Hiding Folders, Trusting Admins
Novell Cool Solutions: Tip
By Jim Henderson
Posted: 15 Jun 2005
An admin recently asked about the following real-world scenario:
"A supervisor wants a folder on a server just for her access only, with no one else able to see anything inside the folder, or the folder itself. I am not sure this can be done. I realize that if it can be done, then it can also be un-done, and someone could look at the files in the folder.
I am an admin-equivalent user on the network. I created the folder requested by the supervisor, gave the user full rights, and set the IRF to none by unchecking all options. All non-admin users are not able to see the folder. User admin (and all admin-equivalents) still can see the folder and its contents.
I specifically entered the folder's path on the admin user's Rights to Files and Folders tab in ConsoleOne, and unchecked all rights. No change - admins can still see the folder and its contents. I think this is because the user admin has universal rights to everything, so blocking rights this way doesn't work.
Can this request be accomplished? If so, how?"
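Why the IRF and the empty trustee assignment described in the question leave admin-equivalent users untouched, as an added example that is not part of the original tip: a simplified model of NetWare file-system effective rights, in which the Supervisor right, once granted higher in the tree, is not removed by an IRF or by a lower assignment. The user names, the paths and the representation of Admin's rights as an [S] assignment at the volume root are assumptions made for the example.

```python
# Added example: simplified model of NetWare file-system effective rights.
# S=Supervisor R=Read W=Write C=Create E=Erase M=Modify F=File scan A=Access control
ALL = frozenset("SRWCEMFA")

def effective_rights(path, identities, trustees, irf):
    """Rights of a user (plus everything it is security-equivalent to) at `path`.

    path       -- tuple of directory names below the volume root, () is the root
    identities -- the user itself and its groups / security equivalences
    trustees   -- {(path, identity): rights granted by an explicit assignment}
    irf        -- {path: rights allowed to be inherited}; unlisted dirs pass ALL
    """
    total = set()
    for ident in identities:
        rights, supervisor = set(), False
        for depth in range(len(path) + 1):
            here = path[:depth]
            rights &= irf.get(here, ALL)           # inherited rights pass the IRF
            if (here, ident) in trustees:          # explicit assignment replaces them
                rights = set(trustees[(here, ident)])
            supervisor = supervisor or "S" in rights
        # Supervisor granted anywhere above survives IRFs and lower assignments.
        total |= ALL if supervisor else rights
    return frozenset(total)

# Constructed scenario mirroring the question (all names are hypothetical).
FOLDER = ("DEPT", "PRIVATE")
TRUSTEES = {
    ((), "admin"): {"S"},                  # assumption: Admin's Supervisor right at the root
    (("DEPT",), "staff"): {"R", "F"},      # ordinary users inherit Read/File scan
    (FOLDER, "boss"): set("RWCEMFA"),      # rights given to the folder's owner
    (FOLDER, "admin"): set(),              # the "unchecked all rights" assignment
}
IRF = {FOLDER: set()}                      # IRF with every option unchecked

if __name__ == "__main__":
    for who, ids in [("staff user", {"alice", "staff"}),
                     ("folder owner", {"boss"}),
                     ("admin-equivalent", {"jdoe", "admin"})]:
        r = effective_rights(FOLDER, ids, TRUSTEES, IRF)
        print(f"{who:17} {''.join(sorted(r)) or '(none)'}")
```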
One of our Forum experts recommended the following TID on setting admin rights:
Another Forum expert took a more philosophical approach to the issue:
"In my opinion, based on my experience in the real world - if the supervisor doesn't trust the admin not to look at the files, he should store them off the server.
The implication here is that he doesn't care if the data is backed up (since his user ID won't be used by the backup software and thus also wouldn't have rights). That being the case, he should put the sensitive data on a local hard drive, diskette, or CD-RW disc and lock it up.
I've always held the opinion that if management doesn't trust their network administrators, then why on Earth are the network administrators network administrators? That is a job that requires trustworthiness, because those running the systems have access to everything about the company.
For some industries, such as banking, there is a requirement around this issue. What you typically see in that case is auditing of file access, as opposed to restriction of rights. That typically satisfies the requirements (note, however, that I'm not expert in the banking industry).
Also, as a network administrator, I had always considered it safest to assume that I didn't know who was watching what I was doing or how they were watching. So, if I am doing something that requires me to look over my shoulder to see if anyone is walking past who might be upset, I probably shouldn't be doing it."
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com