Educause Security Discussion mailing list archives

Re: Student workers & shared drive restrictions


From: "Bazeley, Joseph E." <bazeleje () MUOHIO EDU>
Date: Mon, 1 Jun 2009 17:01:54 -0400

I'm the original poster, and I'm trying to trade one problem for another one.  Currently I have areas where 20 
student workers all share a set of credentials which they use when working.  The main difference between their regular 
ID and this one is that this one maps a department share instead of their regular drive mappings.

I want to move them away from using these shared accounts, with my end goal being accountability.  I want to be 
able to tie an action performed by a given account to a specific person, instead of a group of people.  The pushback 
that I'm getting is that student workers will have access to the departmental shared drives outside of work, and will 
copy files that they should not have.  This is not a very good argument, as the students could copy the files while at 
work through multiple different methods (USB, our WebDAV shares, email, etc.).

In order to gain the accountability that I'm looking for, I need to provide a method that will be computer-aware in 
determining which drives to map.  So when a student worker logs in to one of the machines in the department offices 
they work in, only the department share is mapped.  And when they log in anywhere else on campus, only their personal 
share is mapped.

I think that either of the two solutions I've seen before might work in our environment, but if there are other 
solutions being used at other schools I'd like to hear about them.

Joe 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Valdis 
Kletnieks
Sent: Monday, June 01, 2009 2:47 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student workers & shared drive restrictions

On Mon, 01 Jun 2009 14:01:17 EDT, Brad Judy said:
> What about simply using the host firewall on the file server to only allow
> connections from departmental machines?  This is the typical way to resolve
> this issue and I've used it many times.

Works great, unless you have other shares that you *do* want accessible from
other non-departmental machines (consider the case where some shares are
accessible via VPN connections, for instance).

A related question would be:  What sort of misbehavior is the original poster
trying to prevent by only allowing access when they're using computers in the
department?  Hopefully those systems don't have any user-accessible USB ports
on them, or web or e-mail access, or any of the zillions of other ways they
could abscond with sensitive information while logged in on the departmental
computer...

(I'm not saying the original poster doesn't have a legitimate business need,
I'm just an idiot and not understanding the problem he's trying to solve yet).
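
The computer-aware mapping asked about in this thread, sketched as a logon script; this is an added example, not part of any message in the thread. The group name, share paths and drive letter are hypothetical placeholders.

```powershell
# Added example: choose the drive mapping from the machine the user logs in on.
# All names below are hypothetical placeholders, not values from the thread.
$DeptComputerGroup = 'Dept-Office-PCs'      # AD group holding the department office machines
$DeptShare         = '\\fileserver\dept'    # department share
$HomeShareRoot     = '\\fileserver\home'    # parent of per-user personal shares
$DriveLetter       = 'H:'

function Test-ComputerInGroup {
    param([string]$ComputerName, [string]$GroupName)
    # Computer accounts carry a trailing '$' in sAMAccountName.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if (-not $result) { return $false }
    # memberOf lists direct memberships only (no nested groups, no primary group).
    foreach ($dn in $result.Properties['memberof']) {
        if ($dn -like "CN=$GroupName,*") { return $true }
    }
    return $false
}

function Get-ShareForLogon {
    param([bool]$OnDeptMachine, [string]$UserName)
    # Exactly one share is mapped per logon: department share on office
    # machines, personal share everywhere else.
    if ($OnDeptMachine) { return $DeptShare }
    return "$HomeShareRoot\$UserName"
}

try {
    $onDept = Test-ComputerInGroup -ComputerName $env:COMPUTERNAME -GroupName $DeptComputerGroup
} catch {
    # Directory lookup failed: fall back to the personal share rather than
    # exposing the department share on an unverified machine.
    $onDept = $false
}

$share = Get-ShareForLogon -OnDeptMachine $onDept -UserName $env:USERNAME
net use $DriveLetter $share /persistent:no
```

Because each student logs in with their own ID, file-server audit records name a person rather than a shared account. The script only decides which drive appears at logon; the share stays reachable by UNC path from other machines unless the server also restricts source hosts, as the host-firewall suggestion quoted above does.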
