|    alt.os.windows-xp    |    One of my personal favourites!    |    146,966 messages    |
|    Message 145,225 of 146,966    |
|    Lars Uffmann to Bruce Chambers    |
|    Re: Exactly how much control does a Wind    |
|    12 Jul 10 11:50:04    |
From: aral@nurfuerspam.de

Bruce Chambers wrote:
> There are multiple methods, some built into the OS, some provided by
> 3rd party vendors. You'll have to ask *your* domain which specific
> mechanism(s) *he/she* uses.

I am pretty sure they will say "none". Or even claim that they don't
have control over systems :) And even if they don't intend to access
clients, we have spies (according to our IT security department the
question is not IF but HOW MANY), and there is no reason to assume none
of them would have access to domain admin accounts.

> Perhaps, but I've no way of confirming that, have I?

Doesn't really matter though, for this topic.

> You'd also have to ensure that no one has physical access to the
> machine, as well. Without physical security, there is no security. It'd

I know. But it's a different thing if someone has to break into my
office, or can silently read out my computer's data over the network.

And even with my office doors unlocked (when I'm getting a coffee or
something), rebooting the computer and cracking passwords (or even
opening the case and removing the hard drive) takes definitely longer
and is more easily detected than logging on using a domain account and
simply accessing my data. And...

> File Encryption would stop an amateur from accessing your files, but
> only delay a professional.

...that is where TrueCrypt or the likes may come in useful. However I
disagree with you a little in the delaying part: If the encryption is
good (though I have no idea what kind of encryption quality can be
achieved without a huge performance impact), it would delay a
professional for a couple of years if not longer :)

>> That is not a really helpful answer.
>
> Nor was it intended to be. As a network administrator, myself, with
> a side specialty in computer/network security, I'm not going to
> knowingly assist an unknown individual compromise the security of some
> other administrator's network/domain.

I didn't ask for that kind of information, I asked for securing my
system against unwanted access. I guess you are aware that - if the
access is "authorized" and if the domain admins *tried* to access my
system - if I blocked them out successfully, they would surely notice
and get back to me about it... So I don't see an issue here.

However, I definitely disapprove of this "security by obscurity"
approach... By not openly discussing the means of corrupting/securing
any kind of System (and XP here), the people who benefit the most are
criminals that have a motivation to corrupt other people's systems...

If every computer in the whole wide world had a perfect firewall (no, I
don't mean physically cutting the network cable), that would be a severe
improvement of the current situation.

As for my situation here, I was looking for a mechanism that I can
*name* to our IT department and tell them "See? With *that* mechanism,
the active directory inclusion of all machines will give you FULL
CONTROL over each system, if you so wish." Because I know if that can be
proven, the topic will be discussed again - there are a lot of institute
IT managers here that disapprove of such a thing.

Best Regards & thanks for the info anyways!

Lars

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
(c) 1994, bbs@darkrealms.ca