Interesting challenge (for me at least)

Haworth, Michael A. Michael_Haworth at pas-technologies.com
Thu Feb 25 13:20:24 CST 2010


This is essentially the core of the problem - the domain admin is capable of assuming control of an account that does have access. The D.O.D. recommended one of two solutions - remove his DA credentials (not a chance due to his responsibilities and duties) or find a way to control access that is not affected by AD. I have looked at several apps that claim they can control access to folders by adding a second authentication, but they are all worthless when you access from a network share (they either completely block or completely allow due to issues with AD interaction) - none of them have worked. SAMBA doesn't have to be bound to AD and remote access to the server can be better controlled (IMHO) by simply not releasing information. The D.O.D. rep acknowledged that a Linux solution would be recognized by them provided that we can demonstrate the security.

Michael Haworth<mailto:michael_haworth at pas-technologies.com>
ESSM - PAS Technologies Inc.
D: (816) 556-5157
M: (816) 585-1033

From: Monty J. Harder [mailto:mjharder at gmail.com]
Sent: Thursday, February 25, 2010 1:12 PM
To: Haworth, Michael A.
Cc: KCLUG (E-mail)
Subject: Re: Interesting challenge (for me at least)

That domain admin could reset the password for an account with access to the share and gain entry anyway.  A domain admin with a security problem is probably a compliance issue anyway.
On Thu, Feb 25, 2010 at 11:16 AM, Haworth, Michael A. <Michael_Haworth at pas-technologies.com<mailto:Michael_Haworth at pas-technologies.com>> wrote:
This is most likely pretty elementary, but I wanted to bounce it off of some people that know more than me and can point out any flaws in my very weary logic before I do a concept presentation to my bosses:

I have a folder that has to be available on the network (currently Windows with AD), but must be protected from unauthorized access (including access by Domain Admins). Here is what I think a valid solution could be:


1.       Build up a CentOS box.

2.       Install and configure SAMBA to allow for sharing to windows computers.

3.       Create a SAMBA share for the required folder (and sort out auto-mount in case of a reboot).

4.       Create two accounts - one to allow for Read/Write access to the shared folder and one to allow for Read-only access

5.       Issue the account credentials to the manager of the folder (in this case, our Export Compliance Officer) and then allow it to be that person's problem to manage who knows the credentials.

I see this as a low stress, low cost, quick, and above all - easy - way to deal with a potential compliance issue. The reason that we cannot simply use Active Directory to restrict access is that one of our Domain Admins is a foreign national - if we were to place a 'deny access' on the folder, he could remove it if he wished - and getting rid of AD or Windows is not an option ATM, but it is still in process.

Any help from the list is greatly appreciated,
Michael Haworth<mailto:michael_haworth at pas-technologies.com>
Enterprise Systems Support Manager
PAS Technologies Inc.
D: (816) 556-5157
M: (816) 585-1033
F: (816) 556-5189


________________________________
CONFIDENTIALITY NOTICE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary, confidential, trade secret or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited and may be a violation of law. If you are not the intended recipient or a person responsible for delivering this message to an intended recipient, please contact the sender by reply email and destroy all copies of the original message.

_______________________________________________
KCLUG mailing list
KCLUG at kclug.org<mailto:KCLUG at kclug.org>
http://kclug.org/mailman/listinfo/kclug


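The five-step setup in the quoted post (standalone Samba box, one share, one read/write account and one read-only account, credentials handed to the folder's manager), worked through as an added example. This is not code from the thread or from the Samba project; the share path /srv/export, the accounts export_rw and export_ro, the Unix group export, and the CentOS-era service/chkconfig commands are assumptions. The Samba options used (security = user, valid users, read list, write list) are real smb.conf settings; with security = user and no AD join, authentication is checked against Samba's own local password database, so nothing a domain admin can do in AD changes who gets in.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Builds a standalone (non-AD) Samba share with two local accounts:
#   export_rw  - read/write
#   export_ro  - read-only
# Assumed names: /srv/export, export_rw, export_ro, group "export".
set -e

SHARE_PATH=${SHARE_PATH:-/srv/export}
RW_USER=${RW_USER:-export_rw}
RO_USER=${RO_USER:-export_ro}

# Print a complete smb.conf. "security = user" means Samba authenticates
# against its own passdb, not AD, so a domain admin cannot reset these
# passwords or edit the share's access from the Windows side.
# "read list" overrides Unix write permission at the Samba layer, so the
# read-only account stays read-only even though it is in the same group.
share_conf() {
    share_path=$1; rw_user=$2; ro_user=$3
    cat <<EOF
[global]
    workgroup = WORKGROUP
    server string = Export share
    security = user
    map to guest = Never
    guest ok = no

[export]
    path = ${share_path}
    browseable = no
    valid users = ${rw_user} ${ro_user}
    read list = ${ro_user}
    write list = ${rw_user}
    force group = export
    create mask = 0660
    directory mask = 2770
EOF
}

# Create the two local accounts (no shell, no home), the shared directory
# (setgid so new files inherit the group), write smb.conf, validate it
# with testparm, and start the service. Must run as root on the server.
# smbpasswd -a prompts for each password; hand those to the folder manager.
provision() {
    share_path=$1; rw_user=$2; ro_user=$3
    groupadd -f export
    for u in "$rw_user" "$ro_user"; do
        id "$u" >/dev/null 2>&1 || useradd -M -s /sbin/nologin -G export "$u"
    done
    install -d -m 2770 -o root -g export "$share_path"
    smbpasswd -a "$rw_user"
    smbpasswd -a "$ro_user"
    share_conf "$share_path" "$rw_user" "$ro_user" > /etc/samba/smb.conf
    testparm -s /etc/samba/smb.conf
    chkconfig smb on
    service smb start
}

# "sh setup.sh" previews the config; "sh setup.sh provision" applies it.
case "${1:-}" in
    provision) provision "$SHARE_PATH" "$RW_USER" "$RO_USER" ;;
    *)         share_conf "$SHARE_PATH" "$RW_USER" "$RO_USER" ;;
esac
```

Run it without arguments first to review the generated smb.conf, then as root with the provision argument on the CentOS box. The Unix group plus setgid directory is what lets the read-only account see files the read/write account creates; the Samba read list is what keeps it read-only.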