Steven
Thu Sep 22 12:28:30 CDT 2005
They probably need to be local administrators, though installation of Windows
security updates can be automated and software installation can be automated
via Group Policy Software Installation for .msi applications that use
Windows Installer. For Windows XP computers, users can be added to the
Network Configuration Operators group to allow a user to change networking
and TCP/IP settings without being local administrators.

It is difficult to prevent an administrator from accessing any data on the
computer they are an administrator on. Even if they do not have the proper
NTFS permissions, they can always take ownership of a folder to give
themselves the necessary permissions. To avoid that being easily
detected, they could use backup and restore to access the data, which would
avoid detection unless auditing had been configured so that the backup and
restore would show in the security log; but then an administrator can also
clear the security logs.

The only way to make sure that they do not access files that they should not
is to encrypt the files, enforce the use of strong/complex passwords in
the domain, and disable storage of LM hashes on domain computers so that a
local administrator [legitimate or not] is not successful in cracking the
user's password. Windows XP Pro workstations can use EFS to encrypt files.
EFS is something that should not be done, however, without thorough planning
and education of the users, and a domain Recovery Agent must be configured.
That would allow "domain" administrators to recover a domain user's data and
prevent a local administrator from configuring his account to be the
local Recovery Agent in order to access EFS files on that computer. There is
no need for support staff for domain computers to be domain-level
administrators. Domain-level administrators should never log on to a domain
workstation with their domain administrator credentials other than known
secure admin workstations, due to risks of keyboard loggers and such. See
the links below if you are interested in using EFS. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/default.mspx
"WWII" <WWII@discussions.microsoft.com> wrote in message
news:989C9D23-0F18-4F7F-BAEC-7323F4C61459@microsoft.com...
> I am an IT auditor for an internal audit department. Our company uses Active
> Directory with Windows 2000 and 2003 servers and XP Pro workstations.
> Currently our IT support personnel have admin access to servers and
> workstations. My question is: Is there a way to allow the IT support
> personnel to do their job while restricting access to user data? The IT
> support people need to apply upgrades, install software, etc. We want to
> allow them to do this but restrict their access to user data in the Docs &
> Settings folder on the workstations, user directories on the servers, etc.
> Currently the IT support people have admin rights on the workstations. Can
> they do their job as a Limited user with proper permissions?
>
> I know this is a long post but I would appreciate any help.
>
> Thanks.
> --
> wweldin
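As an added example, not part of Steve's reply or the original post, here is a PowerShell script that checks a workstation for the controls he lists: LM hash storage disabled, auditing of backup/restore privilege use, who actually holds local Administrators membership, and whether a user's profile folder is EFS-encrypted. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and an elevated session; the approved-admin list and profile path are placeholders for your own environment.

```powershell
# Added example, not from the thread. Read-only audit of the hardening points
# in the reply above. Placeholders: $ApprovedAdmins, $ProfilePath.
param(
    [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", "CONTOSO\Domain Admins"),
    [string]$ProfilePath = "$env:SystemDrive\Users\someuser\Documents"
)

$results = @()
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

# 1. Storage of LM hashes is disabled when NoLMHash = 1 (absent means enabled).
$noLm = $lsa.NoLMHash
$results += [pscustomobject]@{ Check = "NoLMHash"; Pass = ($noLm -eq 1); Detail = "$noLm" }

# 2. "Audit the use of Backup and Restore privilege" is stored in the
#    FullPrivilegeAuditing REG_BINARY value; a first byte of 1 means enabled.
#    Without it, backup/restore reads of user data leave nothing in the log.
$fpa = $lsa.FullPrivilegeAuditing
$auditOn = ($fpa -is [byte[]]) -and ($fpa.Length -ge 1) -and ($fpa[0] -eq 1)
$results += [pscustomobject]@{ Check = "AuditBackupRestore"; Pass = $auditOn; Detail = ($fpa -join ",") }

# 3. Local Administrators membership compared against the approved list.
$members = Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
$unexpected = @($members | Where-Object { $_ -notin $ApprovedAdmins })
$results += [pscustomobject]@{ Check = "LocalAdmins"; Pass = ($unexpected.Count -eq 0); Detail = ($unexpected -join ";") }

# 4. Every file under the profile folder should carry the Encrypted attribute;
#    anything without it is readable by a local admin via take-ownership or backup.
$encFlag = [int][IO.FileAttributes]::Encrypted
$plain = @(Get-ChildItem -Path $ProfilePath -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { (([int]$_.Attributes) -band $encFlag) -eq 0 })
$results += [pscustomobject]@{ Check = "EFS"; Pass = ($plain.Count -eq 0); Detail = "$($plain.Count) unencrypted file(s)" }

$results | Format-Table -AutoSize
```

Any row with Pass = False points at one of the gaps the reply describes; the script changes nothing, so it is safe to run from a scheduled audit account.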