Restrict take ownership rights


Posted

I know this is a dumb question but I have to ask. Is there any way I can restrict members of an XP desktop's local administrator group from taking ownership of a folder? I have given a group access to a folder on an XP machine and then taken the local administrators group access to the same folder away. I want to ensure that local administrators cannot come along and elevate their own privileges by taking ownership.

The folder holds very sensitive data that admins are not allowed to access; however, they need local admin rights for some other reasons, e.g. applying patches and general admin. Is there another group on these desktops that can be used for admin purposes, like the Server Operators group for servers?

Guest Roger Abell [MVP]
Posted

"Gunna" <Gunna@discussions.microsoft.com> wrote in message news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...

> I know this is a dumb question but I have to ask. Is there any way I can restrict members of an XP desktop's local administrator group from taking ownership of a folder? I have given a group access to a folder on an XP machine and then taken the local administrators group access to the same folder away. I want to ensure that local administrators cannot come along and elevate their own privileges by taking ownership.
>
> The folder holds very sensitive data that admins are not allowed to access; however, they need local admin rights for some other reasons, e.g. applying patches and general admin. Is there another group on these desktops that can be used for admin purposes, like the Server Operators group for servers?


That is not your solution. If the data is that sensitive and the admins are not sufficiently trusted, then find a different place to hold the data or use rights management, encryption, or some other means to protect the data.

You may remove the ability of members of the Administrators group to take ownership, but it is all or none, not something you may selectively remove for just the one folder. Anyway, removing that right would not prevent them from getting at the data (consider the backup/restore route).

Roger

Posted

Use cacls; it's built into your Windows.

For the commands: technet.microsoft.com/en-us/library/bb490872.aspx


"Gunna" <Gunna@discussions.microsoft.com> wrote in message news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...

> I know this is a dumb question but I have to ask. Is there any way I can restrict members of an XP desktop's local administrator group from taking ownership of a folder? I have given a group access to a folder on an XP machine and then taken the local administrators group access to the same folder away. I want to ensure that local administrators cannot come along and elevate their own privileges by taking ownership.
>
> The folder holds very sensitive data that admins are not allowed to access; however, they need local admin rights for some other reasons, e.g. applying patches and general admin. Is there another group on these desktops that can be used for admin purposes, like the Server Operators group for servers?

Posted

Roger,

I hear what you're saying, don't get me wrong. The problem isn't where the data is held; it's that the data is generated on this machine. Backup and restore isn't an issue as the data is not being backed up here. Sounds stupid, I know. All that matters is the data is generated by a user who is authorised to log onto the machine (these are the people who have access to the folder I want to restrict from local admins), they run an app which generates some data and then they grab that data and log off. I need to be sure anyone in the local admin group cannot just take ownership and give themselves access to the folder and therefore the app. And before you ask, there is no access control built into the app, otherwise I would use that.


"Roger Abell [MVP]" wrote:

> "Gunna" <Gunna@discussions.microsoft.com> wrote in message news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
>
> > I know this is a dumb question but I have to ask. Is there any way I can restrict members of an XP desktop's local administrator group from taking ownership of a folder? I have given a group access to a folder on an XP machine and then taken the local administrators group access to the same folder away. I want to ensure that local administrators cannot come along and elevate their own privileges by taking ownership.
> >
> > The folder holds very sensitive data that admins are not allowed to access; however, they need local admin rights for some other reasons, e.g. applying patches and general admin. Is there another group on these desktops that can be used for admin purposes, like the Server Operators group for servers?
>
> That is not your solution. If the data is that sensitive and the admins are not sufficiently trusted, then find a different place to hold the data or use rights management, encryption, or some other means to protect the data.
>
> You may remove the ability of members of the Administrators group to take ownership, but it is all or none, not something you may selectively remove for just the one folder. Anyway, removing that right would not prevent them from getting at the data (consider the backup/restore route).
>
> Roger

Guest Roger Abell [MVP]
Posted

My response is not changed.

If you could take away take ownership rights for only that folder (you cannot) the admins could still use the ntbackup backup app and then restore the data somewhere else and look at it.

Your solution is in controlling to where the information is persisted when it gets stored by the application. The filesystem alone will not meet the needs you have defined.

Roger


"Gunna" <Gunna@discussions.microsoft.com> wrote in message news:A91CF94A-BA30-424E-A2A6-5BE66514B08E@microsoft.com...

> Roger,
>
> I hear what you're saying, don't get me wrong. The problem isn't where the data is held; it's that the data is generated on this machine. Backup and restore isn't an issue as the data is not being backed up here. Sounds stupid, I know. All that matters is the data is generated by a user who is authorised to log onto the machine (these are the people who have access to the folder I want to restrict from local admins), they run an app which generates some data and then they grab that data and log off. I need to be sure anyone in the local admin group cannot just take ownership and give themselves access to the folder and therefore the app. And before you ask, there is no access control built into the app, otherwise I would use that.
>
> "Roger Abell [MVP]" wrote:
>
>> "Gunna" <Gunna@discussions.microsoft.com> wrote in message news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
>>
>> > I know this is a dumb question but I have to ask. Is there any way I can restrict members of an XP desktop's local administrator group from taking ownership of a folder? I have given a group access to a folder on an XP machine and then taken the local administrators group access to the same folder away. I want to ensure that local administrators cannot come along and elevate their own privileges by taking ownership.
>> >
>> > The folder holds very sensitive data that admins are not allowed to access; however, they need local admin rights for some other reasons, e.g. applying patches and general admin. Is there another group on these desktops that can be used for admin purposes, like the Server Operators group for servers?
>>
>> That is not your solution. If the data is that sensitive and the admins are not sufficiently trusted, then find a different place to hold the data or use rights management, encryption, or some other means to protect the data.
>>
>> You may remove the ability of members of the Administrators group to take ownership, but it is all or none, not something you may selectively remove for just the one folder. Anyway, removing that right would not prevent them from getting at the data (consider the backup/restore route).
>>
>> Roger
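
The replies above say that take ownership is a machine-wide user right and that backup/restore is a second route to the data; both can be checked against a machine's user-rights assignment. The following is an added example, not code from the thread: it parses a `secedit /export /areas USER_RIGHTS` file, the sample export is constructed, and the function names are illustrative.

```python
# Added example: audit a `secedit /export /areas USER_RIGHTS` file for rights
# that bypass a folder ACL. SAMPLE_INF is constructed, not from a real machine.
import re

ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

# User rights that let a holder reach file data despite the folder's DACL.
BYPASS_RIGHTS = {
    "SeTakeOwnershipPrivilege": "take ownership, then rewrite the ACL",
    "SeBackupPrivilege": "read any file through backup APIs (e.g. ntbackup)",
    "SeRestorePrivilege": "write any file and set its owner via restore APIs",
}

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTakeOwnershipPrivilege =
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of SIDs/account names} from [Privilege Rights]."""
    rights, section = {}, None
    for line in inf_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Privilege Rights" and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {
                h.strip().lstrip("*") for h in holders.split(",") if h.strip()
            }
    return rights

def bypass_routes(inf_text, sid=ADMINISTRATORS):
    """List the ACL-bypass rights that `sid` holds directly in this export."""
    rights = parse_privilege_rights(inf_text)
    return sorted(r for r in BYPASS_RIGHTS if sid in rights.get(r, set()))

if __name__ == "__main__":
    for right in bypass_routes(SAMPLE_INF):
        print(f"Administrators hold {right}: {BYPASS_RIGHTS[right]}")
```

A real export is normally UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. Because administrators can edit the user-rights assignment themselves, a clean result describes the current policy, not a lasting control.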
