Protect files on NTFS volume from Domain Administrators

Solution 1:

First off, you have to trust your admins. If you don't, they shouldn't have this job or these privileges. The company trusts the finance or HR person that has access to this data, so why not the IT staff? Remind them that the admins have the ability to trash the production environment every day, yet choose not to. It is important that management sees this issue clearly.

Next, as @sysadmin1138 says, remind admins that access does NOT equal permission.

That said, we do not grant domain admins access to file shares by default. They are removed and in their place three ACL groups (Read, Write, Admin) for each share's NTFS permissions. No one is in the ACL Admin group by default, and membership of those groups is monitored.

Yes, domain admins can take ownership of those files, but it leaves a trail. Audit is important. Ronald Reagan called this "trust, but verify". People should know you are checking.

Finally, start removing people from domain admins. AD permissions are too easy to granularize today; there is no reason not to do so. Give people admin access to the servers or services they manage, not everything.
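
The share model this answer describes, as an added PowerShell example (not code from the original answer): one domain-local group per access level on the share's NTFS ACL, Domain Admins and BUILTIN\Administrators left off the DACL entirely, and a check that the Admin group is still empty. The share name, path, OU and the ACL_<share>_<level> naming convention are assumptions, and the script needs the RSAT ActiveDirectory module on a domain-joined file server.

```powershell
# Added example, not from the original answer. Assumptions: share 'Finance' at
# D:\Shares\Finance, ACL groups created under a hypothetical OU, RSAT AD module present.
Import-Module ActiveDirectory

$share  = 'Finance'
$path   = "D:\Shares\$share"
$ou     = 'OU=ACL Groups,DC=corp,DC=example'   # hypothetical OU
$domain = (Get-ADDomain).NetBIOSName

# 1. One domain-local security group per access level, named after the share.
$groups = @{
    Read  = "ACL_${share}_Read"
    Write = "ACL_${share}_Write"
    Admin = "ACL_${share}_Admin"
}
foreach ($g in $groups.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ou
    }
}

# 2. Rebuild the DACL from scratch: stop inheritance (dropping inherited ACEs),
#    clear what is left, then add only the three ACL groups and SYSTEM.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rights  = @{
    "$domain\$($groups.Read)"  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    "$domain\$($groups.Write)" = [System.Security.AccessControl.FileSystemRights]::Modify
    "$domain\$($groups.Admin)" = [System.Security.AccessControl.FileSystemRights]::FullControl
    'NT AUTHORITY\SYSTEM'      = [System.Security.AccessControl.FileSystemRights]::FullControl
}
foreach ($kv in $rights.GetEnumerator()) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $kv.Key, $kv.Value, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 3. Verify that no admin group crept back onto the DACL.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -match 'Domain Admins|Administrators' } |
    ForEach-Object { Write-Warning "Unexpected ACE: $($_.IdentityReference) $($_.FileSystemRights)" }

# 4. Membership monitoring: the Admin group is expected to be empty, so any
#    member (direct or nested) is worth an alert. Run this on a schedule.
$members = Get-ADGroupMember -Identity $groups.Admin -Recursive
if ($members) {
    Write-Warning "$($groups.Admin) should be empty but contains: $($members.SamAccountName -join ', ')"
}
```

Step 2 is deliberately destructive (it throws away whatever DACL was there), so run it on a test folder first. It does not stop a domain admin from taking ownership, which is the answer's point: that path stays open and is what the audit trail is for.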

Solution 2:

I have seen it handled two ways:

  1. Make the IT staff sign something swearing them to Dire Consequences should it ever be revealed that they accessed the file locations in question without explicit authorization from someone authorized to grant such access.
  2. The data is moved to a storage device not accessible by the IT staff.

Both have their problems, of course. The first method is what my prior two jobs at large organizations elected to follow. The reasoning was basically:

Access and Authorization are different things. If they access this data without authorization, they're in big, big trouble. Also, these are people who already have access to vast swaths of data for which they're not authorized, so it's not a new problem for them. Therefore, we will trust them to keep out and be professional about it.

This is one reason why people in our jobs tend to be subject to background checks.

This was highlighted when someone from HR itself started a work proceeding, and the IT staff was called in to set up the permissions to block that user from the file locations where the proceedings were documented. Even though such proceedings are confidential from IT, we were specifically invited in to set up the right excludes.

That was a case of explicit conflict of interest.

The second option is typically followed by departments without consultation of IT. 10 years ago this drive to protect data from the all-seeing eye of the presumed BOFH caused people to put critical data on their workstations' drives and share the directories between each other in the department. These days, this could be something as simple as a shared Dropbox folder, Microsoft SkyDrive, or something else along those lines (mmmm, exfiltration of company data to unvetted third parties).

But if management has seen the problem and talked to everyone about it, every instance I've been involved with or near has come down to, "We trust these people for a reason, just make sure they're fully aware of the access policies and move on."

Solution 3:

I have five potential solutions, four of which are technical.

(1) Create an AD Forest and another domain specific to privileged information. Repeat as needed to cover specific communities of interest. This will add a new role above the domain admins - enterprise admins that can be further segregated and even subdivided.

Pros:

  • Easy
  • Limits roles
  • Can better enable AD structure to emulate organizational structure

Cons:

  • Slight complexity
  • Still have a super-powered admin, just fewer of them.

(2) Create a stand-alone server with no trust relationship apart from individual users

Pros:

  • Easy
  • Limits roles

Cons:

  • Slight complexity
  • Will have one admin controlling it
  • Maintenance

(3) Procure one of the different network vault types of products, example being Cyber-Ark. These products are specifically designed for the use-case you are discussing.

Pros:

  • More enterprise oriented
  • Can be very user friendly

Cons:

  • Cost
  • Still have some super admins likely for the vault.

(4) Place all information inside databases, then use strong encryption to encrypt all database content, or use a full disk encryption product to better control the filesystem access along with (1) and/or (2) above. Augment this with a policy to disallow cleartext removal of database content and require reports to stay within the database. The encryption product can include strong encryption modules such as FIPS 140-2, and can be a physical device too, such as a hardware security module (HSM).

Pros:

  • Can achieve military levels of security
  • Best fits your needs for tape and disk protection
  • Greater information protection in case you get hacked

Cons:

  • Less flexible
  • Impacts user activities significantly!
  • Requires a crypto role or security person

(5) Security Control Compensation - beef up your personnel security controls such as adding insurance against a breach of information, adding certain two-person requirements (can be done many different ways), another role (security admin), or more background checking. More creative options would be including a golden parachute that would kick-in after departure from the company with no breach of information a year after resignation/firing, or more attention given to keeping the admins happy in general via some special perks with ties to these personnel requirements.

Pros:

  • May best address the problem of the insider issue
  • Incentivizes good behavior
  • Can enhance the company's relationship with key administrators
  • Can lengthen personnel tenures with the company if done right

Cons:

  • So many options for doing this
  • Cost

Solution 4:

Once someone has administrative rights all bets are off as far as the security goes. This is exactly why administrators need such a high level of trust - there are always ways around any kind of blocks that can be put in place.

All you can really do is separate duties and set up a checks and balances system.

For example, you could use a secondary logging system (like Splunk or a Linux syslog server) that only your president / whoever has access to and configure file auditing for your secure directories.

Remove the administrators from the ACLs and forward changes to the ACL to the log server. It won't stop the event from happening but you will have a definite log of who changed the permissions when and how.

The more of these blocks you put in place the more likely you are to have someone stumble on one of them.
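
The audit trail this answer describes, as an added PowerShell example (not code from the original answer): a SACL on the secure directory that records permission changes, ownership changes and deletes, the audit subcategory that makes those entries produce events, and a query that pulls the resulting Security-log events in the shape a forwarder to the separate log server would ship. The path is an assumption; the script must run elevated on the file server, since writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example, not from the original answer. Assumption: the secure
# directory is D:\Shares\Finance; run elevated on the file server itself.
$path = 'D:\Shares\Finance'

# 1. Enable the "File System" object-access subcategory; without it the SACL
#    below is recorded but never produces events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: audit everyone (admins included) who changes the DACL, takes
#    ownership, or deletes. -Audit is needed so Get-Acl reads the SACL.
$acl = Get-Acl -Path $path -Audit
$watched = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Delete, DeleteSubdirectoriesAndFiles'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $watched,
    'ContainerInherit, ObjectInherit', 'None',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Pull the last day's events for this path. 4670 = permissions on an object
#    were changed (carries the old and new security descriptor as SDDL);
#    4663 = an attempt was made to access an object with one of the audited rights.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$path*" } |
    ForEach-Object {
        # Parse the EventData fields out of the event XML by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Who     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Process = $d.ProcessName
            Detail  = if ($_.Id -eq 4670) { "DACL $($d.OldSd) -> $($d.NewSd)" } else { "AccessMask $($d.AccessMask)" }
        }
    } | Format-Table -AutoSize
```

The query is only for checking the trail locally. In the setup the answer describes, the same events are collected by the Windows Event Forwarding subscription or syslog/Splunk agent that the admins cannot reach, because an administrator of the file server can clear its local Security log (which itself leaves event 1102, but only in the log that was just cleared).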

Solution 5:

You should be aware that a person with that level of privilege can access data on Windows file shares regardless of the security permissions of the files/folders. This is due to the privileges that can be conferred in Windows when the "Backup Files and Directories" right is available.

With that right, someone can simply backup the files, and restore them to another location. And for extra credit, they could do it as a scheduled task running as system so it would be less than obvious during an audit. If that were not an option, they may have access to the backup system, and could restore the data from there to a location that may not be audited.

Without EFS, you may not be able to rely on the file system to guarantee confidentiality, permissions, auditing, or otherwise.

The SkyDrive option that sysadmin1138 mentioned sounded good to me for documents. The number of documents that are truly sensitive is usually quite small, and SkyDrive gives you 7 GB for free (2 GB file max). For an accounting system, that data should be protected in a real database by some level of encryption, and authentication that would not allow a Windows administrator access.
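
The backup-privilege bypass this answer describes, as an added PowerShell example (not code from the original answer): first list which principals on the server hold SeBackupPrivilege (the "Back up files and directories" right), then show that a member of Backup Operators with no ACL entry on the folder can still copy it with robocopy in backup mode, which opens files with backup semantics instead of the DACL. The path and the test account are assumptions; the secedit export needs an elevated prompt.

```powershell
# Added example, not from the original answer. Assumptions: C:\Secure\HR is a
# folder whose DACL does not grant the test account anything; the test account
# is a member of Backup Operators; step 1 runs elevated on the server.

# 1. Who holds SeBackupPrivilege on this machine? secedit exports user rights
#    as "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551" (SIDs prefixed with *).
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeBackupPrivilege\s*=' }
$sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
$holders = foreach ($sid in $sids) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # unresolvable SID: print it raw
}
"Principals holding SeBackupPrivilege: $($holders -join ', ')"
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 2. As the Backup Operators test account: confirm the right is present (it shows
#    as Disabled until a program enables it), then copy the folder in backup mode.
whoami /priv | Select-String 'SeBackupPrivilege'
robocopy C:\Secure\HR (Join-Path $env:TEMP 'hr-copy') /E /B /NP /NJH /NJS
# The same robocopy without /B fails with "Access is denied" for that account,
# because without backup semantics the DACL is enforced.
```

Default members of Backup Operators and Administrators (S-1-5-32-551 and S-1-5-32-544) both hold this right, so step 1 usually returns those two groups and anything a GPO added. Use of the backup and restore privileges is not audited by default even with privilege-use auditing enabled; the security option "Audit: Audit the use of Backup and Restore privilege" has to be turned on before a copy like the one above shows up as a privileged-object event, which is the point the answer makes about such a copy being less than obvious during an audit.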