Educause Security Discussion mailing list archives
Re: Student workers & shared drive restrictions
From: "Spransy, Derek" <DSPRANS () EMORY EDU>
Date: Mon, 1 Jun 2009 17:43:21 -0400
What prevents them from mapping a drive while they're not at work using the generic account now if they know the UNC path? Login scripts and group policy preferences can be used to change which drive maps on what computer, but students could always manually map a drive from anywhere in which they have access to the server. Once someone is given access to data, then it's hard to prevent them from abusing it. You just have to have an audit trail that can tell you what happened.

We have a nearly identical set up for one of our administrative units that employs a number of work study students. These students move around within the department quite frequently, and through group membership are allowed to log in to any student worker computer. From there they have permissions only to the folders within the share that they need access to. We used to use generic accounts as well, but found the same problems with accountability. Each semester (or as needed) the department tells us who to remove.

You can't really add computer accounts to the share to accomplish what you wish (since the user account makes the request, and not the computer account). If they have access to the share, then it would be difficult to prevent them from mapping the drive somewhere else unless you only allow the department's subnet to access the file sharing ports on the server.

All of our students have to sign a confidentiality agreement as part of their employment too, which does give you some legal coverage if something should happen. It's also a best practice to avoid giving students access to data with a high level of sensitivity as well.

Hope that helps! If you'd like more details on our set up I'd be happy to share offline.
-Derek

=====================
Derek Spransy
IT Security Lead
Emory College of Arts & Sciences
derek.spransy () emory edu
=====================

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bazeley, Joseph E. [bazeleje () MUOHIO EDU]
Sent: Monday, June 01, 2009 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

I'm the original poster, and I'm trying to trade one problem for another one. Currently I have areas where 20 student workers all share a set of credentials which they use when working. The main difference between their regular ID and this one is that this one maps a department share instead of their regular drive mappings.

I want to move them away from using these shared accounts, with my end goal being accountability. I want to be able to tie an action performed by a given account to a specific person, instead of a group of people. The pushback that I'm getting is that student workers will have access to the departmental shared drives outside of work, and will copy files that they should not have. This is not a very good argument, as the students could copy the files while at work through multiple different methods (USB, our WebDAV shares, email, etc).

In order to gain the accountability that I'm looking for, I need to provide a method that will be computer-aware in determining which drives to map. So when a student worker logs in to one of the machines in the department offices they work in, only the department share is mapped. And when they log in anywhere else on campus, only their personal share is mapped.

I think that either of the two solutions I've seen before might work in our environment, but if there are other solutions being used at other schools I'd like to hear about them.
Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Monday, June 01, 2009 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

On Mon, 01 Jun 2009 14:01:17 EDT, Brad Judy said:
What about simply using the host firewall on the file server to only allow connections from departmental machines? This is the typical way to resolve this issue and I've used it many times.
Works great, unless you have other shares that you *do* want accessible from other non-departmental machines (consider the case where some shares are accessible via VPN connections, for instance).

A related question would be: What sort of misbehavior is the original poster trying to prevent by only allowing access when they're using computers in the department? Hopefully those systems don't have any user-accessible USB ports on them, or web or e-mail access, or any of the zillions of other ways they could abscond with sensitive information while logged in on the departmental computer...

(I'm not saying the original poster doesn't have a legitimate business need, I'm just an idiot and not understanding the problem he's trying to solve yet).
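The audit trail and subnet restriction discussed in this thread can be combined into a simple review of share-access records. The following is an added example, not code from any poster in the thread; the subnet, share name, generic account name and log layout are all hypothetical, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Assumptions (hypothetical values, not taken from the thread):
DEPT_SUBNET = ipaddress.ip_network("10.20.30.0/24")  # department office machines
DEPT_SHARE = "DeptShare"                              # the departmental share
GENERIC_ACCOUNTS = {"deptworker"}                     # legacy shared login

# Constructed sample of share-access audit records exported as CSV.
SAMPLE_LOG = """time,account,source_ip,share
2009-06-01T09:02:11,jsmith,10.20.30.15,DeptShare
2009-06-01T09:05:40,deptworker,10.20.30.16,DeptShare
2009-06-01T21:47:03,jsmith,10.99.4.200,DeptShare
2009-06-01T21:50:12,jsmith,10.99.4.200,HomeDirs
2009-06-01T22:10:09,deptworker,10.99.7.31,DeptShare
"""


def review_share_access(log_text):
    """Return (time, account, source_ip, reasons) for records needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["share"] != DEPT_SHARE:
            continue  # only the departmental share is in scope
        reasons = []
        # Access from outside the department subnet: the case a server-side
        # firewall rule would block, surfaced here from the audit trail.
        if ipaddress.ip_address(row["source_ip"]) not in DEPT_SUBNET:
            reasons.append("outside department subnet")
        # A shared login cannot be tied to one person, so flag every use.
        if row["account"].lower() in GENERIC_ACCOUNTS:
            reasons.append("generic account, no individual attribution")
        if reasons:
            findings.append((row["time"], row["account"], row["source_ip"], reasons))
    return findings


if __name__ == "__main__":
    for time, account, ip, reasons in review_share_access(SAMPLE_LOG):
        print(f"{time} {account} from {ip}: {'; '.join(reasons)}")
```

With individual accounts, the off-subnet record for `jsmith` identifies one person; the off-subnet record for the generic account identifies only the group that knows its password.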