NT Security in an Open Academic Environment

Stanford Linear Accelerator Center (SLAC) was faced with the need to secure its PeopleSoft/Oracle business system in an academic environment which only has a minimal firewall. To provide protected access to the database servers for NT-based users all over the site while not hindering the lab's open connectivity with the Internet, we implemented a pseudo three-tier architecture for PeopleSoft with Windows Terminal Server and Citrix MetaFrame technology. The client application and Oracle database were placed behind a firewall, and access was granted via an encrypted link to a thin client. Authentication in the future will be through two-factor token cards. NT workstations in the business system unit were further secured through switched network ports and an automated installation process that included SMB signing and disabling LM Authentication in favor of NTLMv2. The hardened workstations then accessed the business system through the Citrix Secure ICA client. How these security measures affected our mixed environment (Windows9x, Samba, Transarc AFS clients, Pathworks, developers, researchers) is discussed.