Re: privilege timeout
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/30/04
- Next message: hayden hill: "Same Internet Domain and AD Domain Name"
- Previous message: Ace Fekay [MVP]: "Re: CSVDE"
- In reply to: Chris: "privilege timeout"
- Next in thread: Doug Frisk: "Re: privilege timeout"
- Reply: Doug Frisk: "Re: privilege timeout"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 29 Dec 2004 23:02:36 -0700
In addition to both valid responses so far, I believe that
you should address with those specifying this requirement
that it is, although not totally useless, window-dressing of
sorts. The client machine security, and/or digital rights
constraints on the documents, should be addressed.
You can go through hoops trying to effect the object of your
initial posting but still have not addressed the fact that they
can copy all docs to which they have access onto their
desktop/laptop and then walk off leaving that client and
the sensitive docs available to those that walk past.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Chris" <Chris@discussions.microsoft.com> wrote in message news:FF2890B6-A2A3-4D7A-9419-C48EFA35B647@microsoft.com...
> I am trying to configure a handful of Windows file servers to timeout user
> connections (like mapped drives) after a certain amount of idle time and make
> the user reauthenticate after that time is up. This is trying to mitigate the
> problem where a user authenticates to a sensitive file server and then walks
> away from the computer. I do not want to have their computer automatically
> lock itself...I just want that session to the sensitive file server to
> timeout and require reauthentication.
>
> My first thought was to have the user's kerberos tickets expire if they're
> logged on as a domain user. I was able to change the domain GPO to
> successfully get the tickets expiring, however, the session tickets were
> automatically reissued if the user tried to connect to the same file server
> after the ticket expired. Is this due to any sort of credentials caching
> that can be disabled? (sort of like q299656, perhaps?) Again, my goal is to
> have these session tickets expire and make the user reauthenticate to
> generate them again, but I do not want the user to get logged out of their
> local domain login session.
>
> If the above problem could be solved that would at least solve some of my
> problems. However, my corporation needs to be able to support employees
> accessing these file servers from personal laptops that are not part of the
> domain either locally or remotely through VPN. I understand that in these
> cases NTLMv2 is used instead of Kerberos for authentication. Is there any way
> to get Kerberos authentication to work in these situations (the user is
> logging on from a non-domain computer, though they will authenticate using
> their domain user account) using either built-in Windows Kerberos support or
> some third party option (MIT's Leash for example)?
>
> If not, is there any way to get sessions authenticated using NTLMv2 to
> timeout and require reauthentication?
>
> Thanks in advance for your help!
>
> Chris
>
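A defender-side check related to the ticket-lifetime approach Chris describes, added here as an example and not code from the thread or from any of its posters: it parses the ticket list a Windows client reports through klist.exe and compares each ticket's lifetime with the ceilings an administrator intends to enforce through the domain Kerberos Policy GPO. The policy values, the sample tickets and the host names are constructed placeholders; the field labels are assumed to match the English output of klist.exe.

```powershell
# Added example (not from the thread). Audits Kerberos ticket lifetimes reported
# by klist.exe against intended Kerberos Policy ceilings.
# Assumptions: English klist.exe output; constructed placeholder policy values
# and sample tickets; timestamps parsed with the invariant culture (M/d/yyyy).

$MaxTgtHours     = 10   # "Maximum lifetime for user ticket" (assumed policy value)
$MaxServiceHours = 1    # "Maximum lifetime for service ticket" (assumed policy value)

# Constructed klist-style output so the script runs offline.
# On a live client use:  $raw = (klist.exe) -join "`n"
$raw = @"
Cached Tickets: (2)

#0>     Client: chris @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 12/29/2004 8:00:00 (local)
        End Time:   12/29/2004 18:00:00 (local)
        Renew Time: 1/5/2005 8:00:00 (local)

#1>     Client: chris @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        Start Time: 12/29/2004 9:15:00 (local)
        End Time:   12/29/2004 19:15:00 (local)
        Renew Time: 1/5/2005 8:00:00 (local)
"@

function Get-KerberosTicketInfo {
    param([string]$KlistText)
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    # klist prefixes each cached ticket with "#n>", so split on that marker
    $chunks = $KlistText -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($chunk in $chunks) {
        $server = [regex]::Match($chunk, 'Server:\s*(\S+)').Groups[1].Value
        # Capture the timestamp up to the "(local)" suffix
        $startText = [regex]::Match($chunk, 'Start Time:\s*([^\(]+)').Groups[1].Value.Trim()
        $endText   = [regex]::Match($chunk, 'End Time:\s*([^\(]+)').Groups[1].Value.Trim()
        $start = [datetime]::Parse($startText, $culture)
        $end   = [datetime]::Parse($endText, $culture)
        [pscustomobject]@{
            Server        = $server
            IsTgt         = ($server -like 'krbtgt/*')
            LifetimeHours = [math]::Round(($end - $start).TotalHours, 2)
            EndTime       = $end
        }
    }
}

function Test-TicketPolicy {
    param([string]$KlistText, [double]$TgtMax, [double]$ServiceMax)
    foreach ($t in Get-KerberosTicketInfo -KlistText $KlistText) {
        # A TGT is bounded by the user-ticket ceiling, everything else by the service-ticket ceiling
        if ($t.IsTgt) { $kind = 'TGT';     $limit = $TgtMax }
        else          { $kind = 'service'; $limit = $ServiceMax }
        [pscustomobject]@{
            Server         = $t.Server
            Kind           = $kind
            LifetimeHours  = $t.LifetimeHours
            PolicyMaxHours = $limit
            ExceedsPolicy  = ($t.LifetimeHours -gt $limit)
        }
    }
}

Test-TicketPolicy -KlistText $raw -TgtMax $MaxTgtHours -ServiceMax $MaxServiceHours |
    Format-Table -AutoSize
```

With the constructed sample, the cifs/fs01.corp.example row is flagged because its 10-hour lifetime exceeds the assumed 1-hour service-ticket ceiling, which is the kind of gap that shows a GPO change has not reached the client. The TGT row is the one to watch for the behaviour Chris reports: when a service ticket expires, the client simply requests a fresh one from the KDC with its still-valid TGT, so shortening the service-ticket lifetime alone does not prompt the user, and the check reports both lifetimes side by side for that reason.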