How to Stop a System Administrator from Accessing Particular Resources

Hi guys,

I am planning for a scenario where one of my system administrators will not legally be allowed access to particular network resources. This needs to be considered from both a logical and a physical perspective. Despite him being an honest guy, I have to consider what he can do, not what he will do.

The resources might be a small file server. A handful of users will need to be able to access these resources on their regular PCs, but the access will need to be logged and they will not be able to copy files outside of this specific environment.

Only these specific users will be able to have IP connectivity to these resources. They will be able to access it from a number of places on-site, but other people should not be able to access it using the same ports.

The users will be able to use a publicly accessible printer.

The environment will also need to be backed up to tape. He will be able to change the tapes as they will be encrypted.

My general thoughts are along the following lines:

  • Build a new domain for these resources. Might set up a one-way trust, maybe not.
  • Use Citrix or RDP to allow a user to access the stuff
  • Environment on different box to regular gear
  • Environment goes into a different, locked rack. Tape drive can go into the regular rack.

The network is giving me a headache, though. On the surface it seems like a clean-cut case of a protected VLAN with 802.1X to govern access. This administrator has access to the switches in the field and core, so he could easily set his own port's native VLAN to the protected VLAN. Maybe an alternative is to sit the environment behind an internal firewall and VPN to it?

Thoughts? Is there a better (or less complex) way of doing this perhaps? Am I overlooking something?

Comments

  • This sounds like homework? Is it homework?

    • no.

  • +2

    Hire another system administrator to assess and modify network accordingly. Change passwords of all users/devices. Give the sysadmin 4 weeks notice (or whatever is in contract), and pay them out.

    • Heh, we'll get another unfair-termination-style post in a few days, lol. I can't sack him.

  • I feel like we're missing a bit of detail here: what is your position in this environment? The reason I'm asking is that you don't sound like a particularly technical kind of person, and a downfall is if you think you can out-think someone that's been hired to know his stuff. It could be dangerous if you throw yourself in the deep end here and aren't prepared/don't know enough tech to be able to support yourself.

    • I run it, and the sysadmin is my staff. I'm being a bit vague on purpose, and for the rest, it's mostly conceptual at the moment. Admittedly, though, I've never had to retrospectively lock a sysadmin out of specific stuff before, so here I am looking for some rough guidance on what works and what doesn't. Access to this stuff comes at a personal cost that will greatly impact his home life, so he's obviously not keen. I can't compel him, and, ongoing, the management of this special stuff isn't particularly onerous. It's not that I don't want him to find my secret pr0n collection on the file servers.

      • +1

        That's all good to hear; I was very scared you were a business owner trying to tinker a bunch too much and thinking you could keep anything locked out from a sysadmin in a system he manages.

        So, if you're the one that runs it all, the vagueness is fair enough; you shouldn't disclose any more information and can leave it there. In terms of the technology requirements behind it all, you've got the best idea of the situation since you have the full picture and what would work / what wouldn't work. (Though just confirming... you know encrypted backup tapes are made to be decrypted by whatever backup software you're using with them, right? The only thing here is if he doesn't have the password/access to the software.)

        Now for the "throw around random ideas for you" part.
        As for the actual environment you'd be setting up for the people that need it, I'd say you're maybe overcomplicating things with the networking side of it, as this part probably matters the least considering the guy has access to all the gear. For the TS setup: probably get it set up on its own VLAN with a port forward for the respective RDP port, and obviously don't join it to the main domain at any stage. This would get it separated from the rest of the network for file-copy purposes (i.e., it won't be able to push files to other devices). (You'd also want to lock down what the TS environment is allowed to grab from its remoting environment, i.e., just printers.)

        That should get the TS environment going, assuming you're in a Windows environment.
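The terminal-server lockdown sketched in the reply above, and the RDP/Citrix plan in the original post (separate domain, logged access, no file copy out, printers allowed), as an added PowerShell example. This is not code from the thread or from any of the posters; it assumes a Windows RDS host joined to the separate, untrusted domain, and uses hypothetical values for the allowed client addresses (10.20.30.11-13), the protected user group (RESTRICTED\ProtectedUsers) and the share path (D:\Protected). Run it in an elevated PowerShell on that host.

```powershell
# Added example, not from the original thread. Hardens an RDS host in its own
# domain so that network position alone does not grant access and sessions
# cannot carry files out. All names and addresses below are hypothetical.

$AllowedClients = @('10.20.30.11', '10.20.30.12', '10.20.30.13')  # constructed sample addresses
$ProtectedGroup = 'RESTRICTED\ProtectedUsers'                       # hypothetical group in the separate domain
$Share          = 'D:\Protected'                                    # hypothetical path of the protected share

# 1. Network, enforced on the host itself: replace the default RDP rules with
#    one that only accepts the listed clients. Re-tagging a switch port's VLAN
#    does not change this; an attacker would still need one of these addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from protected clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Any | Out-Null

# Network Level Authentication + TLS: the client must present valid credentials
# for THIS domain before a session is created. Someone with no account here
# gets nothing, regardless of where on the network he plugs in.
$WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $WinStation -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $WinStation -Name SecurityLayer       -Value 2 -Type DWord

# 2. Identity: only the protected group may log on over RDP.
$existing = Get-LocalGroupMember -Group 'Remote Desktop Users'
if ($existing) { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $existing }
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $ProtectedGroup

# 3. Session: disable every redirection channel that could move a file off the
#    box, but leave client printer redirection on (the users need the printer).
$TS = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $TS -Force | Out-Null
$sessionPolicy = @{
    fDisableClip     = 1   # clipboard redirection off (no copy/paste of file contents)
    fDisableCdm      = 1   # client drive redirection off (no \\tsclient\C)
    fDisableCcm      = 1   # COM port redirection off
    fDisableLPT      = 1   # LPT port redirection off
    fDisablePNPRedir = 1   # Plug and Play (USB storage) redirection off
    fDisableCpm      = 0   # client printer redirection stays ON
}
foreach ($entry in $sessionPolicy.GetEnumerator()) {
    Set-ItemProperty -Path $TS -Name $entry.Key -Value $entry.Value -Type DWord
}

# 4. Evidence: audit logons and file access. The auditpol settings only produce
#    events for objects that carry a SACL, so the share gets one too.
auditpol /set /subcategory:"Logon"       /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Logoff"      /success:enable                 | Out-Null
auditpol /set /subcategory:"File Share"  /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

$acl  = Get-Acl -Path $Share -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $ProtectedGroup, 'ReadData,WriteData,Delete',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Share -AclObject $acl
```

Two caveats for anyone copying this. The source-address filter in step 1 only raises the bar: someone who controls the switches can also give himself one of the allowed addresses, so the control that actually holds against him is steps 1b and 2 together, i.e. NLA against a domain in which he has no account, with no trust back to the domain he administers. And the audit events land in the Security log of this host, which he must also not be able to clear or administer; forwarding them off to a collector he cannot reach is the usual answer.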

  • Using TRIM/RM8 and install privileges/access?

    • As in the HP solution?

  • If you're going to use Citrix or RDS I don't see why you need to worry about the networking. Just lock down the server access. It seems to me like you pretty much have the solution there - you just need to deal with the admin permissions issues so things like another AD domain may be the right track unless you can lock down admin rights. Might be a little hard in an established/complex environment, but this article may help with thinking about the admin rights issues:

    https://technet.microsoft.com/en-us/windows-server-docs/iden…

    HTH
