We're a small company with a 2008R2 domain on which we have a file server with several shared volumes. We have a number of IT staff in the domain administrators role, because effectively we're all on call 24x7. However, it has recently become an issue of company policy that there are certain folders or files (salary data, performance reviews, accounting info) that should be confidential, including from IT staff. This also includes the data on backups (tape and disk).
Things that have occurred to us so far:
* EFS - but we'd have to set up a PKI, which is a bit overkill for our company size
* TrueCrypt - but this kills concurrent access and search-ability
* Remove Domain Admins from the ACLs - but this is extremely easy (one click) to bypass
* Dropping use of the Domain Admins group, and delegating permissions more explicitly - but again this is a bit overkill, and we want to reduce the need for shared accounts (e.g., MYDOMAIN\Administrator) as much as possible for audit reasons
I'm sure this is not a novel problem, and am curious how other people with this sort of requirement have handled it? Are there any options that we haven't already considered?
Thanks!
I have seen it handled two ways:
Both have their problems, of course. The first method is what my prior two jobs at large organizations elected to follow. The reasoning was basically:
This is one reason why people in our jobs tend to be subject to background checks.
This was highlighted when someone from HR itself started a work proceeding, and the IT staff was called in to set up the permissions to block that user from the file locations where the proceedings were documented. Even though such proceedings are confidential from IT, we were specifically invited in to set up the right excludes.
That was a case of explicit conflict-of-interest
The second option is typically followed by departments without consultation of IT. 10 years ago this drive to protect data from the all-seeing eye of the presumed BOFH caused people to put critical data on their workstation's drives and share the directories between each other in the department. These days, this could be something as simple as a shared Dropbox folder, Microsoft SkyDrive, or something else along those lines (mmmm, exfiltration of company data to unvetted third parties).
But if management has seen the problem and talked to everyone about it, every instance I've been involved with or near has come down to, "We trust these people for a reason, just make sure they're fully aware of the access policies and move on."
First off, you have to trust your admins. If you don't, they shouldn't have this job or these privileges. The company trusts the finance or HR person that has access to this data, so why not the IT staff? Remind them that the admins have the ability to trash the production environment everyday, yet choose not to. It is important that management sees this issue clearly.
Next, as @sysadmin1138 says, remind admins that access does NOT equal permission.
That said, we do not grant domain admins access to file shares by default. They are removed and in their place three ACL groups (Read, Write, Admin) are used for each share's NTFS permissions. No one is in the ACL Admin group by default, and membership of those groups is monitored.
Yes, domain admins can take ownership of those files, but it leaves a trail. Audit is important. Ronald Reagan called this "trust, but verify". People should know you are checking.
Finally, start removing people from domain admins. AD permissions are too easy to granularize today; there is no reason not to do so. Give people admin access to the servers or services they manage, not everything.
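The three-group-per-share layout described in this answer, as an added example in PowerShell (this is not the answerer's own script). It assumes a share folder `D:\Shares\Finance`, a domain called MYDOMAIN with an OU for ACL groups, the RSAT ActiveDirectory module, and an elevated session on the file server; all of those names are placeholders.

```powershell
# Added example: per-share NTFS ACL groups with Domain Admins removed from the DACL.
# Assumed names: share folder, domain, and OU below. Run elevated on the file server.
Import-Module ActiveDirectory

$Share   = 'Finance'
$Path    = 'D:\Shares\Finance'                      # assumed folder
$Domain  = 'MYDOMAIN'                               # assumed NetBIOS domain name
$GroupOU = 'OU=ACL Groups,DC=mydomain,DC=local'     # assumed OU for the groups

# 1. One domain-local group per access level. Nobody goes in the Admin group by default.
$Roles = @{
    Read  = 'ReadAndExecute'
    Write = 'Modify'
    Admin = 'FullControl'
}
foreach ($Role in $Roles.Keys) {
    $Name = "ACL_${Share}_$Role"
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
    }
}

# 2. Rebuild the folder DACL: break inheritance without copying inherited entries,
#    drop every leftover explicit ACE, then grant only SYSTEM and the three groups.
$Acl = Get-Acl -Path $Path
$Acl.SetAccessRuleProtection($true, $false)
foreach ($Ace in @($Acl.Access)) { [void]$Acl.RemoveAccessRule($Ace) }

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', $Inherit, $Prop, 'Allow')))
foreach ($Role in $Roles.Keys) {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\ACL_${Share}_$Role", $Roles[$Role], $Inherit, $Prop, 'Allow')))
}
# The owner can always rewrite the DACL, so do not leave BUILTIN\Administrators as owner.
$Acl.SetOwner((New-Object System.Security.Principal.NTAccount('NT AUTHORITY\SYSTEM')))
Set-Acl -Path $Path -AclObject $Acl

# 3. The monitoring the answer mentions: an occupied Admin group, or Domain Admins
#    reappearing in the DACL, is a finding. Schedule this and ship the warnings somewhere.
$AdminMembers = Get-ADGroupMember -Identity "ACL_${Share}_Admin" -Recursive
if ($AdminMembers) {
    Write-Warning "ACL_${Share}_Admin is not empty: $($AdminMembers.SamAccountName -join ', ')"
}
$Current = Get-Acl -Path $Path
if ($Current.Access | Where-Object { $_.IdentityReference -like '*\Domain Admins' }) {
    Write-Warning "Domain Admins has been re-added to $Path"
}
```

Two things worth knowing when running this: the owner change to SYSTEM needs the restore privilege, which an elevated administrator has, and users who are added to one of the groups only see the new access after they log on again, because group membership is fixed in the logon token.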
I have five potential solutions, four of which are technical.
(1) Create an AD Forest and another domain specific to privileged information. Repeat as needed to cover specific communities of interest. This will add a new role above the domain admins - enterprise admins that can be further segregated and even subdivided.
Pros:
Cons:
(2) Create a stand alone server with no trust relationship apart from individual users
Pros:
Cons:
(3) Procure one of the different network vault types of products, example being Cyber-Ark. These products are specifically designed for the use-case you are discussing.
Pros:
Cons:
(4) Place all information inside databases, then use strong encryption to encrypt all database content, or use a full disk encryption product to better control the filesystem access along with (1) and/or (2) above. Augment this with a policy to disallow cleartext removal of database content and require reports to stay within the database. The encryption product can include strong encryption modules such as FIPS 140-2, and can be a physical device too, such as a hardware security module (HSM).
Pros:
Cons:
(5) Security Control Compensation - beef up your personnel security controls such as adding insurance against a breach of information, adding certain two-person requirements (can be done many different ways), another role (security admin), or more background checking. More creative options would be including a golden parachute that would kick-in after departure from the company with no breach of information a year after resignation/firing, or more attention given to keeping the admins happy in general via some special perks with ties to these personnel requirements.
Pros:
Cons:
Once someone has administrative rights all bets are off as far as the security goes. This is exactly why administrators need such a high level of trust - there are always ways around any kind of blocks that can be put in place.
All you can really do is separate duties and set up a checks and balances system.
For example, you could use a secondary logging system (like Splunk or a Linux syslog server) that only your president / whoever has access to and configure file auditing for your secure directories.
Remove the administrators from the ACLs and forward changes to the ACL to the log server. It won't stop the event from happening but you will have a definite log of who changed the permissions when and how.
The more of these blocks you put in place the more likely you are to have someone stumble on one of them.
You should be aware that a person with that level of privilege can access data on Windows file shares regardless of the security permissions of the files/folders. This is due to the privileges that can be conferred in Windows when the "Backup Files and Directories" right is available.
With that right, someone can simply backup the files, and restore them to another location. And for extra credit, they could do it as a scheduled task running as system so it would be less than obvious during an audit. If that were not an option, they may have access to the backup system, and could restore the data from there to a location that may not be audited.
Without EFS, you may not be able to rely on the file system to guarantee confidentiality, permissions, auditing, or otherwise.
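Both the auditing set-up in the earlier answer (file auditing on the secure directories, ACL changes logged) and the backup-privilege bypass this answer describes can be shown in one PowerShell session. The following is an added example, not code from either answerer; it assumes the folder `D:\Shares\Finance` already has Domain Admins removed from its DACL, a scratch destination `C:\Temp\copy`, and an elevated session on the file server.

```powershell
# Added example: audit the confidential folder, reproduce the backup-mode read,
# and pull the resulting Security events. Paths below are assumed. Run elevated.
$Path = 'D:\Shares\Finance'
$Dest = 'C:\Temp\copy'

# 1. Enable the two audit subcategories that matter here:
#    Object Access / File System            -> 4663 (object accessed), 4670 (DACL changed)
#    Privilege Use / Sensitive Privilege Use -> 4674 (SeBackupPrivilege, SeTakeOwnershipPrivilege used)
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# 2. Put a SACL on the folder so reads, writes, permission and owner changes by
#    anyone are recorded, successful or not.
$Acl     = Get-Acl -Path $Path -Audit
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, ChangePermissions, TakeOwnership, Delete'
$Acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $Rights, $Inherit, $Prop, 'Success, Failure')))
Set-Acl -Path $Path -AclObject $Acl

# 3. The bypass from the answer, in its simplest form: robocopy /B opens files in
#    backup mode, i.e. using SeBackupPrivilege, so the copy succeeds for an
#    administrator even though the DACL grants them nothing on $Path.
robocopy $Path $Dest /E /B /NJH /NJS

# 4. The trail it leaves. SubjectUserName is property index 1 for 4663, 4670 and 4674.
$Since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670, 4674; StartTime = $Since } |
    Where-Object { $_.Id -eq 4674 -or $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Step 4 only reads the local Security log; for the "log server the admins cannot touch" arrangement from the earlier answer, the same events need to leave the box, for example via a Windows Event Forwarding subscription or a syslog agent, because a local administrator can clear the local log (which itself leaves event 1102). The point the two answers make together is that the SACL cannot stop a backup-mode read, but it does record it, so the control is the review of those events rather than the ACL.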
The SkyDrive option that sysadmin1138 mentioned sounded good to me for documents. The number of documents that are truly sensitive is usually quite small, and SkyDrive gives you 7 GB for free (2 GB file max). For an accounting system, that data should be protected in a real database by some level of encryption, and authentication that would not allow a Windows administrator access.