Interesting challenge (for me at least)

Nathan Cerny ncerny at gmail.com
Thu Feb 25 13:19:53 CST 2010


Any time you have a "shared" set of credentials, it's a bad idea.
I think you're going to end up managing two separate credential stores to
make something like this work...


On Thu, Feb 25, 2010 at 1:11 PM, Monty J. Harder <mjharder at gmail.com> wrote:

> That domain admin could reset the password for an account with access to
> the share and gain entry anyway.  A domain admin with a security problem is
> probably a compliance issue anyway.
>
> On Thu, Feb 25, 2010 at 11:16 AM, Haworth, Michael A. <
> Michael_Haworth at pas-technologies.com> wrote:
>
>> This is most likely pretty elementary, but I wanted to bounce it off of
>> some people that know more than me and can point out any flaws in my very
>> weary logic before I do a concept presentation to my bosses:
>>
>>
>>
>> I have a folder that has to be available on the network (currently Windows
>> with AD), but *must* be protected from unauthorized access (including
>> access by Domain Admins). Here is what I think a valid solution *could* be:
>>
>>
>>
>> 1. Build up a CentOS box.
>>
>> 2. Install and configure SAMBA to allow for sharing to Windows
>> computers.
>>
>> 3. Create a SAMBA share for the required folder (and sort out
>> auto-mount in case of a reboot).
>>
>> 4. Create two accounts - one to allow for Read/Write access to the
>> shared folder and one to allow for Read-only access.
>>
>> 5. Issue the account credentials to the manager of the folder (in
>> this case, our Export Compliance Officer) and then allow it to be that
>> person's problem to manage who knows the credentials.
>>
>>
>>
>> I see this as a low stress, low cost, quick, and above all - easy - way to
>> deal with a potential compliance issue. The reason that we can not simply
>> use Active Directory to restrict access is that one of our Domain Admins is
>> a foreign national - if we were to place a 'deny access' on the folder, he
>> could remove it if he wished - and getting rid of AD or Windows is not an
>> option ATM, but it is still in process.
>>
>>
>>
>> Any help from the list is greatly appreciated,
>>
>> *Michael Haworth <michael_haworth at pas-technologies.com>*
>>
>> Enterprise Systems Support Manager
>>
>> *PAS Technologies Inc.*
>>
>> D: (816) 556-5157
>>
>> M: (816) 585-1033
>>
>> F: (816) 556-5189
>>
>>
>>
>>
>> _______________________________________________
>> KCLUG mailing list
>> KCLUG at kclug.org
>> http://kclug.org/mailman/listinfo/kclug
>>
>



-- 
Nathan Cerny
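The two-account Samba share sketched in the quoted steps, written out as an added smb.conf example that is not from this thread or from any list member. It assumes the CentOS box is a standalone server (authenticating against its own local password database, never joined to the AD domain), local Unix accounts `export_rw` and `export_ro` in a group `export`, and a share path of `/srv/export`; all of those names are constructed.

```ini
# /etc/samba/smb.conf (constructed example; account names, group and path are assumptions)
#
# Accounts are created on the CentOS box itself, e.g. (run as local root):
#   groupadd export
#   useradd -M -s /sbin/nologin -g export export_rw
#   useradd -M -s /sbin/nologin -g export export_ro
#   smbpasswd -a export_rw ; smbpasswd -a export_ro
#   mkdir -p /srv/export && chown root:export /srv/export && chmod 0770 /srv/export

[global]
    workgroup = WORKGROUP
    server string = Export compliance share
    # Standalone server: logons are checked against the local tdbsam database.
    # Joining the AD domain would hand control of the share back to Domain Admins.
    security = user
    passdb backend = tdbsam
    encrypt passwords = yes
    # A failed logon must never degrade to anonymous/guest access.
    map to guest = Never
    # Only the office subnet may reach the service at all (prefix form; assumed subnet).
    hosts allow = 192.168.10.
    hosts deny = ALL
    # One log per connecting machine, with authentication events at higher detail.
    log file = /var/log/samba/log.%m
    log level = 1 auth:3

[export]
    comment = Export-controlled documents
    path = /srv/export
    # Keep the share out of network browse lists.
    browseable = no
    # Only the two local accounts may connect; AD identities do not exist here.
    valid users = export_rw export_ro
    # Everything is read-only by default; write list overrides it for the R/W account.
    read only = yes
    write list = export_rw
    # New files are owned by the export group, so Unix permissions on /srv/export
    # (0770 root:export) govern both accounts and nothing else on the box.
    force group = export
    create mask = 0660
    directory mask = 0770
```

Validate the file with `testparm` before starting smbd; note that local root on the CentOS box can still read `/srv/export`, so its root password must be held by someone outside the group the share is meant to exclude.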
