<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="Section1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D">I can agree on the potential headache, but the guidelines that we are having to follow as well as the statement of 'no-action' are somewhat conflicting, stating
that generalities are acceptable but specifics are required and many other brain twisters. Slight of hiring another person (or contractor), I am basically left with my own facilities to deal with it. I plan to create the server and enable SNMP for monitoring
and then hand over management of the account structure to the Export Compliant Officer. If I do it correctly, the only things that I will need to maintain are the OS patches and the hardware, she will be free to handle the credentials as she chooses. On paper
it sounds like a stroke of genius, but good ideas are sometimes the beginning of folly...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";
color:black"><a href="mailto:michael_haworth@pas-technologies.com">Michael Haworth</a></span></b><b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif";
color:navy"><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";
color:navy">ESSM - PAS Technologies Inc.</span></b><span style="font-family:
"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";
color:black">D: (816) 556-5157</span><span style="font-size:10.0pt;font-family:
"Courier New";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";
color:black">M: (816) 585-1033</span><span style="font-family:"Courier New";
color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Nathan Cerny [mailto:ncerny@gmail.com]
<br>
<b>Sent:</b> Thursday, February 25, 2010 1:20 PM<br>
<b>To:</b> Monty J. Harder<br>
<b>Cc:</b> Haworth, Michael A.; KCLUG (E-mail)<br>
<b>Subject:</b> Re: Interesting challenge (for me at least)<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any time you have a "shared" set of credentials, it's a bad idea.<o:p></o:p></p>
<div>
<p class="MsoNormal">I think you're going to end up managing two separate credential stores to make something like this work...<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Thu, Feb 25, 2010 at 1:11 PM, Monty J. Harder <<a href="mailto:mjharder@gmail.com">mjharder@gmail.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">That domain admin could reset the password for an account with access to the share and gain entry anyway. A domain admin with a security problem is probably a compliance issue anyway.<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Thu, Feb 25, 2010 at 11:16 AM, Haworth, Michael A. <<a href="mailto:Michael_Haworth@pas-technologies.com" target="_blank">Michael_Haworth@pas-technologies.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in">
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept
presentation to my bosses:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I have a folder that has to be available on the network (currently Windows with AD), but
<b>must</b> be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution
<i>could</i> be:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p>1.<span style="font-size:7.0pt"> </span>Build up a CentOS box.<o:p></o:p></p>
<p>2.<span style="font-size:7.0pt"> </span>Install and configure SAMBA to allow for sharing to windows computers.<o:p></o:p></p>
<p>3.<span style="font-size:7.0pt"> </span>Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot).<o:p></o:p></p>
<p>4.<span style="font-size:7.0pt"> </span>create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access<o:p></o:p></p>
<p>5.<span style="font-size:7.0pt"> </span>Issue the account credentials to the manager of the folder (in this case, out Export Compliance Officer) and then allow it to be that persons problem to manage who knows the credentials.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we can not simply use Active Directory to restrict
access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Any help from the list is greatly appreciated,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;color:black"><a href="mailto:michael_haworth@pas-technologies.com" target="_blank">Michael Haworth</a></span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;color:black">Enterprise Systems Support Manager</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="color:navy">PAS Technologies Inc.</span></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Courier New";color:black">D: (816) 556-5157</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Courier New";color:black">M: (816) 585-1033</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:10.0pt;font-family:"Courier New";color:black">F: (816) 556-5189</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal"><span style="font-size:7.5pt;font-family:"Verdana","sans-serif";
color:gray">CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade
secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please
contact the sender by reply email and destroy all copies of the original message.</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
KCLUG mailing list<br>
<a href="mailto:KCLUG@kclug.org" target="_blank">KCLUG@kclug.org</a><br>
<a href="http://kclug.org/mailman/listinfo/kclug" target="_blank">http://kclug.org/mailman/listinfo/kclug</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br>
_______________________________________________<br>
KCLUG mailing list<br>
<a href="mailto:KCLUG@kclug.org">KCLUG@kclug.org</a><br>
<a href="http://kclug.org/mailman/listinfo/kclug" target="_blank">http://kclug.org/mailman/listinfo/kclug</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<br>
-- <br>
Nathan Cerny<br>
<br>
-------------------------------------------------------------------------------<br>
-------------------------------------------------------------------------------<o:p></o:p></p>
</div>
</div>
<br>
<hr>
<font face="Verdana" color="Gray" size="1">CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies
of the original message.<br>
</font>
</body>
</html>