This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept presentation to my bosses:
I have a folder that has to be available on the network (currently Windows with AD), but must be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution could be:
1. Build up a CentOS box.
2. Install and configure SAMBA to allow for sharing to Windows computers.
3. Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot).
4. Create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access.
5. Issue the account credentials to the manager of the folder (in this case, our Export Compliance Officer) and then allow it to be that person's problem to manage who knows the credentials.
I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we cannot simply use Active Directory to restrict access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process.
Any help from the list is greatly appreciated,
Enterprise Systems Support Manager
PAS Technologies Inc.
D: (816) 556-5157
M: (816) 585-1033
F: (816) 556-5189
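
The share described in steps 2 to 4 of the post above, sketched as an `smb.conf` fragment. This is an added example, not part of the original post. The account names `export_rw` and `export_ro`, the Unix group `exportctl`, the path `/srv/export-controlled` and the share name `export` are hypothetical, and it assumes the CentOS box is not joined to the AD domain.

```ini
# Added example, not the poster's configuration.
# Hypothetical names: export_rw, export_ro, exportctl, /srv/export-controlled.

[global]
    # Standalone server: accounts live in Samba's local database, not in AD,
    # so domain group membership grants nothing on this box.
    server role = standalone server
    security = user
    passdb backend = tdbsam
    # Failed logins are rejected instead of being mapped to a guest session.
    map to guest = never
    # Refuse SMB1 clients.
    server min protocol = SMB2
    # Require encrypted sessions; clients must support SMB3 encryption.
    smb encrypt = required

[export]
    path = /srv/export-controlled
    guest ok = no
    # Do not list the share when the server is browsed.
    browseable = no
    # Only the two local accounts from step 4 may connect at all.
    valid users = export_rw export_ro
    # Read-only by default; the write list lifts that for export_rw only.
    read only = yes
    write list = export_rw
    # Assumption: both accounts belong to the Unix group exportctl, which
    # owns the directory, so export_ro can read what export_rw writes.
    force group = exportctl
    create mask = 0660
    directory mask = 0770
```

`testparm` validates the file before `smbd` is restarted, and `smbpasswd -a <account>` adds each local account to the Samba password database.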