steelie34
pub hero!
+603|6649|the land of bourbon
help me out... i need to access the root share of someone's file system across the network, to check for illegal software sharing.  before i go to their desk and basically take it over, i want to covertly see what i can find before accusing them of suspect illegal activities.  my problem is that i cannot connect to this user's c$ share.  it seems they have explicitly denied my admin account access to the c: drive.  i can still connect to their management console, and the registry, and the admin$ share, but that doesn't really do me much good.  i need the whole picture to see if i can find any naughty behavior.  since i have been denied access, thats pretty much a guilty answer, but since the person is somewhat knowledgeable of ntfs permissions, we need to be shady about this so they cant erase any evidence.  and dont tell me to send them a virus... im the net admin so i cant very well be sending viruses across the network.  what do ya think?

Last edited by steelie34 (2008-08-06 09:47:15)

jamiet757
Member
+138|6890
I don't know much about network stuff, but why not just go over to their desk when they leave for the day?
killer21
Because f*ck you that's why.
+400|6859|Reisterstown, MD

WinXP Pro?  How do your users log in i.e., user name password?  CAC enforced? 
steelie34
pub hero!
+603|6649|the land of bourbon

jamiet757 wrote:

I don't know much about network stuff, but why not just go over to their desk when they leave for the day?
he'll know if we log on to his computer when he leaves... we want to gather a case first...

killer21 wrote:

WinXP Pro?  How do your users log in i.e., user name password?  CAC enforced? 
yes winxp pro, with the standard ctl+alt+del logon.  domain user id and password.
killer21
Because f*ck you that's why.
+400|6859|Reisterstown, MD

The simple fact that he had to encrypt an entire drive or share should give you enough probable cause to search his pc doesn't it?  We allow encrypting of files but not an entire hdd.  There isn't much you can do other than wiping their machine but really defeats the purpose.  Legally, you won't be able to get into an encrypted share.  Illegally?  I know a lot about ntfs and trying to get through it is damn near impossible....legally. Perhaps there is another way...but I talked to a few other guys here and they all are in agreement that it is very hard to get through an encrypted folder/share/hard drive. 
steelie34
pub hero!
+603|6649|the land of bourbon

killer21 wrote:

The simple fact that he had to encrypt an entire drive or share should give you enough probable cause to search his pc doesn't it?  We allow encrypting of files but not an entire hdd.  There isn't much you can do other than wiping their machine but really defeats the purpose.  Legally, you won't be able to get into an encrypted share.  Illegally?  I know a lot about ntfs and trying to get through it is damn near impossible....legally. Perhaps there is another way...but I talked to a few other guys here and they all are in agreement that it is very hard to get through an encrypted folder/share/hard drive. 
he didnt encrypt it, afaik.  he has local admin rights to the machine, so he was able to add an NTFS permission entry to his c: drive that is denying me access to the root.  even though i am also a local admin, i cannot see the c drive because there is an explicit deny permission set, which takes precedence over the allow permission.  and doing anything locally to his machine would tip him off, thats why i want to do it over the network.  if i was able to get in, and also found an encrypted portion of his drive, then that would be a whole 'nother ball game...
De_Jappe
Triarii
+432|6795|Belgium

Now IF you find something over the network, Then find that he's doing something bad and fire him.
Isn't he able to sue you then for illegitimately obtained proof?

Anyway, a few things I should think of are:
-Can't you log in as his account, as network-manager?
-Can't you sniff his packets over the network? Even if it's encrypted if you notice too many packets being sent, should be suspicious enough about software sharing.
-Log in with a live cd when he's away, browse the harddisk with that.

Those are alternatives, I just don't get how a local would be able to set permissions so the root can't change it but he can. Root should be able to change permissions any time, that's why it's the root.

If all else fails, confiscate his computer and give him a temp new one.
VicktorVauhn
Member
+319|6660|Southern California
It's kinda hard for anyone here to make suggestions not knowing what power you have over this guy, and the legal rights he has to the privacy of his machine. If he has none, walk up and tell him you need to check his computer.

If he does have the right to privacy, and you hack your way in and check it anyways... what good does that do? You're gonna bust him with illegal activities you found after illegally gaining access to his computer?
jsnipy
...
+3,277|6790|...

If you have been explicitly denied, and you have access to the management console make a new account and add it to admin.

Last edited by jsnipy (2008-08-06 19:34:13)

Catbox
forgiveness
+505|6984
this sounds a little fishy... no offense...
If he works for a company... he's using company equipment right?
What does the head of the company say about this?
Love is the answer
jsnipy
...
+3,277|6790|...

[TUF]Catbox wrote:

this sounds a little fishy... no offense...
If he works for a company... he's using company equipment right?
What does the head of the company say about this?
Well, the politics is his affair, he is asking how to do it technically.

@OP ...
Can you take ownership using xcacls?

Last edited by jsnipy (2008-08-06 19:39:49)

steelie34
pub hero!
+603|6649|the land of bourbon

De_Jappe wrote:

Now IF you find something over the network, Then find that he's doing something bad and fire him.
Isn't he able to sue you then for illegitimately obtained proof?

Anyway, a few things I should think of are:
-Can't you log in as his account, as network-manager?
-Can't you sniff his packets over the network? Even if it's encrypted if you notice too many packets being sent, should be suspicious enough about software sharing.
-Log in with a live cd when he's away, browse the harddisk with that.

Those are alternatives, I just don't get how a local would be able to set permissions so the root can't change it but he can. Root should be able to change permissions any time, that's why it's the root.

If all else fails, confiscate his computer and give him a temp new one.
we've sniffed his packets, thats why we think he's up to something...

i dont know his password (and have no way of finding out unless i ask him) so i cant use his account.

the live CD is a good idea, i just need to make sure hes not going to be around or log on remotely.

as long as he has local admin rights, he can set the permissions on his local drives any way he sees fit.  he basically has the root account to his computer, and he has denied my network admin account from accessing his c drive root.  that isnt really enough to say hes breaking policy, because he deals with confidential company data, so i'd rather him be strict with file permissions.

the reason we are being so sketchy is because he is an IT person, so we need to make sure this guy doesnt do anything malicious to the network should we accuse him of any wrongdoing.  its a bad situation if we accuse him, and he isnt doing anything wrong.  he will then have a serious grudge against us which is not good should he decide to quit someday. 

VicktorVauhn wrote:

It's kinda hard for anyone here to make suggestions not knowing what power you have over this guy, and the legal rights he has to the privacy of his machine. If he has none, walk up and tell him you need to check his computer.

If he does have the right to privacy, and you hack your way in and check it anyways... what good does that do? You're gonna bust him with illegal activities you found after illegally gaining access to his computer?
he has no expectation of privacy.  its a company owned computer so we can do whatever we want.  but we certainly dont want to wrongfully accuse someone though because of the negative fallout.  see my double edged sword...   there are too many horror stories of disgruntled IT people wrecking the network when they get fired, so we have to be very careful with our investigation.

jsnipy wrote:

If you have been explicitly denied, and you have access to the management console make a new account and add it to admin.
score... sounds like a winner, except the group policy restricts which accounts can access the machine over the network.  not saying it would be hard to do, just time consuming, and perhaps noticeable to my target... a good idea nonetheless, especially if he doesnt really pay attention to any policy changes.

jsnipy wrote:

[TUF]Catbox wrote:

this sounds a little fishy... no offense...
If he works for a company... he's using company equipment right?
What does the head of the company say about this?
Well, the politics is his affair, he is asking how to do it technically.

@OP ...
Can you take ownership using xcacls?
exactly, we want to be delicate in our handling of the matter.  you dont walk up to a ten year employee and say "what the fuck are you doing" without having some damaging evidence that will prevent a wrongful termination lawsuit.

i cant get the cacls to work because every account i've tried is denied access.  i can make a new share on his machine if i specify an explicit path other than the c: drive, so he obviously has some folder on there he doesnt want us to see.  very tricky...
Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)
Erm, if you really are a net admin, why the fuck are you asking us? You should know this stuff. Or even have the authority to walk on up to them and tell them "I need to use your PC".

So, come on, fess up, whose PC you trying to hack?

(and, yes, I read the thread, I still don't buy it)

Last edited by Scorpion0x17 (2008-08-06 20:02:56)

steelie34
pub hero!
+603|6649|the land of bourbon

Scorpion0x17 wrote:

Erm, if you really are a net admin, why the fuck are you asking us? You should know this stuff. Or even have the authority to walk on up to them and tell them "I need to use your PC".

So, come on, fess up, whose PC you trying to hack?
lol i probably would think the same thing if i saw someone post this...  but seriously its not as easy as you think to do something like this without tipping him off.  remotely resetting permissions will be a dead giveaway, because he will see he is no longer the owner of the files and the permissions will have been changed.   

sure we can confiscate his computer and tell him to fuck off, but like i said, he holds an awful lot of confidential data on his system.  hes a database administrator with responsibility for a large, real-time database backend that forms the core of several departments.  he could easily "accidentally" lose, destroy, or give this data to someone else, blame it on gremlins, and quit.  there is nothing like a disgruntled IT person who can fuck you over in a second.

Last edited by steelie34 (2008-08-06 20:04:16)

Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)

steelie34 wrote:

Scorpion0x17 wrote:

Erm, if you really are a net admin, why the fuck are you asking us? You should know this stuff. Or even have the authority to walk on up to them and tell them "I need to use your PC".

So, come on, fess up, whose PC you trying to hack?
lol i probably would think the same thing if i saw someone post this...  but seriously its not as easy as you think to do something like this without tipping him off.  remotely resetting permissions will be a dead giveaway, because he will see he is no longer the owner of the files and the permissions will have been changed.   

sure we can confiscate his computer and tell him to fuck off, but like i said, he holds an awful lot of confidential data on his system.  hes a database administrator with responsibility for a large, real-time database backend that forms the core of several departments.  he could easily "accidentally" lose, destroy, or give this data to someone else, blame it on gremlins, and quit.  there is nothing like a disgruntled IT person who can fuck you over in a second.
If it was me, in his position, and I was not guilty I would accept it. If the situation was explained to me.

Going behind his back and trying to find some sneaky way of accessing his PC is the worst thing to do - it shows no trust in someone the company should, from the sound of it, trust.

In fact, if I were him, and not guilty, and you were to sneakily spy on me, then I'd be about 100000000 times more likely to do the things you fear he'll do.
steelie34
pub hero!
+603|6649|the land of bourbon

Scorpion0x17 wrote:

steelie34 wrote:

Scorpion0x17 wrote:

Erm, if you really are a net admin, why the fuck are you asking us? You should know this stuff. Or even have the authority to walk on up to them and tell them "I need to use your PC".

So, come on, fess up, whose PC you trying to hack?
lol i probably would think the same thing if i saw someone post this...  but seriously its not as easy as you think to do something like this without tipping him off.  remotely resetting permissions will be a dead giveaway, because he will see he is no longer the owner of the files and the permissions will have been changed.   

sure we can confiscate his computer and tell him to fuck off, but like i said, he holds an awful lot of confidential data on his system.  hes a database administrator with responsibility for a large, real-time database backend that forms the core of several departments.  he could easily "accidentally" lose, destroy, or give this data to someone else, blame it on gremlins, and quit.  there is nothing like a disgruntled IT person who can fuck you over in a second.
If it was me, in his position, and I was not guilty I would accept it. If the situation was explained to me.

Going behind his back and trying to find some sneaky way of accessing his PC is the worst thing to do - it shows no trust in someone the company should, from the sound of it, trust.

In fact, if I were him, and not guilty, and you were to sneakily spy on me, then I'd be about 100000000 times more likely to do the things you fear he'll do.
all ill say is that there is an abnormal amount of data being broadcast to and from his system, pretty much indicates he is using a torrent client or otherwise.  this is strictly against corporate policy, and is grounds for termination. 

trust?  corporations trust no one, not even their own employees... which they probably trust less than their competitors.  he is being paid to do a job... his job is sensitive, but he is not immune to the policy.  because he has access to very sensitive information, we have to be absolutely certain we are correct before we take action.
Catbox
forgiveness
+505|6984
This guy is allowed to block access to a work computer and nobody has the authority to tell him not to?  Is he Jack Bauer...lol?
Why can't you tell the boss about this and have him confront the guy about his inappropriate use of a company computer...?

What other part of the story is missing?   Is this a personal issue with you and him?


"all ill say is that there is an abnormal amount of data being broadcast to and from his system, pretty much indicates he is using a torrent client or otherwise.  this is strictly against corporate policy, and is grounds for termination.  "

Last edited by [TUF]Catbox (2008-08-06 20:20:24)

Love is the answer
Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)

steelie34 wrote:

Scorpion0x17 wrote:

steelie34 wrote:

lol i probably would think the same thing if i saw someone post this...  but seriously its not as easy as you think to do something like this without tipping him off.  remotely resetting permissions will be a dead giveaway, because he will see he is no longer the owner of the files and the permissions will have been changed.   

sure we can confiscate his computer and tell him to fuck off, but like i said, he holds an awful lot of confidential data on his system.  hes a database administrator with responsibility for a large, real-time database backend that forms the core of several departments.  he could easily "accidentally" lose, destroy, or give this data to someone else, blame it on gremlins, and quit.  there is nothing like a disgruntled IT person who can fuck you over in a second.
If it was me, in his position, and I was not guilty I would accept it. If the situation was explained to me.

Going behind his back and trying to find some sneaky way of accessing his PC is the worst thing to do - it shows no trust in someone the company should, from the sound of it, trust.

In fact, if I were him, and not guilty, and you were to sneakily spy on me, then I'd be about 100000000 times more likely to do the things you fear he'll do.
all ill say is that there is an abnormal amount of data being broadcast to and from his system, pretty much indicates he is using a torrent client or otherwise.  this is strictly against corporate policy, and is grounds for termination. 

trust?  corporations trust no one, not even their own employees... which they probably trust less than their competitors.  he is being paid to do a job... his job is sensitive, but he is not immune to the policy.  because he has access to very sensitive information, we have to be absolutely certain we are correct before we take action.
This is getting sidetracked now, and ain't helping you, but, I've gotta say this - this corporate attitude, imo, is exactly why some people do take the piss and do things like running torrent clients.

The company puts the guy in position of great responsibility, probably pays him a huge wage, and then says "Oh, by the way, we don't trust you as far as we could throw you, so we're going to spy on you".

Like I said, if it was me in his shoes, and then I found out what you're trying to do, I'd fuck the company over so bad they'd never recover from it.

But, if my boss took me to one side and said summat like "we've been monitoring the network and have spotted some anomalous traffic coming from your PC, so we want to check it out" I'd be like "yeah, ok, no problem".

Innocent or not.

Like Catbox, the fact that you/the company isn't being up-front with him makes me think there's something you're not telling us.

Last edited by Scorpion0x17 (2008-08-06 20:25:52)

steelie34
pub hero!
+603|6649|the land of bourbon

[TUF]Catbox wrote:

This guy is allowed to block access to a work computer and nobody has the authority to tell him not to?  Is he Jack Bauer...lol?
Why can't you tell the boss about this and have him confront the guy about his inappropriate use of a company computer...?

What other part of the story is missing?   Is this a personal issue with you and him?
look, i dont know if any of you have ever worked in IT in a windows environment, but what he did is not exactly hard, or bad.  a lot of IT people restrict access to their computers.  we think, however, he might be doing something against policy, so my boss told me to discreetly find out if the guy is using his computer inappropriately.  and ffs discreetly means not telling the guy we are checking out his shit, so all the traditional methods are out the window, and im doing what i can to find out how best to go about this.  im just looking for some outside the box thinking...
Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)

steelie34 wrote:

[TUF]Catbox wrote:

This guy is allowed to block access to a work computer and nobody has the authority to tell him not to?  Is he Jack Bauer...lol?
Why can't you tell the boss about this and have him confront the guy about his inappropriate use of a company computer...?

What other part of the story is missing?   Is this a personal issue with you and him?
look, i dont know if any of you have ever worked in IT in a windows environment, but what he did is not exactly hard, or bad.  a lot of IT people restrict access to their computers.  we think, however, he might be doing something against policy, so my boss told me to discreetly find out if the guy is using his computer inappropriately.  and ffs discreetly means not telling the guy we are checking out his shit, so all the traditional methods are out the window, and im doing what i can to find out how best to go about this.  im just looking for some outside the box thinking...
And we're thinking outside the box labelled "I'm telling the truth".

Tell your boss to go through official channels if he suspects something.
steelie34
pub hero!
+603|6649|the land of bourbon

Scorpion0x17 wrote:

Like I said, if it was me in his shoes, and then I found out what you're trying to do, I'd fuck the company over so bad they'd never recover from it.
this is what we're afraid of...

Scorpion0x17 wrote:

But, if my boss took me to one side and said summat like "we've been monitoring the network and have spotted some anomalous traffic coming from your PC, so we want to check it out" I'd be like "yeah, ok, no problem".

Innocent or not.

Like Catbox, the fact that you/the company isn't being up-front with him makes me think there's something you're not telling us.
hey im just doing what im told... how they want to handle this situation is up to them, not me.  but then again i know the guy, and hes one of those real paranoid types who would probably flip out if they said they were watching his traffic...  i think the management basically knows hes been breaking policy, now they just want evidence so he cant come back with a lawsuit.  he knows what he's doing computer-wise, so there wouldn't be anomalous traffic unless he was being bad.  "pulling him aside" is moot at this point.

Scorpion0x17 wrote:

Tell your boss to go through official channels if he suspects something.
official channels?  my boss is the official channel.  i dont see why you're so concerned about this guy.  this kind of shit happens every day in offices all over the place.  he's breaking policy, so management wants evidence so they can cleanly fire him.  have you ever worked in a corporate environment before?  management routinely monitors employees' work habits without their knowledge.  this is nothing new...

Last edited by steelie34 (2008-08-06 20:36:45)

Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)

steelie34 wrote:

Scorpion0x17 wrote:

Like I said, if it was me in his shoes, and then I found out what you're trying to do, I'd fuck the company over so bad they'd never recover from it.
this is what we're afraid of...
SHEESH! (and, I know, if you are telling the truth (and I must admit I'm flipping between believing you and not), you're just following orders, so I'm saying this more to the company you work for than to you) THEN DON'T SPY ON HIM! Is that so fucking hard to understand???

steelie34 wrote:

Scorpion0x17 wrote:

But, if my boss took me to one side and said summat like "we've been monitoring the network and have spotted some anomalous traffic coming from your PC, so we want to check it out" I'd be like "yeah, ok, no problem".

Innocent or not.

Like Catbox, the fact that you/the company isn't being up-front with him makes me think there's something you're not telling us.
hey im just doing what im told... how they want to handle this situation is up to them, not me.  but then again i know the guy, and hes one of those real paranoid types who would probably flip out if they said they were watching his traffic...  i think the management basically knows hes been breaking policy, now they just want evidence so he cant come back with a lawsuit.  he knows what he's doing computer-wise, so there wouldn't be anomalous traffic unless he was being bad.  "pulling him aside" is moot at this point.
He's paranoid???



God, this reminds me why I'm becoming self-employed.

steelie34 wrote:

Scorpion0x17 wrote:

Tell your boss to go through official channels if he suspects something.
official channels?  my boss is the official channel.  i dont see why you're so concerned about this guy.  this kind of shit happens every day in offices all over the place.  he's breaking policy, so management wants evidence so they can cleanly fire him.  have you ever worked in a corporate environment before?  management routinely monitors employees' work habits without their knowledge.  this is nothing new...
Yeah, and it's a vicious circle - the corp doesn't trust their employees, so the employees have no loyalty to the corp, so the corp doesn't trust their employees, so... etc...

Oh, and maybe I'm him, you thought of that?

Last edited by Scorpion0x17 (2008-08-06 20:42:25)

steelie34
pub hero!
+603|6649|the land of bourbon

Scorpion0x17 wrote:

SHEESH! (and, I know, if you are telling the truth (and I must admit I'm flipping between believing you and not), you're just following orders, so I'm saying this more to the company you work for than to you) THEN DON'T SPY ON HIM! Is that so fucking hard to understand???
companies have every right to spy on their employees, regardless of whether they suspect him or not.  they are paying him, working for them is a privilege, not a right.  he breaks policy, he should expect to get fired.

Scorpion0x17 wrote:

He's paranoid???

God, this reminds me why I'm becoming self-employed.
he has no reason to be paranoid if he's not doing anything wrong.  i cant speak for the company, but i do agree with their actions regarding the situation.  do i think its ethical?  maybe not, but then again, i dont do anything that breaks rules so i really dont have to worry about it.
steelie34
pub hero!
+603|6649|the land of bourbon

Scorpion0x17 wrote:

Oh, and maybe I'm him, you thought of that?


for a minute there when i read your last reply, i was like "oh shit, this is probably the dude."

so if you're a 55 year-old star trek geek who has 5 cats and pictures of them in your cubicle, just ignore the fact that i was the last user to log on to your computer.
Scorpion0x17
can detect anyone's visible post count...
+691|7034|Cambridge (UK)

steelie34 wrote:

Scorpion0x17 wrote:

SHEESH! (and, I know, if you are telling the truth (and I must admit I'm flipping between believing you and not), you're just following orders, so I'm saying this more to the company you work for than to you) THEN DON'T SPY ON HIM! Is that so fucking hard to understand???
companies have every right to spy on their employees, regardless of whether they suspect him or not.  they are paying him, working for them is a privilege, not a right.  he breaks policy, he should expect to get fired.
I see it totally the other way round - the company is privileged to have employees - that's why they get paid - no employees, no company.

steelie34 wrote:

Scorpion0x17 wrote:

He's paranoid???

God, this reminds me why I'm becoming self-employed.
he has no reason to be paranoid if he's not doing anything wrong.  i cant speak for the company, but i do agree with their actions regarding the situation.  do i think its ethical?  maybe not, but then again, i dont do anything that breaks rules so i really dont have to worry about it.
Yes you do. Never phoned home from work? Never spent five minutes more than your allotted 1/5hr for lunch? Never taken office stationery home with you?

imo, a good employer respects and trusts their employees and vice versa - part of that mutual trust and respect comes from being up-front and honest whenever any breach is suspected.

The company could just send him home, on full pay, pending an investigation - that's the decent way to handle it.

Last edited by Scorpion0x17 (2008-08-06 20:51:05)
