Nexus Management Security Proposal

 

At the special October 13, 2004 WNAG meeting, we raised four action points that must be resolved before we can consider the nexus security management proposal. They were:

 

 


 

GPOs

 

There are two parts to this solution.

 

GPOMC allows anyone with read privileges to view and copy existing GPOs. This utility is new with Server 2003. What it does not do is allow you to edit other people's GPOs or, more importantly, edit GPOs you created with your previous !! account. Hon and Nevil have verified this.

 

However, using a new feature of ADMAN, we can overcome that limitation. We simply change the ownership of the GPOs to your account, or to a general management account within your OU so that all your departmental managers can edit them. These accounts must also be members of the "nexus GPO creator group". This gives us an easy migration path. (Erick)

 

Moving Students and Changing Passwords

 

This is doable; Nevil has tested it with Science students. We need to set up a group which covers all student areas. This is a work in progress (Hon).

 

Norton/Symantec Antivirus 

 

Nevil has tested it. He can install NAV through Clipper with no problems, check the logs, etc. He can also check the virus logs on machines not in his area (he chose one in Science). He did not try installing to another area.

 

There are some more esoteric NAV operations which people also have to be able to perform. These include creating new policies to manage certain workstations with special NAV policies. This works like a charm if you use the MMC console running with OU privileges on your workstation. It does not work if you attempt the same operation from Clipper, because you are not as privileged there. (Hon demonstrated this.)

 

Faculty Representation

 

The issues of fairness to faculties, perceptions in client areas, and overall security are things we must discuss and eventually resolve at WNAG.

 

We did already vote on the quantity of emergency accounts, arriving at four. It was agreed that two are predetermined by job descriptions (Hon and Erick), and two others should be chosen from campus units other than Engineering Computing.

 

Some options people have suggested (in no particular order, my toned-down wording):

 

 

 


Updated Nov 19, 2004

Erick Engelke