Great Circle Associates Firewalls
(October 1996)

Subject: RE: NT Security
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Thu, 3 Oct 1996 17:15:57 -0400
To: "'firewalls @ GreatCircle . COM'" <firewalls @ GreatCircle . COM>, "'Petri Virkkula'" <pvirkkul @ iki . fi>

>	I think Backup rights are enough, no need to change ownership
>	etc.

Backup rights, membership in the Backup Operators group, Server
Operators Group, or anyone assigned explicitly the right to Backup Files
and Directories (and typically its sister right to Restore Files and
Directories) do not have the facility to Read, Write, Execute, Delete,
Change Permissions or Take Ownership of Files or Directories, outside
the use of a program which uses Backup or Restore functions specific to
NT (copying a file in a DOS window would not work for these users, for
example). The API calls to perform Backup or Restore operations register
events in the event log stating that such an action has been taken.
Obviously, the tape contains all the data and that could be read on
another system outside of the Domain very easily, but if the data was
restored into the same NT environment, it would still not be possible to
read the data as a member of the above mentioned groups.

Just because one is a member of the above mentioned groups does not
permit them access to directories or files through normal access methods
(i.e. File Manager, DOS, or Explorer in NT 4.0).

Obviously it's possible to programmatically simulate a backup program,
and while generating an event indicating the backup, have that program
display the contents of the data being backed up. Judicious granting of
the right, or membership in the above mentioned groups, therefore, is
extremely wise.

An often overlooked, and possibly more critical right, is the ability to
perform restore operations. Restoring a system to a pre-secure state (or
some previously secure state which the perpetrator has some knowledge
of) can be far more damaging than losing a current backup.

Cheers,
Russ
"any sufficiently advanced technology is indistinguishable from
magic"...Arthur C. Clarke
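As an added example (not part of the original post, and written for current Windows rather than NT 4.0), the following script audits the point Russ raises: who holds the Backup and Restore rights on a host, whether through membership in Backup Operators / Server Operators or through a direct user-rights assignment, and whether the event log records their use. It assumes an elevated session and that "Audit Sensitive Privilege Use" is enabled for the event check.

```powershell
# Added example: enumerate holders of SeBackupPrivilege / SeRestorePrivilege
# and recent audited use of those privileges. Run elevated.

# 1. Members of the built-in groups that carry the rights by default.
foreach ($g in 'Backup Operators', 'Server Operators') {
    try {
        $members = Get-LocalGroupMember -Group $g -ErrorAction Stop
        "$g : " + (($members | ForEach-Object { $_.Name }) -join ', ')
    } catch {
        # Server Operators exists only on domain controllers.
        "$g : group not present on this host"
    }
}

# 2. Direct assignments of the two privileges, exported with secedit.
#    Export lines look like: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
foreach ($priv in 'SeBackupPrivilege', 'SeRestorePrivilege') {
    $line = $lines | Where-Object { $_ -like "$priv*" }
    if (-not $line) { "$priv : not assigned"; continue }
    $sids = ($line -split '=', 2)[1].Trim() -split ','
    $names = foreach ($s in $sids) {
        $s = $s.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($s)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $s }   # leave unresolvable SIDs as-is
    }
    "$priv : " + ($names -join ', ')
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Audited use of the privileges in the last 24 hours (Security log,
#    4673 = privileged service called, 4674 = privileged object operation).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'SeBackupPrivilege|SeRestorePrivilege' } |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Accounts that appear in step 1 or 2 but are not the backup service account are the ones to review; step 3 is empty unless privilege-use auditing is turned on.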