This is similar to the solution I was thinking of as well. It only costs you a firewall and the full protection of a single machine. I wouldn't even give full access to this box to production, it would allow HTTP access to it. Someone checks a file in on the lab side, you check it out on the prod side. Ditto but in reverse to get something from prod to dev.
I was just telling my team this last week. You have a see-saw, on one side is security, on the other is flexibility/usability. You need to decide which side should be focused on. If you have to have the flexibility and usability you have to sacrifice security. If you are sane, you choose security and sacrifice flexibility and usability. Just because people are used to having full access doesn't mean it should continue or that it makes sense. It is something that has been pushed due to how MS trains admins and Developers (MC* programs) and their own software and with how the environment has evolved with third party stuff. I know I beat on E2K a lot, but it is a great example of a poor directory integrated poor security app. I recall when I got the instructions for how to separate the administrators of Exchange and AD... I looked down the list, you had multiple ways to do it. First was to give property sets and add a bunch of denies, the other was to add a bunch of individual grants. Either way really goes against the recommendation of managing your directory security well because it is confusing plus you don't want a bunch of ACEs on your objects. Additionally one of the attributes that was to be delegated was the nTSecurityDescriptor... Heh, game over. It is only recently that true security has started to become something that less than a minority on Windows is becoming aware of. You know me, I have always been paranoid about it. It is good to see the rest of the world starting to show up at that party (though I ate all the peanuts and drank all the beer already so BYOB). Additionally, I think it is not only silly, not only dangerous, but outright stupid to allow people to pull something directly from dev or the lab into the production environment without some form of logged process in between.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Friday, October 17, 2003 3:01 PM
To: [EMAIL PROTECTED]

<SNIP>

Well, I still think you could work it out with an intermediate machine. Just put a Server in between the two networks with two interfaces on it. Load it up with all the virus protection you can find (most server-based virus protection will check incoming and outgoing files as they are up/downloaded) and keep the machine updated with all patches/etc. Then set it up so the only way to get files from production to lab is to copy them on to this server first. It's a little annoying for the people copying the files ("Damn ... I forgot to copy this to the transfer server from the lab") but I would say that this is where you've got to draw the line if you want to have any level of safety/protection whatsoever.

<SNIP>

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
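The "logged process in between" that both posts argue for, as an added example that is not part of the thread: a minimal check-in/check-out for a transfer box, where every attempt (accepted or rejected) lands in an audit log and the consuming side retrieves by recorded hash. The staging layout, the default root path and the stub scan hook (standing in for the AV scan Bill describes) are assumptions of this example.

```python
import hashlib
import json
import time
from pathlib import Path

# Added example: a minimal "logged check-in / check-out" for the transfer box
# the thread describes. Assumed layout (not from the thread): one staging
# directory per direction under the root, an append-only JSON-lines audit log,
# and an operator-supplied scan hook standing in for the AV scan.

DIRECTIONS = {"lab->prod", "prod->lab"}
DEFAULT_ROOT = "/tmp/transfer-stage-example"   # assumed path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def default_scan(name: str, data: bytes) -> bool:
    # Stand-in for the scanner; a real deployment calls the AV engine here.
    # This stub only refuses a few obviously executable extensions.
    return not name.lower().endswith((".exe", ".dll", ".vbs", ".bat"))


def check_in(name, data, direction, submitter, scan=default_scan, root=DEFAULT_ROOT):
    """Stage a file for the other side and record the attempt, accepted or not."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    digest = sha256_hex(data)
    accepted = bool(scan(name, data))
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "direction": direction, "submitter": submitter, "file": name,
        "sha256": digest, "size": len(data), "accepted": accepted,
    }
    base = Path(root)
    if accepted:
        stage = base / direction.replace("->", "_to_")
        stage.mkdir(parents=True, exist_ok=True)
        (stage / f"{digest}_{Path(name).name}").write_bytes(data)
    base.mkdir(parents=True, exist_ok=True)
    with open(base / "audit.jsonl", "a") as log:   # every attempt is logged
        log.write(json.dumps(record) + "\n")
    return record


def check_out(digest, direction, root=DEFAULT_ROOT):
    """Fetch by recorded hash, re-verifying it so the consumer gets what was staged."""
    stage = Path(root) / direction.replace("->", "_to_")
    for path in stage.glob(f"{digest}_*"):
        data = path.read_bytes()
        if sha256_hex(data) != digest:
            raise RuntimeError(f"{path.name} no longer matches its recorded hash")
        return data
    return None   # rejected or never staged
```

The audit line is the record the thread asks for: who moved what, in which direction, whether it passed the scan, and the hash the other side checks against.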
