Implementing Security through AD


  • Implementing Security through AD

    We have a 25 client network with ADS and a Central file server containing very sensitive information. Want to implement the following security scenario:

    Named users when they login will have full access to predetermined 'sensitive' folders on the Central file server. They will also have read only access to a common folder on the file server. They will not have access to internet, and emails can be sent only to predefined email ids.

    Apart from named users, there are generic ids like internet01, internet02, and so on. When the user logs in with these generic ids, they will not have access to any of the sensitive folders. They will have read and write access only to the common folder. They will have full access to the internet and unrestricted access to emails.

    Is this technically feasible? If yes, what additional software (apart from ADS) will be required - preferably open source, but not necessarily.

    Any help will be appreciated. Seemed like a simple idea during the discussion stage, but have not been able to find the right way of implementing it.

  • #2
    Re: Implementing Security through AD

    Essentially, yes for files, through NTFS permissions.
    Rough process (but PLEASE read up on it and test):
    1) Create two groups in AD, "Sensitive" and "Everything" (or whatever names you want)
    2) Add users to groups
    3) Go into sensitive folders and change security permissions -- remove inheritance, remove "users", "everyone" and similar (but NOT System and probably not admins)
    4) Add "Sensitive" group with modify permission
    5) Go to common folders, repeat 3
    6) Add "Sensitive" with read permission and "Everything" with modify permission

    For internet you will need to implement some sort of proxy server
    For email, you can do what you ask with Exchange if you are using it
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
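
Steps 1 to 6 from post #2, as an added PowerShell example that is not part of the thread or the poster's own commands. Assumptions: the domain name `CONTOSO`, the folder paths and the named users `jsmith` and `apatel` are placeholders; "and similar" is read here as including Authenticated Users; inheritance is disabled with `/inheritance:d` so the existing SYSTEM and Administrators entries are kept as explicit copies.

```powershell
# Added example; run elevated on the file server with the RSAT ActiveDirectory module.
# CONTOSO, the D:\ paths, jsmith and apatel are placeholders (assumptions).
Import-Module ActiveDirectory

$Domain        = 'CONTOSO'
$SensitivePath = 'D:\Shares\Sensitive'
$CommonPath    = 'D:\Shares\Common'

# Steps 1-2: create the two security groups and populate them.
New-ADGroup -Name 'Sensitive'  -GroupScope Global -GroupCategory Security
New-ADGroup -Name 'Everything' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Sensitive'  -Members 'jsmith', 'apatel'
Add-ADGroupMember -Identity 'Everything' -Members 'internet01', 'internet02'

# Well-known SIDs for the broad principals to strip (locale-independent):
# BUILTIN\Users, Everyone, Authenticated Users.
$BroadSids = '*S-1-5-32-545', '*S-1-1-0', '*S-1-5-11'

# Steps 3 and 5: break inheritance, then remove the broad principals.
foreach ($path in $SensitivePath, $CommonPath) {
    # :d copies inherited ACEs as explicit ones, so SYSTEM and Administrators
    # survive; :r would drop them along with everything else.
    icacls $path /inheritance:d
    foreach ($sid in $BroadSids) {
        icacls $path /remove:g $sid
    }
}

# Step 4: named users get Modify on the sensitive tree.
icacls $SensitivePath /grant "${Domain}\Sensitive:(OI)(CI)M"

# Step 6: named users read-only, generic ids Modify on the common tree.
icacls $CommonPath /grant "${Domain}\Sensitive:(OI)(CI)R"
icacls $CommonPath /grant "${Domain}\Everything:(OI)(CI)M"

# Check: warn if any broad principal still has an entry on either folder.
$BroadNames = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
foreach ($path in $SensitivePath, $CommonPath) {
    $left = (Get-Acl $path).Access |
        Where-Object { $BroadNames -contains $_.IdentityReference.Value }
    if ($left) {
        Write-Warning "$path still grants access to: $($left.IdentityReference -join ', ')"
    }
    icacls $path   # print the resulting ACL for review
}
```

The ACLs above are NTFS permissions only; if the folders are reached through a share, the share permissions also apply and the more restrictive of the two wins.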



    • #3
      Re: Implementing Security through AD

      Thanks Ossian.

      What proxy server would you suggest that would work seamlessly with AD?

      Also, is MS Exchange the only option -- or is there any open source equivalent that could work in this scenario with AD?

      Thanks once again for your help.



      • #4
        Re: Implementing Security through AD

        For a proxy, really you have to go Microsoft -- Forefront TMG is the product to look at.
        There are many other mailservers (without the full functionality of Exchange) but you will need to check if they offer restrictions by group -- nothing springs to mind.

        IMHO implement the file access immediately and put procedures in place to discipline users not behaving with email and internet -- get Management / HR backing for what you are doing.
        Tom Jones