
How to create a (very) limited access directory on a network

Network security expert Mike Chapple explains the best way to create a limited access directory, without giving network administrators the "keys to the kingdom."

I run a midsized company. Recently we created a limited access directory on our network where upper-level executives could share sensitive files (mostly related to payroll, employee files, etc.). The problem is that I don't want even the IT people who set up the directory and administered the entire network to have access. What methods or technologies should I consider?

This is a tough question. Generally speaking, system administrators have the proverbial "keys to the kingdom." They occupy sensitive positions of trust and can generally defeat any security controls that you put in place. After all, they sometimes need this capability to recover critical data or perform system maintenance.

I think the best option for the scenario you describe is to use a form of encryption that does not store the encryption keys in a manner where they are accessible to system administrators. If you're using Microsoft Office 2007, the easiest way to do this is to use Office's built-in encryption feature to password-protect your files. You'll need to share the password with other upper-level executives in an offline fashion. (Remember, if you email it, chances are the network administrator can read your email!)

Also, notice that I specifically said that this option applies only to those using Office 2007. This latest release of Microsoft Office uses the strong AES encryption algorithm to protect data. Earlier versions of Office use a much more primitive algorithm that is easy to defeat.
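
As an added example, not part of the original answer, the following Python script audits a shared folder to confirm that each file is actually stored as a password-encrypted Office 2007 package rather than as a plain or legacy-format file. It assumes the container layout Microsoft documents in MS-CFB and MS-OFFCRYPTO (an OLE compound file holding `EncryptionInfo` and `EncryptedPackage` streams); the function names and result labels are this example's own.

```python
import os
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # unencrypted OOXML is a plain ZIP
MAXREGSECT = 0xFFFFFFFA                        # highest ordinary sector number

def ole_entry_names(data):
    """Directory entry names of a compound file (FAT sectors listed in the header only)."""
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                           # 512- or 4096-byte sectors
        return set()
    sector_size, first_dir = 1 << shift, struct.unpack_from("<I", data, 48)[0]
    difat = struct.unpack_from("<109I", data, 76)      # where the FAT sectors live
    per_fat = sector_size // 4                         # chain entries per FAT sector
    def sector(n):                                     # sector 0 follows the header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]
    names, seen, sect = set(), set(), first_dir
    while sect <= MAXREGSECT and sect not in seen:     # walk the directory chain
        seen.add(sect)
        block = sector(sect)
        for off in range(0, len(block) - 127, 128):    # 128-byte directory entries
            name_len = struct.unpack_from("<H", block, off + 64)[0]
            if 2 <= name_len <= 64 and block[off + 66] != 0:   # type 0 = unused
                names.add(block[off:off + name_len - 2].decode("utf-16-le", "replace"))
        fat_index = sect // per_fat
        if fat_index >= 109 or difat[fat_index] > MAXREGSECT:
            break
        fat = sector(difat[fat_index]).ljust(sector_size, b"\xff")  # short read ends chain
        sect = struct.unpack_from("<I", fat, (sect % per_fat) * 4)[0]
    return names

def classify(data):
    """Label one file's bytes by container type (labels are this example's own)."""
    if data.startswith(ZIP_MAGIC):
        return "unencrypted-zip"
    if data.startswith(OLE_MAGIC) and len(data) >= 512:
        if {"EncryptionInfo", "EncryptedPackage"} <= ole_entry_names(data):
            return "encrypted-ooxml"
        return "legacy-ole"
    return "unknown"

def audit(root):
    report = {}                                        # path -> label for every file
    for folder, _dirs, files in os.walk(root):
        for name in files:
            with open(os.path.join(folder, name), "rb") as fh:
                report[os.path.join(folder, name)] = classify(fh.read())
    return report
```

Files labelled `unencrypted-zip` or `legacy-ole` are not stored in the password-encrypted Office 2007 package format. The check looks only at the container and does not read the cipher settings inside `EncryptionInfo`.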

This was last published in October 2008
