So you lay out the security issues and let management decide which is appropriate. If you document it correctly, then if they approve the NTLM, they know they are approving an additional security risk. In a regulated environment, that alone sometimes tips the scales.
You also provide the solution for the desktop team; i.e., "utilize current PE boot media to make network connections" etc... By showing that there is an industry-standard solution, it puts the burden back on them to explain why they're still using old technology. And then if management rules against you, you flip the bit and move on. :-) Of course, you keep copies of all the documentation... :-)

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************

> -----Original Message-----
> From: Christopher Bodnar [mailto:[email protected]]
> Sent: Monday, December 27, 2010 10:31 AM
> To: NT System Admin Issues
> Cc: NT System Admin Issues
> Subject: Re: OT: NTLM and bootable DOS CD
>
> I'm definitely going to try and fight this; from a security perspective it's a no-brainer. The issue will be that the desktop group will say this will push back the deployment of existing systems by a month while they engineer a new process. Almost no way to fight that unless our group is willing to take over the responsibility of doing that work, which we could easily do. Just hate knowing that those guys will put up this road block on something that should take them less than a day to do. I'd love for their management to step in and say "You know what? You are right. We need to redo this process and it's not going to take us a month to do it. We'll have it done by end of the week!" Never going to happen.
>
> Chris Bodnar, MCSE
> Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> From: Kurt Buff <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> Date: 12/27/2010 11:37 AM
> Subject: Re: OT: NTLM and bootable DOS CD
>
> Uh, you've already proved that your way works.
>
> I'd call a meeting, go over their setup with them and identify the points that need improving.
>
> I'll bet that the re-engineering isn't really all that much, and that the end result will actually be faster and better installs.
>
> Kurt
>
> On Mon, Dec 27, 2010 at 07:32, Christopher Bodnar <[email protected]> wrote:
> > Sorry, just venting:
> >
> > OK, so we implemented our new SCCM infrastructure about 9 months ago (all W2K8 servers). Almost done with the migration from our old SMS 2003 infrastructure (W2K3 R2 servers). I get a request from our desktop guys last week to create a few shares on the new SCCM servers to hold the workstation images. No problem. So I get a call from the desktop guys saying they can't access the new shares. I ask them how they are being accessed. They say from a bootable DOS CD. I thought they meant WinPE, so I tested that, and verified there are no issues. Go back to the desktop guys and they say, no, it's really DOS 6.22 using NDIS 2.0. So I start looking into it and found that the old SMS servers have a GPO setting that allows NTLM connections; the rest of the network doesn't. I was not aware of this. Our current policy is to allow NTLMv2 only, and refuse LM and NTLM. I ask them if they can move to WinPE. They tell me the engineering involved will be too much work. So now the question is..... do I put up a fight and go to our Security group and tell them I want to keep NTLMv2, and have the desktop guys re-engineer the process? My guess is that I'll be overruled, and be forced to allow NTLM for the new SCCM servers.
> >
> > Uggghhhh.........
> >
> > Chris Bodnar, MCSE
> > Systems Engineer
> > Distributed Systems Service Delivery - Intel Services
> > Guardian Life Insurance Company of America
> > Email: [email protected]
> > Phone: 610-807-6459
> > Fax: 610-807-6003

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
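As an added illustration (not part of the thread), a PowerShell audit that reads the "Network security: LAN Manager authentication level" setting (registry value LmCompatibilityLevel) from each SCCM/SMS server over Remote Registry and flags any that would still accept LM or NTLM; the server names are constructed placeholders, and the script assumes the Remote Registry service is running on the targets.

```powershell
# Added example: audit LmCompatibilityLevel on a set of servers and flag any
# that still accept LM/NTLM rather than NTLMv2 only. Hostnames below are
# constructed placeholders. Requires Remote Registry on the targets and
# rights to read HKLM.
$Servers = @('sccm01', 'sccm02', 'sms-old01')   # placeholder hostnames

# Meaning of each level as Microsoft documents it. A server refuses LM at
# level 4 and refuses both LM and NTLM at level 5 (the policy the thread
# describes as "NTLMv2 only, refuse LM and NTLM").
$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        $lsa = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        # Returns $null when the value is absent; the OS default then applies.
        return $lsa.GetValue('LmCompatibilityLevel')
    } finally {
        $base.Close()
    }
}

foreach ($s in $Servers) {
    try {
        $level = Get-LmCompatibilityLevel -ComputerName $s
        if ($null -eq $level) {
            $status = 'REVIEW'; $desc = 'not set (OS default applies)'
        } elseif ([int]$level -ge 5) {
            $status = 'OK'; $desc = $LevelText[[int]$level]
        } else {
            # Below 5 the server still answers LM/NTLM clients such as a
            # DOS 6.22 / NDIS 2.0 boot disk; this is the exception being requested.
            $status = 'ACCEPTS NTLM'; $desc = $LevelText[[int]$level]
        }
        [pscustomobject]@{ Server = $s; Level = $level; Status = $status; Meaning = $desc }
    } catch {
        [pscustomobject]@{ Server = $s; Level = $null; Status = 'UNREACHABLE'; Meaning = $_.Exception.Message }
    }
}
```

Run it before and after the GPO change so the exception for the old SMS servers, and its eventual removal, is recorded alongside the management decision.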
