Do Domain Admins have to have access to EVERYTHING? - THE OFFICIAL BLOG OF THE SBS DIVA
Tue, Aug 30 2005 19:30 bradley

Do Domain Admins have to have access to EVERYTHING?

From the mailbag today comes a question about Sharepoint security....

We discovered that a domain administrator has access to all SharePoint sites created on an SBS server.  The issue here is when the execs in the company want to create a site to discuss business, financials, HR, etc., they probably need a domain admin to set it up.  That is obviously a problem if the domain admin or anyone in the Domain Admins group has access to such sensitive information.  I've not had a chance to look closely, but would this happen if the Domain Admins group had Administrator access to SQL and the SharePoint site was SQL-based?  Any insight is appreciated.

Knowing that Chad Gross wrote the SharePoint chapter in SBS Unleashed, which does indeed talk about changing some of SharePoint's default permissions to 'tighten' them up a bit, I ran the question by him as well, and he said:

[Captain Obvious mode]

Well domain admins have access to everything, so if you can't trust your domain admins, time to start looking for a replacement.

[/Captain Obvious mode]

He went on to say that he saw this as an HR issue, not a technology issue: you could have the same issue with Excel spreadsheets in a shared folder.  The admin is GOD.

It reminded me of the blog post/article by Steve Riley which drives home the same thought: this isn't a technology problem, it's an HR problem, one that you need policies in place for, not ACL tweaking.

So... the answer is no, there is no ACL fix for this: you are going to have to put policies in place so that you 'can' trust that admin.


# re: Do Domain Admins have to have access to EVERYTHING?

Tuesday, August 30, 2005 10:24 PM by bradley

I get that question AAAAAAAALLLLLL the time.

But Vlad, can't you read my email?

Yes. I can. And oh my god, do I ever! I can't wait to get to my Outlook in the morning and review what's new and interesting in EACH AND EVERY ONE OF MY 23,000 CUSTOMERS' mailboxes.

Sarcasm aside, this is not just an HR issue but also a management issue. If your IT workers are so poorly managed that they have spare time to kill by browsing company SharePoint or Exchange mailboxes then you should have some spare room in your budget as you read this post. You need an audit policy but more importantly you need to let your IT people know that there is an audit policy. That there is an anti-pornography policy. That there is a don't-be-an-idiot policy. That there is PUNISHMENT involved. If the only deterrent to hacking is "you might get fired" then what is there to stop information theft by a disgruntled employee who is getting ready to walk?

If employees are aware of what is allowed and what is not allowed, including what is being audited, they will be less likely to do stupid things. I've never talked to a rogue admin on IRC who was trying to hack around the company security systems... it's usually more along the lines of "I can do this, there is absolutely nothing in place."

Having nothing in place is the problem here, not the design of the system.
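The post and the comment above make two practical points: the real trust boundary is the membership of Domain Admins (nested groups included), and a policy is only enforceable if the access it governs is actually audited. The following is an added example, not code from the original post, the comment, or SBS Unleashed; it targets a modern domain-joined Windows Server with the ActiveDirectory module (RSAT) and auditpol, which SBS 2003 as discussed on the page did not have. It covers the "Excel spreadsheets in a shared folder" case from the post via Security event ID 5140 (network share accessed); the one-day lookback window and the user-only filter are choices made here, not anything the page specifies.

```powershell
# Added example, not from the original post. Assumes: domain-joined
# Windows Server 2008 R2 or later, the ActiveDirectory (RSAT) module,
# and an account permitted to run auditpol and read the Security log.
Import-Module ActiveDirectory

# 1. Who really has "access to everything"? Expand Domain Admins
#    recursively so members hidden behind nested groups are listed.
#    An unexpected name here is the HR/management problem the post
#    describes, and no ACL change fixes it.
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate
$admins | Format-Table -AutoSize

# 2. Give the audit policy teeth: without the File Share subcategories
#    enabled, an admin reading a share leaves no trace at all.
auditpol /set /subcategory:"File Share" /success:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable
auditpol /get /category:"Object Access"

# 3. Pull the last day of share-access events (ID 5140) and keep only
#    those performed by a Domain Admin. The lookback window is an
#    assumption of this example.
$adminNames = $admins.SamAccountName
$filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $data['SubjectUserName']
            Share  = $data['ShareName']
            Client = $data['IpAddress']
        }
    } |
    Where-Object { $adminNames -contains $_.User } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the file server (or a domain controller that hosts the shares). Step 1 is the list you hand to management; steps 2 and 3 are what turn "we have an audit policy" from a statement into something that can be checked, which is the deterrent the comment argues for.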