Tue, Aug 30 2005 19:30
Do Domain Admins have to have access to EVERYTHING?
From the mailbag today comes a question about SharePoint security...
We discovered that a domain administrator has access to all SharePoint sites created on an SBS server. The issue here is when the execs in the company want to create a site to discuss business, financials, HR, etc., they probably need a domain admin to set it up. That is obviously a problem if the domain admin or anyone in the domain admins group has access to such sensitive information. I've not had a chance to look closely, but would this happen if the domain admins group had Administrator access to SQL and the SharePoint site was SQL based? Any insight is appreciated.
Knowing that Chad Gross wrote the SharePoint chapter in SBS Unleashed, which does indeed talk about changing some of SharePoint's default permissions to 'tighten' them up a bit, I also ran the question by him... and he said:
[Captain Obvious mode]
Well, domain admins have access to everything, so if you can't trust your domain admins, time to start looking for a replacement.
[/Captain Obvious mode]
He went on to say that he saw this as an HR issue, not a technology issue; that you could have the same issue with Excel spreadsheets in a shared folder; that admin is GOD.
It reminded me of the blog post/article by Steve Riley, which drives home the same thought... this isn't a technology problem... it's an HR problem here. One that you need policies in place for, not tweaking ACLs.
So... the answer is... no... you are going to have to put policies in place so you 'can' trust that Admin.