Re: Co-Administrator




"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:eNEFwGaQIHA.536@xxxxxxxxxxxxxxxxxxxxxxx
tatat wrote:
Using the built in Encrypting File System (EFS) it's possible to
restrict access to the point that administrators cannot read the
files without the proper account password. Learning curve is a bit
steep. Practice on a workstation until you get the hang of it.


Leaks like a sieve. All the admin (or anyone else) needs is one of the
encrypting certs or the recovery cert. Oh, and the admin is also the
Certificate Authority Manager, so exporting any cert issued by it is
trivial.

Not that it's not possible, just that using the built-in CA still has
the Domain Admin in control (by default).



Best practices for the Encrypting File System:

http://support.microsoft.com/kb/223316



"Charles" <Charles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07ECA812-C39E-4A01-83B2-9A864524AB34@xxxxxxxxxxxxxxxx
Hi,

I would like to grant admin rights to a young colleague so that he
can help me with all the IT stuff. Problem: there are certain shared
folders containing sensitive info that he cannot access now -- and I
would like it to stay that way. Is there a simple way to give him
enough rights to do the IT admin work, while keeping him from given
shared folders?

So far this is what has kept me from granting him admin rights, so
any help appreciated;

Charles

--
/kj

Leaks like a sieve only if implemented incorrectly hence my comment about
the learning curve. Documentation is readily available. A couple of
necessary steps are the designation of a data recovery agent with the EFS
certificate/key exported to a removable device, same with the EFS
certificate/key of the administrator account. Then delete them from the
server.

The EFS encrypted files are no longer readable by the Administrator or data
recovery agent accounts until the certificate/key is re-imported (marked as
not exportable for an extra layer of security, then deleted at the end of a
recovery session).

If you know of a way to bypass the security built in to EFS when used as
documented please post here. I would like to test it.
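
An added example, not part of the original thread: a PowerShell check for the export-then-delete step described in the post above, listing certificates that carry the EFS or File Recovery enhanced key usage and flagging any whose private key is still resident on the machine. The function name `Get-EfsKeyMaterial` is hypothetical, and the script assumes it is run in the session of the account being checked, since `Cert:\CurrentUser\My` only shows that account's store.

```powershell
# EKU OIDs for Encrypting File System and File Recovery (data recovery agent).
$ekuNames = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'EFS'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery (DRA)'
}

# Hypothetical helper: returns one object per certificate usable for EFS or recovery.
function Get-EfsKeyMaterial {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Only certificates with an explicit EKU extension are considered here.
            $ekuExt = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            if (-not $ekuExt) { continue }
            $roles = @($ekuExt.EnhancedKeyUsages |
                Where-Object { $ekuNames.ContainsKey($_.Value) } |
                ForEach-Object { $ekuNames[$_.Value] })
            if ($roles.Count -eq 0) { continue }
            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                Role          = $roles -join ', '
                HasPrivateKey = $cert.HasPrivateKey   # True = key was not removed
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

$found    = @(Get-EfsKeyMaterial)
$resident = @($found | Where-Object { $_.HasPrivateKey })
$found | Format-Table -AutoSize

if ($resident.Count -gt 0) {
    Write-Warning "$($resident.Count) EFS/recovery private key(s) still present in the stores checked."
} else {
    Write-Output 'No EFS or recovery private keys found in the stores checked.'
}
```

A certificate listed with `HasPrivateKey` false is public-only and cannot decrypt; `cipher /c <file>` on an encrypted file shows which user and recovery certificates that file was actually encrypted to.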

