
I am looking for a solution to allow storing files with sensitive information on a remote server in such way that system administrators could not access the data.

In the first case the server would host an application working with the sensitive data, so users should use RDP to run it. In the second case users only need to access their shared folders.

I would prefer the server to remain within our AD infrastructure for the convenience of maintenance, etc. So admins could log in to the server, do anything but access the sensitive information (they may know about its presence though).

The solution I thought of is using TrueCrypt on a Windows 2003 terminal server, but when encrypted volumes are mounted they behave just like normal Windows volumes - meaning, admins have access to them.

I also thought of putting the server out of domain into a workgroup - then I can set up local user accounts and manage permissions accordingly. This, however, would add some complications in terms of maintenance.

I would appreciate your advice.

5 Answers


This cannot be done, in any true meaning anyway.

If you don't trust the administrators you're out of options - there's always a way for them to get to the data in the described scenarios as they control your hardware (client and/or server) and your infrastructure.

Regulate access through written policy.

Oskar Duveborn
  • +1 - If you don't trust your admins, find new ones. – Kevin Garber Nov 11 '09 at 15:03
  • Well, let's say I can trust one of the admins - someone has to set it up :) What are the options to keep other admins from accessing the data? – kdl Nov 11 '09 at 15:07
  • A bunch of well-formulated words on some pieces of paper with their signatures on it? – Oskar Duveborn Nov 11 '09 at 15:16
  • If you trust ONE admin, give him more privileges than the others, then you only have to trust HIM, and not the rest. It's always a good idea to restrict true admin access down to the fewest number of people. – Satanicpuppy Nov 11 '09 at 15:58
  • +1 for Kevin and .. puppy. Also: Make your admins sign NDAs. – pauska Nov 11 '09 at 16:02

Admins need access to data, even if for nothing else than backup and restore. What you need to do is trust your admins a certain amount, and make the consequences for abusing that trust high and definite. As an admin you have a lot of power and access; your trustworthiness is one of your job's requirements, and gross misconduct/suspension/dismissal type charges are wholly justified for abusing the trust placed in you.

For our servers that have this kind of scenario, rather than totally restricting the folders, the permissions (for the server admins) are set the same as on other, equivalent servers, so that the admins can still get their job done when needed. What we do is audit and log everything that happens on that server, and make that log available to the users/person responsible for the data.

Need to go on that server's console? Do you really? Can you justify it to the data owner? Fine, then go on there.

Need to modify files in one of the data directories? Do you really? Can you justify it to the data owner? Fine, then go ahead and make the changes.

There's an emergency that means you need to get on the server and make changes at 2am? No problem, you have the necessary access; just realise that your actions will be scrutinised in the morning.

Of course, auditing and logging is only really effective if there's accountability and identifiability. You need to ban the use of all generic admin accounts and issue each admin a personalised account with the permissions their job needs (something like Admin_BloggJ or John.Doe.Admin).

We use a piece of software called LT Auditor to create the audit logs, and have it set to print out the reports daily. We have users that pore through that religiously and take glee in spotting any unusual access and reporting it. This is a big deterrent!

  • -1. Factually wrong. This issue has been solved a long time ago on systems like Windows. C2 security explicitly includes securing the files from admins. Backups work through special interfaces for software that does not allow viewing the data content. Admins do not need access to data holding areas for most of their job. There are many legal areas where this is a requirement and some operating systems that implement those features. – TomTom Jan 27 '12 at 15:24
  • @TomTom We obviously have different understandings of my writing and what C2 is. I'm aware that backups generally use features like System accounts, shadow copies, etc. Backups were an example that people are familiar with. C2 access (and filesystems like NTFS) use an Ownership mechanism for data. Administrators can always use taking Ownership as a way to re-permission and gain access to files; you want accountability, auditing and trust to prevent any problems with that. C2 specifically talks about accountability (using named, non-generic admin accounts) and auditing as a way to notify owners. – GAThrawn Jan 31 '12 at 14:12
  • Taking ownership entails... deleting the current security context of a file AND LEAVING AN ADMIN TRAIL. Important: Admins can not ASSIGN ownership back. The trick here is that "take ownership without needing the file and having approval" is a firing-level offense in some businesses (criminal, actually, in some) and the admin can not hide it. – TomTom Jan 31 '12 at 14:25
  • @TomTom re-read what I've said; that's exactly the auditability and accountability that I'm talking about, and making it a firing type offence is mentioned in my first paragraph. – GAThrawn Jan 31 '12 at 14:49
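As an added example (not code from the answer, and not LT Auditor's or the Windows event log's format), the daily review described above in Python: every touch of the sensitive directory by a personalised admin account is collected into a per-admin report for the data owner, ownership/permission changes are flagged, and any use of a generic admin account is flagged as a policy violation. The log lines, share path and account naming convention are constructed for the example.

```python
"""Daily admin-access review for a sensitive share (added example)."""
import re
from collections import defaultdict

# Constructed sample audit lines: "<timestamp> <DOMAIN\\account> <action> <path>".
# Not a real product's log format; built only to exercise the review logic.
SAMPLE_LOG = """\
2009-11-11T02:05:13 CORP\\John.Doe.Admin READ \\\\srv1\\Finance\\payroll.xlsx
2009-11-11T02:06:40 CORP\\John.Doe.Admin TAKE_OWNERSHIP \\\\srv1\\Finance\\payroll.xlsx
2009-11-11T09:12:01 CORP\\Administrator READ \\\\srv1\\Finance\\budget.doc
2009-11-11T10:30:55 CORP\\jsmith READ \\\\srv1\\Finance\\budget.doc
2009-11-11T11:00:00 CORP\\Admin_BloggJ WRITE \\\\srv1\\Public\\notice.txt
"""

SENSITIVE_PREFIX = r"\\srv1\Finance"          # assumed location of the sensitive data
GENERIC_ADMIN_ACCOUNTS = {"administrator", "admin", "root"}
# Personalised admin naming convention from the answer: Admin_BloggJ or John.Doe.Admin.
PERSONAL_ADMIN = re.compile(r"(^admin_|\.admin$)", re.IGNORECASE)
# Actions that re-permission data and therefore always warrant the owner's attention.
HIGH_RISK_ACTIONS = {"TAKE_OWNERSHIP", "PERMISSION_CHANGE"}


def parse_line(line):
    """Split one audit line into a dict; the path may contain spaces."""
    ts, account, action, path = line.split(" ", 3)
    _domain, _, user = account.rpartition("\\")
    return {"ts": ts, "user": user, "action": action, "path": path}


def build_report(log_text):
    """Return findings (policy violations) and per-admin access lists."""
    findings = []
    per_admin = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Generic accounts are banned outright: no accountability, flag wherever they appear.
        if ev["user"].lower() in GENERIC_ADMIN_ACCOUNTS:
            findings.append(("generic_account", ev))
        if not ev["path"].lower().startswith(SENSITIVE_PREFIX.lower()):
            continue
        if PERSONAL_ADMIN.search(ev["user"]):
            per_admin[ev["user"]].append(ev)       # goes to the data owner's daily report
            if ev["action"] in HIGH_RISK_ACTIONS:
                findings.append(("high_risk", ev))  # ownership change: justify it to the owner
    return {"findings": findings, "per_admin": dict(per_admin)}


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for kind, ev in report["findings"]:
        print(f"{kind:16} {ev['ts']} {ev['user']} {ev['action']} {ev['path']}")
    for user, events in report["per_admin"].items():
        print(f"{user}: {len(events)} access(es) to {SENSITIVE_PREFIX}")
```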

My quest in the field of computers will end when I find an answer to this question!

I am afraid that this is not possible with the current implementations.

Born To Ride

I was going to say that for your second case, if the files on the share are encrypted it would be hard for the admins to get access. But even then, they could just install a keylogger to find the password. So Oskar's answer stands: policy is the only option.

Ward - Reinstate Monica

Easiest is to archive the data with a long, strong password. But that will only buy you some time...
