I apologize if someone has already mentioned this but there is a pretty good
solution for this. PGP is an encryption product and is supported in both the
commercial and open source worlds. There is a commercial version of this
that is designed for the Enterprise that I have used and implented fairly
successfully. The enterprise version at http://www.pgp.com will provide you
with integrated Outlook support providing the ability to sign and encrypt
e-mail, the ability to sign and encrypt files or folders, the ability to
create a mountable encrypted drive.
The biggest issue with encryption was brought up by an earlier poster. What
happens when the person disappears and noone knows his/her password? This is
answered by creating a corporate ADK key. If configured correctly,
everything the user encrypts will also be encrypted by this key and can thus
be recovered in an emergency. This key can and should be split between
multiple people thus requiring multiple people for decryption outside the
users knowledge.
PGP is also widely supported and accepted through out the world.
I hope this helps...
Thanks,
Kevin Black
-----Original Message-----
From: Michael Cox [mailto:mscox42 (at) yahoo (dot) com [email concealed]]
Sent: Friday, January 30, 2004 11:56 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Controlling Admin Access
I'd like to solicit the group's input on the
following.
Domain administrators, by definition, are going to
have complete access to member computers.
Is anyone doing anything to mitigate the potential
risks involved with access to, say, an executive's
computer which could have very sensitive data on it
(mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what
is available in the Windows world as I'm not as
familiar with that.
Even if something like object level auditing was
enabled and the logs sent to a remote host, couldn't
the admin, as a first step, disable this logging?
Please answer both 1) what is possible, and 2) what is
your organization or other organizations you know of
doing about this (if anything).
Many thanks in advance!
Michael
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
CONFIDENTIALITY NOTICE: This message and any included attachments are from
Salinas Valley Memorial Hospital and are intended only for the addressee.
The information contained in this message is confidential and may constitute
inside or non-public information under international, federal, or state
securities laws. Unauthorized forwarding, printing, copying, distribution,
or use of such information is strictly prohibited and may be unlawful. If
you are not the addressee, please promptly delete this message and notify
the sender of the delivery error by e-mail or you may call Salinas Valley
Memorial Healthcare System's Privacy Officer in Salinas, California, U.S.A
at (+1) (831) 755-0755.
------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
I apologize if someone has already mentioned this but there is a pretty good
solution for this. PGP is an encryption product and is supported in both the
commercial and open source worlds. There is a commercial version of this
that is designed for the Enterprise that I have used and implented fairly
successfully. The enterprise version at http://www.pgp.com will provide you
with integrated Outlook support providing the ability to sign and encrypt
e-mail, the ability to sign and encrypt files or folders, the ability to
create a mountable encrypted drive.
The biggest issue with encryption was brought up by an earlier poster. What
happens when the person disappears and noone knows his/her password? This is
answered by creating a corporate ADK key. If configured correctly,
everything the user encrypts will also be encrypted by this key and can thus
be recovered in an emergency. This key can and should be split between
multiple people thus requiring multiple people for decryption outside the
users knowledge.
PGP is also widely supported and accepted through out the world.
I hope this helps...
Thanks,
Kevin Black
-----Original Message-----
From: Michael Cox [mailto:mscox42 (at) yahoo (dot) com [email concealed]]
Sent: Friday, January 30, 2004 11:56 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Controlling Admin Access
I'd like to solicit the group's input on the
following.
Domain administrators, by definition, are going to
have complete access to member computers.
Is anyone doing anything to mitigate the potential
risks involved with access to, say, an executive's
computer which could have very sensitive data on it
(mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what
is available in the Windows world as I'm not as
familiar with that.
Even if something like object level auditing was
enabled and the logs sent to a remote host, couldn't
the admin, as a first step, disable this logging?
Please answer both 1) what is possible, and 2) what is
your organization or other organizations you know of
doing about this (if anything).
Many thanks in advance!
Michael
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
CONFIDENTIALITY NOTICE: This message and any included attachments are from
Salinas Valley Memorial Hospital and are intended only for the addressee.
The information contained in this message is confidential and may constitute
inside or non-public information under international, federal, or state
securities laws. Unauthorized forwarding, printing, copying, distribution,
or use of such information is strictly prohibited and may be unlawful. If
you are not the addressee, please promptly delete this message and notify
the sender of the delivery error by e-mail or you may call Salinas Valley
Memorial Healthcare System's Privacy Officer in Salinas, California, U.S.A
at (+1) (831) 755-0755.
------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.
Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ms_040219
------------------------------------------------------------------------
---
[ reply ]