Don Munyak <[EMAIL PROTECTED]> wrote:
> Me too. There a GREAT paper located at first.org (
> http://first.org/resources/guides/#bp11 ).

Yes, I'm familiar with it, among the NSA and other papers.  But it's
good to see it recommended here for others (even if a tad OT).

> If you follow the steps word-for-word...you will lock down the
> box so tight, not even a west virginia teen-ager would complain.

Oh, gotta remember that one (in-laws are from WV ;-).

> Currently each machine is in a workgroup, not domain with no DC.

That can be good and bad.  Good in the fact that you can disable a
lot of RPC services and harden the system well.  Bad in the fact that
if you still use select RPC services (like SMB), you are less secure
because you're not using things like Kerberos ticketing, etc...

> They are essentially stand-alone servers.

2 Questions ...

1)  How are you handling cross-server authentication?  I'm curious
because you're talking about using LDAP on OpenFiler -- but you have
no ADS.  You actually don't need LDAP to do authentication to
Windows, you can use NTLMv2 -- although that opens an RPC service.

2)  How are you handling cross-server user/group mapping then?  In
UNIX, you can do all sorts of mapping without Winbindd.  Or you can
use Winbindd without ADS, but that again opens up an RPC service.

I really need more detail to help you further.
I'm trying to figure out what you want out of LDAP?
Authentication?  User/group mapping?  Both?

> I disabled just about all the services I could without
> sacrificing usability. I went one step further to configure
> an IPSEC policy for limiting traffic ingress/egress.

That helps, although sometimes Microsoft just _disables_ IPSec
without telling you (long story).

> Thanks...I will search the Netscape / Fedora docs
>  ...
> No...explained above. No Domain trusts, trees, forests...etc

So I'm back to being curious about #1 and #2 above.
What do you want out of LDAP?
Just authentication?  User/group mapping?

> Currently doing NTLMv2 after tweaking security policy in Local
> Security MMC.

Okay, that's what I assumed.
You can use PAM directly to authenticate via NTLMv2.

> Thanks again. Since I just finished loading a test box with
> OpenFiler, I will look at share level access first before
> implementing LDAP on the OpenFiler box.

I guess question #3 is if you are using SMB for shares on Windows?
It would really help to know what you're using the Windows servers
for!  ;->

Just Terminal Services / Citrix?
File services via SMB?
Other?

That's really _everything_ to your design consideration and
[possible] use of OpenFiler.


-- 
Bryan J. Smith            Professional, Technical Annoyance
[EMAIL PROTECTED]             http://thebs413.blogspot.com
-----------------------------------------------------------
Americans don't get upset because citizens in some foreign
nations can burn the American flag -- Americans get upset
because citizens in those same nations can't burn their own
_______________________________________________
Openfiler-users mailing list
[email protected]
https://lists.openfiler.com/mailman/listinfo/openfiler-users
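Added example (not from the thread above, and not OpenFiler or Microsoft code): the message says NTLMv2 was enabled "after tweaking security policy in Local Security MMC". The setting behind that dialog is the LmCompatibilityLevel DWORD under HKLM\System\CurrentControlSet\Control\Lsa, and only level 5 makes a stand-alone server refuse incoming LM and NTLM (v1) responses; levels 3 and 4 still accept NTLM from clients. The script below checks an export produced with `secedit /export /cfg <file>` on each workgroup box. The sample .inf text is constructed for the example; the key names and the "type,value" syntax (4 = REG_DWORD) are the real secedit format, and the helper names are my own.

```python
"""Verify NTLMv2-only LSA settings from a `secedit /export /cfg` .inf file."""
from typing import Dict, List, Optional, Tuple

LSA_PREFIX = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
KEY_LM_LEVEL = LSA_PREFIX + "LmCompatibilityLevel"
KEY_NO_LM_HASH = LSA_PREFIX + "NoLMHash"

# Meaning of LmCompatibilityLevel (Local Security Policy -> Network security:
# LAN Manager authentication level).
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}

# Constructed sample of what secedit exports (real files are UTF-16 LE).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_registry_values(inf_text: str) -> Dict[str, Tuple[int, str]]:
    """Return {registry_key: (reg_type, value)} from the [Registry Values] section."""
    values: Dict[str, Tuple[int, str]] = {}
    section: Optional[str] = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values":
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            continue
        reg_type, _, reg_value = rest.partition(",")
        values[key.strip()] = (int(reg_type), reg_value.strip())
    return values


def load_inf(path: str) -> Dict[str, Tuple[int, str]]:
    """Read a secedit export from disk; secedit writes UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_registry_values(fh.read())


def assess_ntlm(values: Dict[str, Tuple[int, str]]) -> Dict[str, object]:
    """Report whether the box only accepts NTLMv2 and stores no LM hashes."""
    findings: List[str] = []
    level: Optional[int] = None
    if KEY_LM_LEVEL in values:
        level = int(values[KEY_LM_LEVEL][1])
        findings_desc = LM_LEVELS.get(level, "unknown level")
        if level < 3:
            findings.append(f"level {level} ({findings_desc}): still sends LM/NTLM as a client")
        if level < 4:
            findings.append(f"level {level}: still accepts LM responses from clients")
        if level < 5:
            findings.append(f"level {level}: still accepts NTLM (v1) responses from clients")
    else:
        findings.append("LmCompatibilityLevel not set; the OS default applies")

    if values.get(KEY_NO_LM_HASH, (4, "0"))[1] != "1":
        findings.append("NoLMHash is not 1: LM hashes of local accounts are still stored")

    return {
        "level": level,
        "ntlmv2_only_inbound": level == 5,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess_ntlm(parse_registry_values(SAMPLE_INF))
    print(report)
```

Run it against a real export with `assess_ntlm(load_inf(r"C:\tmp\policy.inf"))`. On the OpenFiler side the matching Samba knobs are `lanman auth = no` and `ntlm auth = no` in smb.conf, so that the Linux box also refuses LM and NTLM (v1) from the Windows clients.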
