Re: Student workers & shared drive restrictions

["Spransy, Derek" <DSPRANS () EMORY EDU>]

What prevents them from mapping a drive while they're not at work using the generic account now if they know the UNC 
path?  Login scripts and group policy preferences can be used to change which drive maps on what computer, but students 
could always manually map a drive from anywhere in which they have access to the server.  Once someone is given access 
to data, then it's hard to prevent them from abusing it.  You just have to have an audit trail that can tell you what 
happened.

We have a nearly identical set up for one of our administrative units that employs a number of work study students.  
These students move around within the department quite frequently, and through group membership are allowed to login to 
any student worker computer.  From there they have permissions only to the folders within the share that they need 
access to.  We used to use generic accounts as well, but found the same problems with accountability.  Each semester 
(or as needed) the department tells us who to remove.  You can't really add computer accounts to the share to 
accomplish what you wish (since the user account makes the request, and not the computer account).  If they have access 
to the share, then it would be difficult to prevent them from mapping the drive somewhere else unless you only allow 
the department's subnet to access the file sharing ports on the server.  All of our students have to sign a 
confidentiality agreement as part of their employment too, which does give you some legal coverage if something should 
happen.  It's also a best practice to avoid giving students access to data that with a high level of sensitivity as 
well.  Hope that helps!  If you'd like more details on our set up I'd be happy to share offline.

-Derek

=====================
Derek Spransy
IT Security Lead
Emory College of Arts & Sciences
derek.spransy () emory edu
=====================
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bazeley, Joseph 
E. [bazeleje () MUOHIO EDU]
Sent: Monday, June 01, 2009 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

I'm the original poster, and I'm trying to replace trade one problem for another one.  Currently I have areas where 20 
student workers all share a set of credentials which they use when working.  The main difference between their regular 
ID and this one is that this one maps a department share instead of their regular drive mappings.

I want to move away them away from using these shared accounts, with my end goal being accountability.  I want to be 
able to tie an action performed by a given account to a specific person, instead of a group of people.  The pushback 
that I'm getting is that student workers will have access to the departmental shared drives outside of work, and will 
copy files that they should not have.  This is not a very good argument, as the students could copy the files while at 
work through multiple different methods (USB, our WebDAV shares, email, etc).

In order to gain the accountability that I'm looking for, I need to provide a method that will be computer-aware in 
determining which drives to map.  So when a student worker logs in to one of the machines in the department offices 
they work in, only the department share is mapped.  And when they log in anywhere else on campus, only their personal 
share is mapped.

I think that either of the two solutions I've seen before might work in our environment, but if there are other 
solutions being used at other schools I'd like to hear about them.

Joe

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis 
Kletnieks
Sent: Monday, June 01, 2009 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

On Mon, 01 Jun 2009 14:01:17 EDT, Brad Judy said:
> What about simply using the host firewall on the file server to only allow
> connections from departmental machines?  This is the typical way to resolve
> this issue and I've used it many times.

Works great, unless you have other shares that you *do* want accessible from
other non-departmental machines (consider the case where some shares are
accessible via VPN connections, for instance).

A related question would be:  What sort of misbehavior is the original poster
trying to prevent by only allowing access when they're using computers in the
department?  Hopefully those systems don't have any user-accessible USB ports
on them, or web or e-mail access, or any of the zillions of other ways they
could abscond with sensitive information while logged in on the departmental
computer...

(I'm not saying the original poster doesn't have a legitimate business need,
I'm just an idiot and not understanding the problem he's trying to solve yet).

This e-mail message (including any attachments) is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information.  If the reader of this message is not the intended
recipient, you are hereby notified that any dissemination, distribution
or copying of this message (including any attachments) is strictly
prohibited.

If you have received this message in error, please contact
the sender by reply e-mail message and destroy all copies of the
original message (including attachments).