RE: [squid-users] 2.5

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Mon, 18 Mar 2002 08:22:54 +1000 (EST)

On Fri, 15 Mar 2002, Boosten, Peter wrote:

> Right now we have 18000+ users, of which 6000+ are allowed to browse the
> internet. They have to authenticate via ncsa. The problem is, that some of
> them share their account with other (non-authorized) users, and the problem
> is growing. We have a security-policy for this kind of behaviour, but no-one
> seems to care. The managing board wants those users to authenticate
> with their NT-account, because NT-passwords will not be shared that easily
> (users could access other users personal email for instance).

So, you put NTLM in place and assume I will not share my password with
others. Fine. I can still "share" my account. If I put a proxy capable of
authenticating with your squid on my NT box, I can still share my access.
No one but me need know my username/password. Anyone can use my proxy.
Your efforts to stop me sharing have just failed.

This is a management problem. You need to check your logs for "407"
responses and try to work out which ones are multiple uses of the same
username/password and which are just users stopping and restarting their
browsers.

You can slow the users down if you used a more rigorous password scheme
like challenge/response or single use passwords. This unfortunately won't
stop those users smart enough to put a proxy on their PCs.

A very similar thread was actually discussed a couple of days ago. There
isn't a lot you can do. Whatever you do will be overcome by smart users.
One thing you can do that might annoy them though is to limit the number
of connections per user. That might make the "unofficial" proxies slow
enough to be painful and frustrating to use. If you suspect someone of
sharing, try rate-limiting them. Slow them down. Annnnoy them out of
existence. If they're breaking the rules, they're unlikely to complain.

Colin
Received on Sun Mar 17 2002 - 15:23:03 MST
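The log check suggested in this reply, worked through as an added example that is not part of the thread and not Squid's own code: a small Python script that parses Squid native-format access.log lines and does the two things the reply asks for. It counts 407 responses per client address (a burst from one address looks like a browser restart) and flags usernames that show up from more than a configurable number of distinct client addresses inside a sliding time window, which is what a shared account or an "unofficial" proxy would produce. The sample log lines, addresses and usernames are constructed for the example; the window and threshold are assumptions to tune for a real site.

```python
"""Spot shared proxy accounts in a Squid native-format access.log.

Native log fields: time elapsed client code/status bytes method url user hier/peer [type]
"""
from collections import defaultdict
from dataclasses import dataclass
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)(?:\s+(?P<type>\S+))?$"
)

# Constructed sample: alice restarts her browser twice from one PC (two 407s,
# same address); bob's name is used from three different addresses in a few minutes.
SAMPLE_LOG = """\
1016398800.001      0 10.1.2.3 TCP_DENIED/407 1700 GET http://www.example.com/ - NONE/- text/html
1016398800.245    245 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ alice DIRECT/192.0.2.10 text/html
1016398850.003      0 10.1.2.3 TCP_DENIED/407 1700 GET http://www.example.com/a - NONE/- text/html
1016398850.300    210 10.1.2.3 TCP_MISS/200 2048 GET http://www.example.com/a alice DIRECT/192.0.2.10 text/html
1016399000.010      0 10.1.7.9 TCP_DENIED/407 1700 GET http://www.example.org/ - NONE/- text/html
1016399000.400    390 10.1.7.9 TCP_MISS/200 9000 GET http://www.example.org/ bob DIRECT/192.0.2.20 text/html
1016399100.500    120 10.1.7.44 TCP_HIT/200 3000 GET http://www.example.org/x bob NONE/- text/html
1016399160.700    130 10.1.7.45 TCP_HIT/200 3000 GET http://www.example.org/y bob NONE/- text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    status: int
    user: str


def parse_line(line):
    """Return an Entry for one native-format log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], int(m["status"]), m["user"])


def auth_challenges(lines):
    """Count 407 (proxy authentication required) responses per client address."""
    counts = defaultdict(int)
    for line in lines:
        e = parse_line(line)
        if e and e.status == 407:
            counts[e.client] += 1
    return dict(counts)


def shared_accounts(lines, window=3600.0, max_ips=1):
    """Return {user: sorted client addresses} for every username that was used from
    more than `max_ips` distinct addresses within any `window` seconds.

    A 407 line carries no username ("-"), so only authenticated requests count.
    """
    by_user = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None or e.user == "-":
            continue
        by_user[e.user].append(e)

    flagged = {}
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e.ts)
        start = 0
        in_window = defaultdict(int)  # client address -> requests inside the window
        for end, e in enumerate(entries):
            in_window[e.client] += 1
            # slide the window start forward until it is within `window` of `end`
            while entries[end].ts - entries[start].ts > window:
                old = entries[start].client
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_ips:
                flagged.setdefault(user, set()).update(in_window)
    return {u: sorted(ips) for u, ips in flagged.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("407s per client:", auth_challenges(lines))
    print("users seen from several addresses:", shared_accounts(lines))
```

Run it against a real access.log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; a user flagged from two addresses may simply have a desktop and a laptop, so treat the output as a list of names to look at, not proof. The same idea can be enforced in the proxy itself: Squid's `max_user_ip` ACL type matches when a username is used from more than a given number of addresses, which lets you deny or slow those sessions rather than only report them.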