it’s not a new problem for them. Therefore, we will trust them to keep out and be professional about it.

This is one reason why people in our jobs tend to be subject to background checks.

This was highlighted when someone from HR itself started a work proceeding, and the IT staff was called in to set up the permissions to block that user from the file locations where the proceedings were documented. Even though such proceedings are confidential from IT, we were specifically invited in to set up the right excludes.

That was a case of explicit conflict-of-interest.

The second option is typically followed by departments without consultation of IT. 10 years ago this drive to protect data from the all-seeing-eye of the presumed-BOFH caused people to put critical data on their workstation’s drives and share the directories between each other in the department. These days, this could be something as simple as a shared DropBox folder, Microsoft SkyDrive, or something else along those lines (mmmm, exfiltration of company data to unvetted third parties).

But if management has seen the problem and talked to everyone about it, every instance I’ve been involved with or near has come down to, “We trust these people for a reason, just make sure they’re fully aware of the access policies and move on.”

by sysadmin1138 from http://serverfault.com/questions/387660
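An added example (not part of sysadmin1138's answer) of the two NTFS-side controls the answer touches on: an explicit Deny ACE that excludes one named user from the proceedings folder, and an audit entry so that any access by Domain Admins lands in the Security log, which is what makes the "Dire Consequences" policy enforceable. The folder path and account names are assumed placeholders.

```powershell
# Added example, not from the original answer. Run as an administrator holding
# SeSecurityPrivilege (needed to write the SACL). Names below are placeholders.
$Folder  = 'D:\HR\Proceedings'        # assumed confidential folder
$Blocked = 'CONTOSO\jdoe'             # assumed user who must be excluded
$Audited = 'CONTOSO\Domain Admins'    # group whose access should be logged

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# 1. Explicit Deny ACE. Deny entries are evaluated before Allow entries, so an
#    Allow inherited through group membership cannot override this exclusion.
$acl  = Get-Acl -Path $Folder
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Blocked, 'FullControl', $inherit, $prop, 'Deny')
$acl.AddAccessRule($deny)
Set-Acl -Path $Folder -AclObject $acl

# 2. Audit ACE (SACL). A Domain Admin can still take ownership or rewrite the DACL,
#    so the useful control is that doing so, or reading the files, leaves a record.
#    -Audit is required for Get-Acl to return the SACL part of the descriptor.
$sacl  = Get-Acl -Path $Folder -Audit
$audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Audited,
    'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership',
    $inherit, $prop, 'Success, Failure')
$sacl.AddAuditRule($audit)
Set-Acl -Path $Folder -AclObject $sacl

# 3. The SACL only generates events when the "File System" object-access
#    subcategory is enabled; matching accesses then appear as event 4663 and
#    permission changes as event 4670 in the Security log.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

Forward the Security log to a collector the same administrators cannot clear, otherwise the audit trail depends on the people it is meant to watch.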