Educause Security Discussion mailing list archives
Re: Student workers & shared drive restrictions
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Mon, 1 Jun 2009 18:10:33 -0400
I understand your pain, as many probably do. We've had similar hurdles. IMHO, the real problem is two-fold.

1) Students are assigned tasks with access to things that they really shouldn't have access to as non-official workers, or that should be done by FTEs on the basis of accountability alone.

2) Department shares are not appropriately maintained, so that data within shares is not structured well enough that the less secure parts of the share (group folder) only contain appropriate data that is accessible by everyone.

Both of these issues are actually user-generated issues and don't have really good technology solutions in general.

Suggestions
----------------

One thing you could possibly consider is to give the students local machine accounts on the appropriate computers and simply allow those local machine accounts access to the server share. Of course you lose A/D management, so that's not the best idea either.

If you do have a well segmented network, you could simply do this with firewalls and routing, as one person mentioned, but this can lack granular security when students roam.

Finally, you might consider giving the students special-use A/D accounts that you only allow to log in to those specific machines, during specific hours (e.g. 8am-5pm). Then, when they're working, they don't log in as their usual jdoe123; they instead use jdoe123atwork. You retain central management, you can pre-set expiration dates if you know how long the students will work, and you can easily use group management to find out exactly where the students are. I would recommend using a special prefix so that you can quickly identify where these accounts are throughout the enterprise.

Sorry, I don't have any better ideas at the moment, but this really is technology trying to handle people issues.

Dexter Caldwell
Furman University

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
I'm the original poster, and I'm trying to trade one problem for another one. Currently I have areas where 20 student workers all share a set of credentials which they use when working. The main difference between their regular ID and this one is that this one maps a department share instead of their regular drive mappings.

I want to move them away from using these shared accounts, with my end goal being accountability. I want to be able to tie an action performed by a given account to a specific person, instead of a group of people.

The pushback that I'm getting is that student workers will have access to the departmental shared drives outside of work, and will copy files that they should not have. This is not a very good argument, as the students could copy the files while at work through multiple different methods (USB, our WebDAV shares, email, etc).

In order to gain the accountability that I'm looking for, I need to provide a method that will be computer-aware in determining which drives to map. So when a student worker logs in to one of the machines in the department offices they work in, only the department share is mapped. And when they log in anywhere else on campus, only their personal share is mapped.

I think that either of the two solutions I've seen before might work in our environment, but if there are other solutions being used at other schools I'd like to hear about them.

Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
Sent: Monday, June 01, 2009 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

On Mon, 01 Jun 2009 14:01:17 EDT, Brad Judy said:

> What about simply using the host firewall on the file server to only allow connections from departmental machines? This is the typical way to resolve this issue and I've used it many times.

Works great, unless you have other shares that you *do* want accessible from other non-departmental machines (consider the case where some shares are accessible via VPN connections, for instance).

A related question would be: What sort of misbehavior is the original poster trying to prevent by only allowing access when they're using computers in the department? Hopefully those systems don't have any user-accessible USB ports on them, or web or e-mail access, or any of the zillions of other ways they could abscond with sensitive information while logged in on the departmental computer...

(I'm not saying the original poster doesn't have a legitimate business need, I'm just an idiot and not understanding the problem he's trying to solve yet.)
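The special-use A/D account Dexter describes (a separate work-only logon restricted to specific machines and hours, with an expiration date and a recognisable naming pattern) is something you can provision from PowerShell with the ActiveDirectory RSAT module. The script below is an added example written for this archive page; it is not code from the thread or from Furman. The OU path, the "sw-" prefix (Dexter suggests a prefix; his jdoe123atwork is a suffix), the group name, the UPN domain and the workstation names are all assumptions, and the account runs with whatever rights the caller holds in that OU.

```powershell
# Added example, not from the original thread: provision a work-only AD account for a
# student worker that can log on only to named department PCs, only during set hours,
# and expires when the job ends. Requires the ActiveDirectory module (RSAT) and
# create rights in the target OU. OU, prefix, group and domain below are assumptions.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Build the 21-byte logonHours attribute: 7 days x 24 hourly bits, Sunday first,
    # least significant bit = earliest hour in each byte. AD interprets the bits in
    # UTC, so pass UTC hours (8am-5pm EDT is 12-21 UTC); adjust for your zone/DST.
    param(
        [int[]]$Days = 1..5,       # 0 = Sunday ... 6 = Saturday; default Mon-Fri
        [int]$StartHourUtc = 12,
        [int]$EndHourUtc   = 21    # exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHourUtc; $hour -lt $EndHourUtc; $hour++) {
            $bitIndex  = $day * 24 + $hour
            $byteIndex = [int][math]::Floor($bitIndex / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($bitIndex % 8))
        }
    }
    return ,$mask
}

function New-StudentWorkAccount {
    param(
        [Parameter(Mandatory)][string]$UserSam,         # the student's everyday account, e.g. jdoe123
        [Parameter(Mandatory)][string[]]$Workstations,  # NetBIOS names of the department PCs
        [Parameter(Mandatory)][datetime]$ExpiresOn,     # last day of employment
        [string]$Prefix = 'sw-',                        # assumed prefix so the accounts are easy to find
        [string]$OuPath = 'OU=StudentWorkers,OU=Accounts,DC=example,DC=edu',  # assumed OU
        [string]$Group  = 'StudentWorkers-DeptShare',   # assumed group that is granted the share ACL
        [string]$UpnSuffix = 'example.edu'              # assumed UPN domain
    )
    $person  = Get-ADUser -Identity $UserSam -Properties DisplayName
    $workSam = "$Prefix$UserSam"

    # Random initial password; the student is forced to change it at first logon.
    $rnd = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force

    New-ADUser -Name "$($person.DisplayName) (student worker)" `
        -SamAccountName $workSam `
        -UserPrincipalName "$workSam@$UpnSuffix" `
        -Path $OuPath `
        -AccountPassword $initial -ChangePasswordAtLogon $true `
        -Enabled $true `
        -AccountExpirationDate $ExpiresOn `
        -LogonWorkstations ($Workstations -join ',') `
        -Description "Work-only account for $UserSam" `
        -OtherAttributes @{ employeeID = $UserSam }    # ties the work logon back to the person

    # Restrict logon hours (logonHours is a byte array; -Replace sets it directly).
    Set-ADUser -Identity $workSam -Replace @{ logonHours = (New-LogonHoursMask) }

    # Share access comes from group membership, never from per-user ACLs on the share.
    Add-ADGroupMember -Identity $Group -Members $workSam

    Get-ADUser -Identity $workSam -Properties LogonWorkstations, AccountExpirationDate, MemberOf
}

function Get-StudentWorkAccounts {
    # Inventory every work-only account: who it maps to, where it may log on, when it expires.
    param([string]$Prefix = 'sw-')
    Get-ADUser -Filter "SamAccountName -like '$Prefix*'" `
        -Properties employeeID, LogonWorkstations, AccountExpirationDate |
        Select-Object SamAccountName, employeeID, LogonWorkstations, AccountExpirationDate
}

# Example usage (names are constructed for this example):
# New-StudentWorkAccount -UserSam jdoe123 -Workstations 'DEPT-PC01','DEPT-PC02' -ExpiresOn '2009-12-18'
# Get-StudentWorkAccounts
```

Two caveats a practitioner would want: LogonWorkstations is enforced at interactive logon, not on SMB connections, so the share ACL should still be granted to the group rather than to the student's everyday account, and the logonHours bitmap is stored in UTC, so a mask built for "8 to 5" will shift by an hour across a daylight-saving change unless you rebuild it.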
Current thread:
- Student workers & shared drive restrictions Bazeley, Joseph E. (Jun 01)
- <Possible follow-ups>
- Re: Student workers & shared drive restrictions Brian Desmond (Jun 01)
- Re: Student workers & shared drive restrictions Brad Judy (Jun 01)
- Re: Student workers & shared drive restrictions Valdis Kletnieks (Jun 01)
- Re: Student workers & shared drive restrictions Bazeley, Joseph E. (Jun 01)
- Re: Student workers & shared drive restrictions Valdis Kletnieks (Jun 01)
- Re: Student workers & shared drive restrictions Spransy, Derek (Jun 01)
- Re: Student workers & shared drive restrictions Dexter Caldwell (Jun 01)
- Re: Student workers & shared drive restrictions Bob Kalal (Jun 01)
- Re: Student workers & shared drive restrictions Spransy, Derek (Jun 01)
- Re: Student workers & shared drive restrictions Valdis Kletnieks (Jun 01)
- Re: Student workers & shared drive restrictions Charles Buchholtz (Jun 01)
- Re: Student workers & shared drive restrictions Witmer, Robert (Jun 01)