TFC management is concerned with the TFC\JIngalls
account, owned by Jeff Ingalls, and is subject to malicious internal and external attacks due to its permanent membership in the TFCAdmins
group. The TFCAdmins
group grants access to several highly confidential shares and servers. TFC management likes to utilize PAM to eliminate the permanent membership of the TFCAdmins
group, mitigating risk while still allowing Jeff to do his job.
To validate our PAM deployment works, Jeff will gain access to an NTFS-secured file through a PAM request. In the past, he could open up the file directly, but under PAM, he will need to perform an extra request step before he can access the file. To set up the scenario, a folder named TOPSECRET
on the TFCWIN10 workstation will have NTFS permissions applied to only allow access to members of the TFCAdmins
group. Once PAM is deployed, the TFC\JIngalls
account will not be in the TFCAdmins
group. Yet, through PAM, Jeff will be able to access a file named...