Interesting challenge (for me at least)

Monty J. Harder mjharder at gmail.com
Thu Feb 25 13:11:51 CST 2010


That domain admin could reset the password for an account with access to the
share and gain entry anyway.  A domain admin with a security problem is
probably a compliance issue anyway.

On Thu, Feb 25, 2010 at 11:16 AM, Haworth, Michael A. <
Michael_Haworth at pas-technologies.com> wrote:

>  This is most likely pretty elementary, but I wanted to bounce it off of
> some people that know more than me and can point out any flaws in my very
> weary logic before I do a concept presentation to my bosses:
>
>
>
> I have a folder that has to be available on the network (currently Windows
> with AD), but *must* be protected from unauthorized access (including
> access by Domain Admins). Here is what I think a valid solution *could* be:
>
>
>
> 1.       Build up a CentOS box.
>
> 2.       Install and configure SAMBA to allow for sharing to windows
> computers.
>
> 3.       Create a SAMBA share for the required folder (and sort out
> auto-mount in case of a reboot).
>
> 4.       Create two accounts - one to allow for Read/Write access to the
> shared folder and one to allow for Read-only access.
>
> 5.       Issue the account credentials to the manager of the folder (in
> this case, our Export Compliance Officer) and then allow it to be that
> person's problem to manage who knows the credentials.
>
>
>
> I see this as a low stress, low cost, quick, and above all - easy - way to
> deal with a potential compliance issue. The reason that we cannot simply
> use Active Directory to restrict access is that one of our Domain Admins is
> a foreign national - if we were to place a 'deny access' on the folder, he
> could remove it if he wished - and getting rid of AD or Windows is not an
> option ATM, but it is still in process.
>
>
>
> Any help from the list is greatly appreciated,
>
> *Michael Haworth <michael_haworth at pas-technologies.com>*
>
> Enterprise Systems Support Manager
>
> *PAS Technologies Inc.*
>
> D: (816) 556-5157
>
> M: (816) 585-1033
>
> F: (816) 556-5189
>
>
>
>
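
An smb.conf for steps 2 to 4 of the quoted proposal, added here as an illustration and not part of either message. The share name, path, group and the two account names are hypothetical; the accounts are assumed to be local to the Samba host (a Unix user plus `smbpasswd -a` for each) rather than held in Active Directory.

```ini
# Added example; names and paths below are hypothetical.
[global]
    # Deliberately not the AD domain name: this host is not a domain member.
    workgroup = EXPORTCTL
    # Authenticate against this host's own account database, not a DC.
    security = user
    passdb backend = tdbsam
    # Never fall back to a guest session on a bad user name or password.
    map to guest = Never
    # Require SMB signing from clients.
    server signing = mandatory
    # Record connections so the folder's manager can review who connected.
    log level = 1
    log file = /var/log/samba/log.%m

[export]
    path = /srv/export
    browseable = no
    guest ok = no
    # Only these two local accounts may connect to the share at all.
    valid users = export_rw, export_ro
    # Read-only by default; export_rw alone is granted write access.
    read only = yes
    write list = export_rw
    # Files land in one group, with no access for "other" on the host itself.
    force group = exportctl
    create mask = 0660
    directory mask = 0770
```

Run `testparm` after editing to confirm the file parses. `/srv/export` itself must be owned by group `exportctl` with mode 0770, since Samba cannot grant more access than the filesystem permissions allow.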