1

I am running a user file share on Windows 2008 R2.

My concern is Domain Admins accessing someone's files they shouldn't.

I have turned on advanced auditing and tested the results. I see when someone does anything in the folder (read/delete) with the offender's user ID, but it comes across as Event ID 5145. When the real user accesses their own folder, it also comes over as Event ID 5145.

My place of work has over 4000 users, so the option of alerting every time someone uses their own files is not an option. I can't only trigger on failure since domain admins will have rights to access the files.

Placing "users only" instead of users and admins is not an option since our backups won't be able to read the data.

Anyone have any suggestions?

gideon
Stephen
    Just for the record, if you don't trust these people they really shouldn't be domain admins (or ***ANY*** kind of admin). All the auditing/logging/alerting in the world isn't going to help you: By the time you see the event the damage is done and the information leaked. – voretaq7 Mar 13 '12 at 18:55

2 Answers

3

We have a separate central logging appliance from LogLogic that we forward all of our system logs to. This in turn allows us greater granularity of how and when we alert. I'd recommend using a solution like that if you have one.

Tatas
0

See voretaq7's comment. You really have to trust them. However, it is not unreasonable to verify what they are doing and their need for access.

We go one step further. We have defined our share access (really NTFS, not share-level perms) so that Domain Admins do not have explicit read access to most shares. We created a Mgmt Security group for this that is normally empty. Of course, Domain Admins can add themselves to this group, so the network manager gets an alert every time this group membership changes.

In the event of a share issue, Domain Admins always have the right to claim ownership of any files due to their rights.

Event logging is being deployed now and we also are working to severely limit the number of people in our Domain Admin group by deploying an AD Mgmt tool (Active Roles Server from Quest).

uSlackr
  • I like the idea of removing DAs from the access by replacing them with a new security group, then alerting on joining of that group. I will try this and see if I get the desired results. It's not that I don't trust our employees; I need to be able to track access for an audit requirement. – Stephen Mar 13 '12 at 20:24
  • Agreed. It's the auditing - not the trusting. – uSlackr Mar 13 '12 at 21:00
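The approach in uSlackr's answer, written out as an added PowerShell example (this is not code from the thread or from any of its participants). It assumes a domain CONTOSO, a home-share root D:\Users exported as Users$, a normally-empty management group CONTOSO\FileShare-Mgmt and a backup service account CONTOSO\svc-backup; all of these names are placeholders to adjust. It also goes one step beyond the answer with a filter for the Event ID 5145 volume the question describes, on the assumption (common for home shares, but an assumption) that each top-level folder is named after its owner.

```powershell
# Added example, not code from the thread. All names below are assumptions.
$ShareRoot    = 'D:\Users'
$MgmtGroup    = 'CONTOSO\FileShare-Mgmt'
$BackupAcct   = 'CONTOSO\svc-backup'
$DomainAdmins = 'CONTOSO\Domain Admins'

# 1. Swap the Domain Admins ACE on the share root for the management group.
#    Backups keep reading because the backup account gets its own read ACE,
#    so the "users only" setting that broke backups is not needed.
function Set-ShareRootAcl {
    param([string]$Path = $ShareRoot)
    $acl = Get-Acl -Path $Path
    # Break inheritance (keeping copies of the inherited ACEs) so the DA entry can be purged.
    $acl.SetAccessRuleProtection($true, $true)
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$DomainAdmins)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $MgmtGroup, 'FullControl', $inherit, 'None', 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $BackupAcct, 'ReadAndExecute', $inherit, 'None', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
    # Verify: the per-user folders below the root should now inherit the new entries.
    icacls $Path
}

# Flatten a Security event's EventData into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param($Event)
    $d = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 2. The alert feed: membership changes to the management group, read from a DC.
#    4728/4732/4756 = member added to a global/local/universal security group,
#    4729/4733/4757 = member removed. Requires "Audit Security Group Management"
#    to be enabled on the domain controllers.
function Get-MgmtGroupChange {
    param([string]$DomainController, [datetime]$Since = (Get-Date).AddDays(-1))
    $groupName = $MgmtGroup.Split('\')[1]
    $filter = @{ LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_['TargetUserName'] -eq $groupName } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time      = $_['TimeCreated']
                EventId   = $_['EventId']
                Group     = $_['TargetUserName']
                Member    = $_['MemberName']
                ChangedBy = "$($_['SubjectDomainName'])\$($_['SubjectUserName'])"
            }
        }
}

# 3. Triage of the 5145 noise from the question. Assumption: every top-level
#    folder under the share is named after its owner, so an access whose
#    SubjectUserName differs from the first path component of RelativeTargetName
#    is someone in a folder that is not theirs. Works on the flattened records
#    so it can be exercised on constructed data offline.
function Select-ForeignAccess {
    param([hashtable[]]$Events, [string]$ShareName = '\\*\Users$')
    foreach ($e in $Events) {
        if ($e['ShareName'] -ne $ShareName) { continue }
        $owner = ($e['RelativeTargetName'] -split '[\\/]')[0]
        if ($owner -and $e['SubjectUserName'] -ne $owner) { $e }
    }
}

# Constructed 5145 records (not real log data): alice in her own folder is the
# noise to drop; bob in alice's folder is the event worth alerting on.
$sample = @(
    @{ SubjectUserName = 'alice'; ShareName = '\\*\Users$'; RelativeTargetName = 'alice\budget.xlsx'; AccessMask = '0x1' },
    @{ SubjectUserName = 'bob';   ShareName = '\\*\Users$'; RelativeTargetName = 'alice\budget.xlsx'; AccessMask = '0x1' }
)
Select-ForeignAccess -Events $sample |
    ForEach-Object { '{0} accessed {1} (mask {2})' -f $_['SubjectUserName'], $_['RelativeTargetName'], $_['AccessMask'] }

# Live use on the file server, feeding real 5145 events through the same filter:
# Select-ForeignAccess -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } |
#     ForEach-Object { ConvertFrom-EventData $_ })
```

Two caveats a practitioner should keep in mind. First, as the answer itself notes, removing the ACE does not stop a Domain Admin: they stay in the file server's local Administrators group and can take ownership or use backup/restore privileges, so this turns misuse into a loud event rather than an impossible one; enable object-level auditing for ownership and permission changes on the share root if that path also has to be covered. Second, the 5145 filter is only as good as the folder-name-equals-owner assumption; where home folders are named differently, look the owner up (for example from the folder's NTFS owner or the user's home directory attribute) instead of parsing the path.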