[unisog] - data tool

Paul FM paulfm at me.umn.edu
Sun May 10 14:23:53 GMT 2009

The only sure way is to have an administrator run a machine with the file 
share (Windows or Samba) who is in the group of people who need access.

Keep in mind that having administrative control of any of the machines 
involved (authentication server, file server, or client) effectively gives 
the sysadmin a path to access the data.  It is very easy (just one example) 
to use cygwin tools to start an xterminal to a specific machine when a user 
logs in - this can be done without actually installing the cygwin tools - you 
can cause this either by modifying the run key on the client, or changing the 
user's login script on the authentication server.  And of course - if you 
set up the server and file share, you could easily get at the data (even an 
encrypted data share can have a backdoor added when it is created).  Even 
OpenAFS (which would be able to serve your needs) suffers from all these 
basic security issues.

To get around some of the above security issues, you could use a Windows 
Terminal server to host the data - then all access to the data would have to 
be by interactive login to that Server - of course it would have to be 
dedicated for only that purpose (you would only need licenses for the 
individual users using the WTS and authentication could be self contained). 
But you would still need a trusted administrator to run it (preferably 
someone in the group with help from a regular administrator).  However, 
getting a keylogger (program or hardware) on any of the client machines could 
still get a user and password needed to log into the Terminal Server.

If this is a real absolutely secure requirement - you would need a room, that 
only the users are even allowed to enter, of isolated computers (no network 
connections except to each other) with a file server (and one of the users 
would have to run all the machines).  Note: this could even be done with 
Windows 98 - as the security is completely controlled by physical access.

Christoph Sprongl wrote:
> Hi,
> looking for a tool either encryption or good ACLs unfortunately for a
> Microsoft env., to make sure that only a specific group can share
> documents.
> Objective is that a sysadmin is really not able to look into the data.
> TrueCrypt encrypts containers, only one person can access the data.
> FreeOTFE does have problems if data got accessed parallel -> data corrupt.
> Any ideas more than welcome!
> christoph
