Charlie's advice is dead-on. My question to you, Chris, is why are *you* having to fight this? Shouldn't the security team naturally be the ones championing it?

*ASB* (My XeeSM Profile) <http://XeeSM.com/AndrewBaker>
*Exploiting Technology for Business Advantage...*

On Mon, Dec 27, 2010 at 12:44 PM, Christopher Bodnar <[email protected]> wrote:

> Wow, it's almost like you know the place! (LOL)
>
> Chris Bodnar, MCSE
> Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> From: "VIPCS" <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> Date: 12/27/2010 12:39 PM
> Subject: RE: OT: NTLM and bootable DOS CD
>
> And if you had known about this issue before they began their current deployment, and told them they needed to re-engineer their process, they would have had some excuse why they could not do it then.
>
> (Second law of thermodynamics – simplified form – You cannot win. You cannot break even. It even applies to IT.)
>
> Sincerely,
>
> Jeffrey and Mary Jane Harris
> VIPCS
>
> From: Christopher Bodnar [mailto:[email protected]]
> Sent: Monday, December 27, 2010 12:31 PM
> To: NT System Admin Issues
> Cc: NT System Admin Issues
> Subject: Re: OT: NTLM and bootable DOS CD
>
> I'm definitely going to try and fight this; from a security perspective it's a no-brainer. The issue will be that the desktop group will say this will push back the deployment of existing systems by a month while they engineer a new process. Almost no way to fight that unless our group is willing to take over the responsibility of doing that work, which we could easily do. Just hate knowing that those guys will put up this road block on something that should take them less than a day to do. I'd love for their management to step in and say "You know what? You are right. We need to redo this process and it's not going to take us a month to do it. We'll have it done by end of the week!" Never going to happen.
>
> Chris Bodnar, MCSE
> Systems Engineer
> Distributed Systems Service Delivery - Intel Services
> Guardian Life Insurance Company of America
> Email: [email protected]
> Phone: 610-807-6459
> Fax: 610-807-6003
>
> From: Kurt Buff <[email protected]>
> To: "NT System Admin Issues" <[email protected]>
> Date: 12/27/2010 11:37 AM
> Subject: Re: OT: NTLM and bootable DOS CD
>
> Uh, you've already proved that your way works.
>
> I'd call a meeting, go over their setup with them and identify the points that need improving.
>
> I'll bet that the re-engineering isn't really all that much, and that the end result will actually be faster and better installs.
>
> Kurt
>
> On Mon, Dec 27, 2010 at 07:32, Christopher Bodnar <[email protected]> wrote:
> > Sorry, just venting:
> >
> > OK, so we implemented our new SCCM infrastructure about 9 months ago (all W2K8 servers). Almost done with the migration from our old SMS 2003 infrastructure (W2K3 R2 servers). I get a request from our desktop guys last week to create a few shares on the new SCCM servers to hold the workstation images. No problem. So I get a call from the desktop guys saying they can't access the new shares. I ask them how they are being accessed. They say from a bootable DOS CD. I thought they meant WinPE, so I tested that, and verified there are no issues. Go back to the desktop guys and they say, no, it's really DOS 6.22 using NDIS 2.0. So I start looking into it and found that the old SMS servers have a GPO setting that allows NTLM connections; the rest of the network doesn't. I was not aware of this. Our current policy is to allow NTLMv2 only, and refuse LM and NTLM. I ask them if they can move to WinPE. They tell me the engineering involved will be too much work. So now the question is..... do I put up a fight and go to our Security group and tell them I want to keep NTLMv2, and have the desktop guys re-engineer the process? My guess is that I'll be overruled, and be forced to allow NTLM for the new SCCM servers.
> >
> > Uggghhhh.........
> >
> > Chris Bodnar, MCSE
> > Systems Engineer
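The policy Chris describes (allow NTLMv2 only, refuse LM and NTLM) is the Group Policy setting "Network security: LAN Manager authentication level" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which lands on each machine as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The PowerShell below is an added example, not posted by anyone in this thread; it reads that value from a list of placeholder server names and flags any host whose setting is below 5, i.e. one that would still not refuse LM and/or NTLM. It assumes PowerShell Remoting is enabled on the targets and that you are a local administrator there; the server names are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Audits the "Network security: LAN Manager
# authentication level" policy on a set of servers by reading LmCompatibilityLevel
# from the registry and flags hosts that still permit LM or NTLM.
# Assumptions: PowerShell Remoting (WinRM) is enabled on the targets, the caller is
# a local admin there, and the server names below are placeholders, not real hosts.

$Servers = @('sccm01', 'sccm02', 'sms01')

# Microsoft's documented meaning of each LmCompatibilityLevel value.
$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        # An absent value means "Not Defined": the OS default applies (it varies by
        # Windows version), so return $null instead of guessing a number.
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
}

$report = foreach ($server in $Servers) {
    $level = $null
    try {
        $level = Get-LmCompatibilityLevel -ComputerName $server
    } catch {
        Write-Warning "$server`: $($_.Exception.Message)"
    }

    if ($null -eq $level) {
        $meaning = 'not defined (OS default applies)'
        $refusesLM = $refusesNTLM = $null   # unknown without knowing the OS default
    } else {
        $level = [int]$level
        $meaning = $LevelText[$level]
        # Refusal of the weaker responses only starts at level 4 (LM) and 5 (NTLM);
        # for domain accounts that refusal is enforced by the authenticating DC.
        $refusesLM   = $level -ge 4
        $refusesNTLM = $level -ge 5
    }

    [pscustomobject]@{
        Server      = $server
        Level       = $level
        Meaning     = $meaning
        RefusesLM   = $refusesLM
        RefusesNTLM = $refusesNTLM
        InPolicy    = ($level -eq 5)   # the thread's stated policy: NTLMv2 only
    }
}

$report | Format-Table -AutoSize
```

Run it against both the old SMS servers and the new SCCM servers: a host whose Level column is below 5 (or not defined) is the one carrying the exception Chris found. Note that for domain accounts the LM/NTLM refusal at levels 4 and 5 is ultimately enforced by the domain controller, so the DCs' value matters as much as the file servers'.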
