Deny Domain Admins Access to Folders

Hi everyone,

Great forum you have here, lots of good info!

Is there away to simply exclude domain administrators from accessing files and directories? Example: A human resources folder that should be "For your eyes only" to the human resource people.

I know we should "trust the domain admins... etc, etc." But is there a way to do this. Sure, perhaps they will be able to take ownership but that would certainly generate a unique event in the event log.

Any ideas on how to do this would be greatly appreciated. And if it is a simple process please accept my apologies in advance for my ignorance on this matter.

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

0xFFFFFF

There is a reason they are called "domain administrators". Even if you lock the folder/file with only users/group needing access, admins can take the ownership of an AD object and change the permissions to gain access. In order to generate log entries for events like this, auditing must be enabled and assigned to the protected resource. Admins can disable the auditing to prevent the log entry. So every way you look at it, you are in a hole.

The are two remedies for this situation. You need to come up with a corporate policy about who can access and what in HR network resources. Hire a dependable network admins. You are giving someone access to your critical business data and should do your homework.

ptilsen

While there are conceivable means to truly prevent access, they are generally so counterproductive or costly that they are impractical. However, one can reasonably implement auditing systems that could detect if an administrator accessed files such that said administrator could easily be detected. So while preventing access to files is generally impractical in that type of scenario, logging file access is easy.

If you really want to look at ways to prevent privileged IT administrators from accessing files on systems for which they are responsible, they do exist, but outside of matters involving military or state secrets they are generally impractical and unnecessary. There needs to be some level of trust for certain individuals, and ultimately if they are not trustworthy they're going to be able to do some damage no matter what controls are in place.

For something like human resources specifically, it makes more sense to outsource HR resources to a system not controlled by IT. This would generally be sufficient, though it should go without saying that a privileged individual could often still gain access through various simple means at his or her disposal (install a keylogger, reset password via email, etc.).

paul78

Welcome to TE.

The most cost-effective method to prevent domain admins from accessing confidential material on a network share is to deploy a network share encryption mechanism. It could be as simple as using Winzip archives where the password is only known to the privileged users or using open-source tools like TrueCrypt - TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux

This method will still give you the benefit of file sharing, file replication, backups. While maintaining confidentiality to the correct folks.

There are commercial solutions as well - check out Symantec - Encrypt Files: Folder & Server Encryption | Symantec and there are other vendors with similar such as McAfee, Entrust, etc.

I haven't looked into the access mechanims of Windows EFS - but that could a be possibility as well.

Depending on the size of the organization that you are supporting and the number of locations - TrueCrypt may suffice.

drkat

We had an IT Policy where you had an "admin" account and a DA account, if you logged into the DA account it sent a netmsg to the directors etc, and you had to sign out the DA account for X amount of time and auditing was configured. IT Policy is the best way to go

netsysllc

I would agree that polices and auditing is the correct way to go here. There needs to be some level of trust with the IT staff. Not to mention if you use a third party encryption then there is a possibility the files could be lost and not recoverable which is not acceptable.

paul78

netsysllc wrote: »

There needs to be some level of trust with the IT staff.

Unfortunately, this is not always about trust. There is data that sometimes are strictly not for all eyes. And leakage of that data couldn't cause irreparable harm to the business. For example, a pending merger or sales, HR information such as layoffs, personally identifiable information, etc. etc.

higherho

paul78 wrote: »

Unfortunately, this is not always about trust. There is data that sometimes are strictly not for all eyes. And leakage of that data couldn't cause irreparable harm to the business. For example, a pending merger or sales, HR information such as layoffs, personally identifiable information, etc. etc.

This is true, but in a lot of cases the company should have NDA's and memorandums for their administrators to sign. This way they are held accountable for their actions and still administer the network.

You can lock this stuff down so that domain admins cannot look into the file. I do like the idea of encrypting the files but what happens if the individual forgets the password, etc? Disaster recovery plans need to be made and policy structure.

sratakhin

Why not just keep those sensitive files on a USB drive?

cyberguypr

Even better, a floppy disk. HA!

sratakhin

Why not? It's got the write protection switch so the files will be protected from the evil admin

pizzaboy

lol that's funny

blargoe

HR managing their own encryption works until someone forgets their password, leaves the company, etc. If using freebie tools, that will happen sooner or later. If using something like EFS in Windows, that's still a risk unless an enterprise PKI is set up with recovery agents, etc, but then you're giving the domain admin the control again.

The only other thing I could think of is to give the HR folks their own domain or a standalone server that is not managed by the domain, and make them in charge of backing everything up, etc. When IS support is required, give them the admin password and change it after the support request is fulfilled.

IMO, I agree with the others above, auditing, and not allowing domain admins to generally log in with their DA credentials is a good way to go. Really, you should have very, very few domain admins anyway. If you are not managing group policy or adding/removing domain controllers, you don't need to be using a DA account.