Announcement

Collapse
No announcement yet.

double protection

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • double protection

    Hi, I am running a AD on Server 2003. My problem is trying to create a "Black Hole" where users can deposit sensitive material - successfully done by giving them rights to write but not read. But now I want to create a system whereby it requires 2 or more users to enter passwords to allow anyone to open the files. A bit like a 2 key operation for launching a missile. The ideal is is for any 2 passwords out of 4 will allow access, but I will settle for just needing 2 passwords. I look forward to your views on how to achieve this...... I will be patient, as I have been stressing my brain for 2 weeks now and there must be a simple way of providing this type of security.

    Regards Buggered

  • #2
    Re: double protection

    I don't think that there is anything native to Windows Server that would allow you to do this. However, what comes to my mind is a web based file browsing system that would allow folks to download a file but request a username and password first. After one acceptable username/password has been entered it could then request another. In my limited experience with web programming, I think this should be possible. Now the only trick is to find someone with sufficient web programming skills or surf over to Amazon and buy Teach Yourself PHP in 24 hours.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

    Comment


    • #3
      Re: double protection

      RSA key would be a way to do 2 factor authentication w/ one person.

      Web based is another way to do it, but I'd build in a timer, so that if they don't enter in a second password within the time period, the session ends and they'd have to start again.
      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      Comment


      • #4
        Re: double protection

        Originally posted by Wired View Post
        RSA key would be a way to do 2 factor authentication w/ one person.
        Or maybe one person could know the password and another person would hold the smartcard?
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

        Comment


        • #5
          Re: double protection

          That could work as well. Or, fingerprint authentication.
          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          Comment


          • #6
            Re: double protection

            Thanks everyone so far for your views........ am feeling a little better now that you all appear to be suggesting it isn't as simple as it would first appear. I don't know if this approach is worth investigating...... batch file or script that requires 2 separate passwords to be input to allow it to run, calling a rubroutine that uses runas (user with single read access to folder) explorer /separate. I have also thought of nesting a folder inside the "BlacK Hole" with a different superuser having access to that folder.

            Runas with /separate will request a password and if using explorer as the program allow the user originally logged in to copy the file to their folders and read it, or word /separate allow them to open it from the Black Hole.

            Unfortunately the script appears to need the superusers name to be entered in the runas statment, although the password doesnt. As the admin for the network I can of course log in as the superuser and change the password if I so wished - I want to also prevent suspician of my be able to snoop. How about a script to log access to the Black Hole saved as a text file in an accessible folder?

            Your thoughts and views are very much appreciated
            Buggered

            Comment


            • #7
              Re: double protection

              Originally posted by Nonapeptide View Post
              Or maybe one person could know the password and another person would hold the smartcard?
              I would like to avoid the need for USB Drives etc - have finally got a policy in place prohibiting the use of external media/devices to protect our system security. Part of the plan also needs to allow for the unavailability of a person.... ie password holder dies..... we still need to be able to access the files. So its high security, but with fall back protection.

              Thanks

              Comment


              • #8
                Re: double protection

                Originally posted by bugguard View Post
                I would like to avoid the need for USB Drives etc - have finally got a policy in place prohibiting the use of external media/devices to protect our system security. Part of the plan also needs to allow for the unavailability of a person.... ie password holder dies..... we still need to be able to access the files. So its high security, but with fall back protection.

                Thanks
                Well... you could have a user write his password on a piece of paper, put it in a security envelope, seal it and sign their name across the upper and lower part of the seal. Then drop the envelope in your company's vault / bank security box. Only open it in case of the user becoming dismissed, deported or deceased.

                Of course I do realize how ridiculous this suggestion is... but then again, I've heard of worse scenarios. Doesn't SharePoint have this kind of access rule creation where multiple managers can be petitioned for approval before a document is released? I've never had much experience with SP.
                Wesley David
                LinkedIn | Careers 2.0
                -------------------------------
                Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                Vendor Neutral Certifications: CWNA
                Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

                Comment


                • #9
                  Re: double protection

                  Explain WHY you want to do this. Maybe someone has done something similar, but didn't use "double protection".
                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  Comment


                  • #10
                    Re: double protection

                    Originally posted by Wired View Post
                    Explain WHY you want to do this. Maybe someone has done something similar, but didn't use "double protection".
                    We require a secure area on a server, where members of Staff and Management can store information of an important or Highly Confidential nature, that may be required at some point in the future. We do not currently have anything that would fall into this category, but perhaps an example might be "minutes/evidence of Board Members behaving in an inappropriate manner of a personal nature - which if made available would affect their lives - but, needed to be recorded should the allegations ever be brought into the public domain." So, we wish to restrict access to those files once placed there, and by forcing/requiring 2 or more people to give their consent to the files being accessed - prevents any one person being able to view the confidential info, without someone else in management knowing about it.

                    My latest thought is an expiring password, and requiring a request from management for access - a new password for the "God" account will be entered on the server (password created by 2 people - half each) by myself, and the new password given to the person who needs to log in as "God". The "God" account would be disabled at all other times, and only used to access the files in the "Black Hole". An audit trail of logging in and password changes stored in the "Black Hole" would be a nice touch!

                    Comment


                    • #11
                      Re: double protection

                      An admin could always find out the password or reset it so you still have one person that can access it. Even if you can audit it.

                      You could look at something like truecrypt (or similar). Create an encrypted file, drop the files etc into it, password protect it with half the password known by each person and then save it. Of course if someone forgot their half....

                      Or write the two halves seperately password in a sealed envelope and do like Nonapeptide says?
                      cheers
                      Andy

                      Please read this before you post:


                      Quis custodiet ipsos custodes?

                      Comment


                      • #12
                        Re: double protection

                        how about this...

                        if you had four users i would allow two of them access to the folder and the other two the password(s) to the document(s).

                        if you decide to go the web route here's a basic javascript example http://javascript.internet.com/passw...pt-source.html
                        If the information you receive helps please let us know and leave reputation points where appropriate.

                        The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do. - Ted Nelson

                        Comment


                        • #13
                          Re: double protection

                          Sounds to me like you need to create a folder somewhere and restrict who actually uses it.

                          We have a secure area on our servers that is solely locked down using NTFS permissions. No-one can access the folder unless you get added to a specific group and even then we need permission from the CEO for it to happen.

                          I can't think of anything off hand that would help you password protect the folders but shouldn't this sort of thing be handled by HR anyway.

                          Comment


                          • #14
                            Re: double protection

                            Originally posted by wullieb1 View Post
                            Sounds to me like you need to create a folder somewhere and restrict who actually uses it.

                            We have a secure area on our servers that is solely locked down using NTFS permissions. No-one can access the folder unless you get added to a specific group and even then we need permission from the CEO for it to happen.

                            I can't think of anything off hand that would help you password protect the folders but shouldn't this sort of thing be handled by HR anyway.
                            That is exactly my situation - the only problem is - as the IT Officer, Network Admin, etc..... I have access to the Servers and can give access to anyone, including myself. By introducing passwords that are only known by 1 person to protect the contents has 2 negatives - that person can access the data whenever they want and for whatever reason - if that person dies, how do you then get access to the data.

                            Perhaps the password in the safe is the easiest option!

                            Comment


                            • #15
                              Re: double protection

                              Originally posted by bugguard View Post
                              That is exactly my situation - the only problem is - as the IT Officer, Network Admin, etc..... I have access to the Servers and can give access to anyone, including myself. By introducing passwords that are only known by 1 person to protect the contents has 2 negatives - that person can access the data whenever they want and for whatever reason - if that person dies, how do you then get access to the data.

                              Perhaps the password in the safe is the easiest option!
                              But that then all comes down to trustting your IT staff member.

                              As the admin you pretty much access anything you want when you want and the board memebrs need to trust you to use you proffesional responsibilities to stay away from sensitive data unless you are called upon.

                              You could enforce a polcicy of some sort then enable auditing on the folder and report access attempts on a weekly basis.

                              Comment

                              Working...
                              X