Mixed environment security 2

Status
Not open for further replies.

clocktower

IS-IT--Management
Oct 10, 2005
6
US
I am new to the forum so please have patience with me. In my environment we have both Apples and PCs as well as Apple Servers and NT servers. Being the new guy here I have been thrown into the Sarbanes-Oxley issue of getting all the computers to comply with the security issues. What I would like to see is all computers logging into one server (preferably active directory).

Is this a possibility or is it just a pipe dream?

Other factors:

Apple OS’s 8.6 to X

Windows OS’s 98 to XP

Budget – low to nonexistent

 
If security is a concern then you need to dump the 98 boxes. There is no security built into it; you can bypass login by hitting escape!

Upgrade all of your Mac clients to the latest OS. Your older Macs won't play well, but the OS X machines can actually be joined to the domain.

1. Open '/Applications/Utilities/Directory Access.app'.

2. Enable the Active Directory service.

3. Configure the Active Directory service as follows:

   Active Directory forest -- 'example.com'

   Active Directory domain -- 'example.com' or 'childdomain.example.com'

   Computer ID -- Enter the host name of the computer.

   Cache last user logon for offline operation -- Checked.

   Authenticate in multiple domains -- Depends on whether you want to allow cross-domain authentication.

   Prefer this domain server -- Unfortunately, until the computer account has time to replicate to all domain controllers in the domain, configure the client to only communicate with one of the domain controllers, e.g. 'dc1.example.com'.

   Map UID to attribute -- NOT checked. I haven't figured out how to make this work without extending the Active Directory schema. If you already use Services for Unix, you can map the UID to the 'uid' attribute (created by SFU's NIS component).

   Allow administration by -- For example, 'EXAMPLE\Domain Admins'.

4. Click the Bind button, enter the user name and password of someone who has rights to create computer accounts in Active Directory, and change the OU to where you want the account created, e.g. OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=example,DC=com (for those of us running Windows Small Business Server 2003).

5. Change the authentication search path to 'Custom path' and add '/Active Directory/example.com'.

6. Restart the computer.


I hope you find this post helpful.

Regards,

Mark
 
Thanks for the info Mark.

I know the problems with 98 (this isn't my first AD) and those machines will be going away soon.

The biggest problem is with the older Apple OS's - I just don't see a way those will work with AD. Upgrading would be too cost prohibitive. (little to no budget this year)
 
Your best course of action then is to simply document that these machines will not comply. Let the higher ups find the money. Let them know that the cost of an audit is far more expensive than the upgrades.

I hope you find this post helpful.

Regards,

Mark
 
Mark is dead on here. You can't give someone a project to magically make you compliant with Sarbanes-Oxley, HIPAA, or even ISO certified and not give them any budget to work with. Step 1 is to simply document the situation as it currently exists. Then identify key challenges/problem areas (Win98, MacOS, etc). Then identify or rank the importance of remediating those problems. Finally identify the total cost of remediating each problem, piece by piece. Identify if there are multiple methods of making each system compliant. Going to a single directory services structure might make the most sense, but there may be a cheaper way to achieve compliance.

Since you are presumably in-house support, the analysis/info gathering stage shouldn't have much additional associated cost, but it will give you a good idea of what your options are and the consequences of those options. You may not be able to get all of the funding that you want, but you may be able to get a significant part of what you need.
 