Restrict take ownership rights

[Gunna]

I know this is a dumb question but i have to ask. Is there anyway I can
restrict members of a XP desktops local administrator group from taking
ownership of a folder. I have given a group access to a folder on a XP
machine and then taken the local administrators group access to the same
folder away. I want to ensure that local administrators cannot come along
and elevate their own privilleges by taking ownership.

The folder holds very sensitive data that adminis are not allowed to access
however they need local admin rights for some other reasons e.g. applying
patches and general admin. Is there another group on these desktops that can
be used for admin purposes like the Server Operators group for servers?

 

[Roger Abell [MVP]]

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
>I know this is a dumb question but i have to ask. Is there anyway I can
> restrict members of a XP desktops local administrator group from taking
> ownership of a folder. I have given a group access to a folder on a XP
> machine and then taken the local administrators group access to the same
> folder away. I want to ensure that local administrators cannot come along
> and elevate their own privilleges by taking ownership.
>
> The folder holds very sensitive data that adminis are not allowed to
> access
> however they need local admin rights for some other reasons e.g. applying
> patches and general admin. Is there another group on these desktops that
> can
> be used for admin purposes like the Server Operators group for servers?

That is not your solution. If the data is that sensitive and the admins are
not
sufficiently trusted, then find a different place to hold the data or use
rights
management, encryption, or some other means to protect the data.
You may remove the ability of members of the Administrators group to take
ownership, but it is all or none, not something you may selectively remove
for just the one folder. Anyway, removing that right would not prevent them
from getting at the data (consider the backup/restore route).

Roger

 

[Milo]

use cacls its built in in your Windows

For the commands:
technet.microsoft.com/en-us/library/bb490872.aspx

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
> I know this is a dumb question but i have to ask. Is there anyway I can
> restrict members of a XP desktops local administrator group from taking
> ownership of a folder. I have given a group access to a folder on a XP
> machine and then taken the local administrators group access to the same
> folder away. I want to ensure that local administrators cannot come along
> and elevate their own privilleges by taking ownership.
>
> The folder holds very sensitive data that adminis are not allowed to
> access
> however they need local admin rights for some other reasons e.g. applying
> patches and general admin. Is there another group on these desktops that
> can
> be used for admin purposes like the Server Operators group for servers?

 

[Gunna]

Roger,

I hear what your saying dont get me wrong. The problem isnt where the data
is held it's the data is generated on this machine. Backup and restore isnt
an issue as the data is not being backed up here. Suonds stupid I know. All
that matter is the data is generated by user who is authorised to log onto
the machine (these are the people who have access to the folder I want to
restrict from local admins), they run an app which generates some data and
then they grab that data and logoff. I need to be sure anyone in local admin
group cannot just take ownership and give themselves access to the folder and
therefore the app. And beofre you ask there is no access control built into
the app otherwise I would use that.

"Roger Abell [MVP]" wrote:

> "Gunna" <Gunna@discussions.microsoft.com> wrote in message
> news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
> >I know this is a dumb question but i have to ask. Is there anyway I can
> > restrict members of a XP desktops local administrator group from taking
> > ownership of a folder. I have given a group access to a folder on a XP
> > machine and then taken the local administrators group access to the same
> > folder away. I want to ensure that local administrators cannot come along
> > and elevate their own privilleges by taking ownership.
> >
> > The folder holds very sensitive data that adminis are not allowed to
> > access
> > however they need local admin rights for some other reasons e.g. applying
> > patches and general admin. Is there another group on these desktops that
> > can
> > be used for admin purposes like the Server Operators group for servers?
>
> That is not your solution. If the data is that sensitive and the admins are
> not
> sufficiently trusted, then find a different place to hold the data or use
> rights
> management, encryption, or some other means to protect the data.
> You may remove the ability of members of the Administrators group to take
> ownership, but it is all or none, not something you may selectively remove
> for just the one folder. Anyway, removing that right would not prevent them
> from getting at the data (consider the backup/restore route).
>
> Roger
>
>
>

 

[Roger Abell [MVP]]

My response is not changed.
If you could take away take ownership rights for only that folder (you
cannot) the admins could still use the ntbackup back app and then restore
the data somewhere else and look at it.
Your solution is in controlling to where the information is persisted when
it gets stored by the application. The filesystem alone will not meet the
needs you have defined.

Roger

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:A91CF94A-BA30-424E-A2A6-5BE66514B08E@microsoft.com...
> Roger,
>
> I hear what your saying dont get me wrong. The problem isnt where the
> data
> is held it's the data is generated on this machine. Backup and restore
> isnt
> an issue as the data is not being backed up here. Suonds stupid I know.
> All
> that matter is the data is generated by user who is authorised to log onto
> the machine (these are the people who have access to the folder I want to
> restrict from local admins), they run an app which generates some data and
> then they grab that data and logoff. I need to be sure anyone in local
> admin
> group cannot just take ownership and give themselves access to the folder
> and
> therefore the app. And beofre you ask there is no access control built
> into
> the app otherwise I would use that.
>
> "Roger Abell [MVP]" wrote:
>
>> "Gunna" <Gunna@discussions.microsoft.com> wrote in message
>> news:98395013-C538-40FF-9DF4-C4CA427B5C2F@microsoft.com...
>> >I know this is a dumb question but i have to ask. Is there anyway I can
>> > restrict members of a XP desktops local administrator group from taking
>> > ownership of a folder. I have given a group access to a folder on a XP
>> > machine and then taken the local administrators group access to the
>> > same
>> > folder away. I want to ensure that local administrators cannot come
>> > along
>> > and elevate their own privilleges by taking ownership.
>> >
>> > The folder holds very sensitive data that adminis are not allowed to
>> > access
>> > however they need local admin rights for some other reasons e.g.
>> > applying
>> > patches and general admin. Is there another group on these desktops
>> > that
>> > can
>> > be used for admin purposes like the Server Operators group for servers?
>>
>> That is not your solution. If the data is that sensitive and the admins
>> are
>> not
>> sufficiently trusted, then find a different place to hold the data or use
>> rights
>> management, encryption, or some other means to protect the data.
>> You may remove the ability of members of the Administrators group to take
>> ownership, but it is all or none, not something you may selectively
>> remove
>> for just the one folder. Anyway, removing that right would not prevent
>> them
>> from getting at the data (consider the backup/restore route).
>>
>> Roger
>>
>>
>>