USENIX Technical Program - Abstract - LISA-NT 99
NT Security in an Open Academic Environment
Gregg Daly, Gary Buhrmaster, Matthew Campbell, Andrea Chan, Robert Cowles, Ernest Denys, Patrick Hancox, Bill Johnson, David Leung, Jeff Lwin
Stanford Linear Accelerator Center
Abstract
Stanford Linear Accelerator Center (SLAC) was faced with the need to
secure its PeopleSoft/Oracle business system in an academic
environment that has only a minimal firewall. To provide protected
access to the database servers for NT-based users all over the site
while not hindering the lab's open connectivity with the Internet, we
implemented a pseudo three-tier architecture for PeopleSoft with
Windows Terminal Server and Citrix MetaFrame technology. The client
application and Oracle database were placed behind a firewall, and
access was granted via an encrypted link to a thin client.
Authentication in the future will be through two-factor token cards.
NT workstations in the business system unit were further secured
through switched network ports and an automated installation process
that included SMB signing and disabling LM Authentication in favor of
NTLMv2. The hardened workstations then accessed the business system
through the Citrix Secure ICA client. How these security measures
affected our mixed environment (Windows 9x, Samba, Transarc AFS
clients, Pathworks, developers, researchers) is discussed.