Re: Keep admins off of client machines

---

• From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
• Date: Fri, 30 Dec 2005 16:50:21 +1100

---

though I agree with the argument here (see my other contribution to the
thread), and particularly that 'sensitive information' should be on the
server rather than the workstation, I must point out that if it is on the
server, and you wish it to be backed up, then 'god' (note, no caps) will
have access to it anyway.

Matter of fact, 'nother point, log onto the server as a domain admin and
from start/run type in \\workstation_name\c$, that admin doesn't need to
visit each workstation to compromise data on them.

"Leythos" <void@xxxxxxxxxxx> wrote in message
news:oj3tf.91824$lh.2192@xxxxxxxxxxxxxxxxxxxxxxxxx
> In article <urp8i3PDGHA.812@xxxxxxxxxxxxxxxxxxxx>,
> nickmirro@xxxxxxxxxxxxxx says...
>> We have an SBS admin, a Sharepoint admin and 2 others who go between our
>> SBS
>> and local Linux server. Those helping administer the servers should not
>> have access to client machines as they contain patient records,
>> proprietary
>> applications, etc. How can we prevent transient adminstrators with admin
>> status from logging onto client machines (unless essential) since those
>> machines contain sensitive data?
>
> And admin should be trusted enough to have access to those machines, and
> the local machines SHOULD NOT have patient records on them - those
> records belong on a Server in a Database of some type, with NO LOCAL
> FILE's on the workstations.
>
> If you don't trust your Admin's, fire them and get ones you do trust.
>
> While you can block and admin, you can't keep them out, that's why they
> are admins.
>
> --
>
> spam999free@xxxxxxxxxx
> remove 999 in order to email me


.

---

• References:
  • Keep admins off of client machines
    • From: Nick

• Prev by Date: Re: Can't change security policy
• Next by Date: Re: Keep admins off of client machines
• Previous by thread: Re: Keep admins off of client machines
• Next by thread: Re: Keep admins off of client machines
• Index(es):
  • Date
  • Thread

---

Relevant Pages fileshare access by machines on LAN but not joined to domain ... The SBS box is to be a fileserver to machines on the LAN (which are ... In addition to the admin account on the server, ... My initial attempt at creating and sharing files to mobile user accounts was ... Admin, and created the share using the Server Management "Manage Shared ... (microsoft.public.windows.server.sbs) Re: Secure host newbie - fun - humm ... decision, as the admin, whether or not to take down the server. ... Listen, as a security specialist, I *know* that every single box that I, ... some level of risk and that there is no "100% I'm secure" level. ... (Security-Basics) Re: Server Operator Role ... domain admin and then keep in mind that a domain admin can get Enterprise Admin ... Joe Richards Microsoft MVP Windows Server Directory Services ... The server operator role allows ... the group cannot run the TS Policy. ... (microsoft.public.win2000.active_directory) Re: Two Server Setup Question. ... That external trust factor thing ... get your admin domain up first. ... Microsoft Certified Trainer, Microsoft MVP - Windows ... Microsoft Windows & SQL Server Advisory Panel Member ... (microsoft.public.windows.server.setup) Re: Two Server Setup Question. ... That external trust factor ... get your admin domain up first. ... Microsoft Certified Trainer, Microsoft MVP - Windows ... Microsoft Windows & SQL Server Advisory Panel Member ... (microsoft.public.windows.server.setup)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)