I am looking for a means to prevent my Windows administrator from accessing my files. My plan is to cipher my files with EFS. As far as I know, the administrator can access ciphered files if he has the EFS recovery agent role. So I'm worried about the possibility that the admin can grant himself recovery agent permissions, steal data and take the permissions away. My research shows that in that case my files would have a recovery agent information entry in their metadata and the admin has no means to delete it. So at least I can detect the theft post factum. The potential opportunity to detect theft gives me enough sense of security. Am I right? Please review my deductions.
Social/human resource problems cannot be solved through technological solutions... – Bart Silverstrim Apr 26 '12 at 17:43
Unless you're the owner / a director, you don't own the data on your computer, the company that employs you does, and it's hired this admin to manage its network, and that includes having access to the data on all the computers on the network if they need it to do their job. If you feel this person is being unprofessional, you should address it through your line manager. If you're the owner / a director level employee then you should have the employee removed from their job if you can't trust them. Playing around with encryption is no solution. – Rob Moir Apr 26 '12 at 18:40
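The check the question describes, reading which recovery certificates are recorded on an EFS-encrypted file and comparing them with an expected set, can be scripted around `cipher /c`. This is an added example, not part of the original post; it assumes the English-language `cipher /c` output layout, and the account names and thumbprints are constructed placeholders.

```powershell
# Added example: extract recovery-certificate thumbprints from `cipher /c` output
# and flag any that are not in a known-good baseline.
# Assumption: English output with a "Recovery Certificates:" section that
# contains "Certificate thumbprint:" lines.
function Get-EfsRecoveryThumbprint {
    param([string[]]$CipherOutput)
    $inRecovery = $false
    foreach ($line in $CipherOutput) {
        $text = $line.Trim()
        if ($text -match '^Recovery Certificates?:') { $inRecovery = $true; continue }
        # Any other bare section header ("Users who can decrypt:", "Key Information:")
        # ends the recovery section.
        if ($text -match '^[A-Za-z][A-Za-z ]*:$') { $inRecovery = $false; continue }
        if ($inRecovery -and $text -match '^Certificate thumbprint:\s*(.+)$') {
            # Normalise: strip the spaces between hex groups, upper-case.
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

# Constructed sample modeled on `cipher /c` output; all values are placeholders.
$sample = @'
E report.docx
  Users who can decrypt:
    CORP\alice [alice(alice@CORP)]
    Certificate thumbprint: AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA AAAA

  Recovery Certificates:
    CORP\Administrator [Administrator(Administrator@CORP)]
    Certificate thumbprint: BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB BBBB

  Key Information:
    Algorithm: AES
'@ -split "`r?`n"

# Thumbprints of the recovery agents you expect to see (placeholder value).
$baseline = @('CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC')

$found      = @(Get-EfsRecoveryThumbprint -CipherOutput $sample)
$unexpected = @($found | Where-Object { $_ -notin $baseline })

if ($unexpected.Count -gt 0) {
    "Unexpected recovery certificate(s): $($unexpected -join ', ')"
} else {
    'All recovery certificates match the baseline.'
}

# On a live system, pass real output instead of the sample:
#   Get-EfsRecoveryThumbprint -CipherOutput (cipher /c 'C:\path\to\file')
```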
3 Answers
Your first problem is you have an administrator that you don't trust. This is a human resources issue, and you may need to take it up as such.
Second, you could only "protect" them by placing the files in a volume that's encrypted separately from Windows (encapsulating the data). There are methods to do this and products to do so if you google for it.
BUT
Do you own this material? Or is it company owned? Are you in effect stealing from the company?
And beyond that, this material could still be copied, and the computer could be monitored via keystroke capture and monitored remotely through screen capture/viewer programs, both of which are usually allowed in most countries because in the workplace, your employer owns the computer and the network.
You need to take this up with your employer. The sysadmin has full access to the computer, and the employer owns the resources. Whatever your issue is with the sysadmin you need to work that out without a technology solution.

Nothing would prevent the admin from installing keyloggers etc., and you wouldn't even notice, so: No, your assumptions are wrong.

An "untrusted" administrator should be getting his rights revoked. There are tons of other ways to steal data if you have full rights on a server.

I would wonder why he's untrusted... is this an employee interaction issue? Political? Company problem? – Bart Silverstrim Apr 26 '12 at 17:42