11.1. Introduction Abmas is continuing its meteoric growth with yet further acquisitions. The investment community took note of the spectacular projection of Abmas onto the global business stage. Abmas is building an interesting portfolio of companies that includes accounting services, financial advice, investment portfolio management, property insurance, risk assessment, and the recent addition of a a video rental business. The pieces do not always appear to fit together, but Mr. Meany is certainly executing an interesting business growth and development plan. Abmas Video Rentals was recently acquired. During the time that the acquisition was closing, the Video Rentals business upgraded its Windows NT4-based network to Windows 2003 Server and Active Directory. You have accepted the fact that Abmas Video Rentals will use Microsoft Active Directory. The IT team, led by Stan Soroka, is committed to Samba-3 and to maintaining a uniform technology platform. Stan Soroka's team voiced its disapproval over the decision to permit this business to continue to operate with a solution that is viewed by Christine and her group as "an island of broken technologies." This comment was made by one of Christine's staff as they were installing a new Samba-3 server at the new business. Abmas Video Rentals' head of IT heard of this criticism. He was offended that a junior engineer should make such a comment. He felt that he had to prepare in case he might be criticized for his decision to use Active Directory. He decided he would defend his decision by hiring the services of an outside security systems consultant to report[1] on his unit's operations and to investigate the role of Samba at his site. Here are key extracts from this hypothetical report: [1] This report is entirely fictitious. Any resemblance to a factual report is purely coincidental.
... the implementation of Microsoft Active Directory at the Abmas Video Rentals, Bamingsham site, has been examined. We find no evidence to support a notion that vulnerabilities exist at your site. ... we took additional steps to validate the integrity of the installation and operation of Active Directory and are pleased that your staff are following sound practices. ... User and group accounts, and respective privileges, have been well thought out. File system shares are appropriately secured. Backup and disaster recovery plans are well managed and validated regularly, and effective off-site storage practices are considered to exceed industry norms. Your staff are justifiably concerned that the use of Samba may compromise their good efforts to maintain a secure network. The recently installed Linux file and application server uses a tool called winbind that is indiscriminate about security. All user accounts in Active Directory can be used to access data stored on the Linux system. We are alarmed that secure information is accessible to staff who should not even be aware that it exists. We share the concerns of your network management staff who have gone to great lengths to set fine-grained controls that limit information access to those who need access. It seems incongruous to us that Samba winbind should be permitted to be used considering that it voids this fine work. Graham Judd [head of network administration] has locked down the security of all systems and is following the latest Microsoft guidelines. ... null session connections have been disabled ... the internal network is isolated from the outside world, the [product name removed] firewall is under current contract maintenance support from [the manufacturer]. ... our attempts to penetrate security of your systems failed to find problems common to Windows networking sites. We commend your staff on their attention to detail and for following Microsoft recommended best practices. ... Regarding the use of Samba, we offer the following comments: Samba is in use in nearly half of all sites we have surveyed. ... It is our opinion that Samba offers no better security than Microsoft ... what worries us regarding Samba is the need to disable essential Windows security features such as secure channel support, digital sign'n'seal on all communication traffic, and running Active Directory in mixed mode so that Samba clients and servers can authenticate all of it. Additionally, we are concerned that Samba is not at the full capabilities of Microsoft Windows NT4 server. Microsoft has moved well beyond that with trusted computing initiatives that the Samba developers do not participate in. One wonders about the integrity of an open source program that is developed by a team of hackers who cannot be held accountable for the flaws in their code. The sheer number of updates and bug fixes they have released should ring alarm bells in any business. Another factor that should be considered is that buying Microsoft products and services helps to provide employment in the IT industry. Samba and Open Source software place those jobs at risk. This is also a challenge to rise above the trouble spot. You call Stan's team together for a simple discussion, but it gets further out of hand. When you return to your office, you find the following email in your in-box: Good afternoon, I apologize for the leak of internal discussions to the new business. It reflects poorly on our professionalism and has put you in an unpleasant position. I regret the incident. I also wish to advise that two of the recent recruits want to implement Kerberos authentication across all systems. I concur with the desire to improve security. One of the new guys who is championing the move to Kerberos was responsible for the comment that caused the embarrassment. I am experiencing difficulty in handling the sharp push for Kerberos. He claims that Kerberos, OpenLDAP, plus Samba-3 will seamlessly replace Microsoft Active Directory. I am a little out of my depth with respect to the feasibility of such a move, but have taken steps to pull both of them into line. With your consent, I would like to hire the services of a well-known Samba consultant to set the record straight. I intend to use this report to answer the criticism raised and would like to establish a policy that we will approve the use of Microsoft Windows Servers (and Active Directory) subject to all costs being covered out of the budget of the division that wishes to go its own way. I propose that dissenters will still remain responsible to meet the budgeted contribution to IT operations as a whole. I believe we should not coerce use of any centrally proposed standards, but make all noncompliance the financial responsibility of the out-of-step division. Hopefully, this will encourage all divisions to walk with us and not alone. Stan 11.1.1. Assignment Tasks You agreed with Stan's recommendations and hired a consultant to help defuse the powder keg. The consultant's task is to provide a tractable answer to each of the issues raised. The consultant must be able to support his or her claims, keep emotions to the side, and answer technically. | 