Re: Student workers & shared drive restrictions

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

I understand your pain as many probably do.  We've had similar hurdles. 
IMHO, the real problem is two-fold.  

1) Students are assigned tasks with access to things that they really
shouldn't have access to as non-official workers- or that should be done
by FTEs on the basis of accountability alone.  
2) Departments shares are not appropriately maintained so that data within
shares is structured well so that less secure parts of the share (group
folder) only contain appropriate data that is accessible by everyone.

Both these issues are actually user-generated issues and don't have real
good technology solutions in general.  

Suggestions
----------------
One thing you could possibly consider (is to give the students local
machine accounts on the appropriate computers  and simply allow those
local machine accounts access to the server share.  Of course you lose A/D
management so that's not the best idea either.

If you do have a well segmented network, you could simply do this with
firewalls and routing as one person mentioned, but this can lack granular
security when students roam.

Finally you might consider giving the students special-use A/D accounts
that you only allow to login to those specific machines, during specific
hours (Ex, 8-5pm).  Then, when they're working, they don't login as  their
usual jdoe123- they instead use jdoe123atwork. You retain central
management, you can pre-set expiration dates if you know how long the
students will work, and you can easily use group management to find out
exactly where the students are.  I would recommend using a special prefix
so that you can quickly identify where these accounts are throughout the
enterprise.

Sorry don't have any better ideas at the moment, but this really is
technology trying to handle people issues.

Dexter Caldwell
Furman University


The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> I'm the original poster, and I'm trying to replace trade one problem for
> another one.  Currently I have areas where 20 student workers all share a
> set of credentials which they use when working.  The main difference
> between their regular ID and this one is that this one maps a department
> share instead of their regular drive mappings.
>
> I want to move away them away from using these shared accounts, with my
> end goal being accountability.  I want to be able to tie an action
> performed by a given account to a specific person, instead of a group of
> people.  The pushback that I'm getting is that student workers will have
> access to the departmental shared drives outside of work, and will copy
> files that they should not have.  This is not a very good argument, as
> the students could copy the files while at work through multiple
> different methods (USB, our WebDAV shares, email, etc).
>
> In order to gain the accountability that I'm looking for, I need to
> provide a method that will be computer-aware in determining which drives
> to map.  So when a student worker logs in to one of the machines in the
> department offices they work in, only the department share is mapped. 
> And when they log in anywhere else on campus, only their personal share
> is mapped.
>
> I think that either of the two solutions I've seen before might work in
> our environment, but if there are other solutions being used at other
> schools I'd like to hear about them.
>
> Joe 
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis Kletnieks
> Sent: Monday, June 01, 2009 2:47 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Student workers & shared drive restrictions
>
> On Mon, 01 Jun 2009 14:01:17 EDT, Brad Judy said:
> > What about simply using the host firewall on the file server to only
> allow
> > connections from departmental machines?  This is the typical way to
> resolve
> > this issue and I've used it many times.
>
> Works great, unless you have other shares that you *do* want accessible
> from
> other non-departmental machines (consider the case where some shares are
> accessible via VPN connections, for instance).
>
> A related question would be:  What sort of misbehavior is the original
> poster
> trying to prevent by only allowing access when they're using computers in
> the
> department?  Hopefully those systems don't have any user-accessible USB
> ports
> on them, or web or e-mail access, or any of the zillions of other ways
> they
> could abscond with sensitive information while logged in on the
> departmental
> computer...
>
> (I'm not saying the original poster doesn't have a legitimate business
> need,
> I'm just an idiot and not understanding the problem he's trying to solve
> yet).