Separate and Unequal

By John Rizzo  |  Posted 2004-07-13 Print this article Print

For administrators of enterprise networks, Mac clients are a pain. They still need special care that isnt required with Windows clients. This applies to access to Exchange Server and support for Microsoft server clusters. Certainly, this situation isnt all Apples fault, and third-party products go a long way toward filling in the holes. For example, Group Logics ExtremeZ-IP lets Macs access Microsoft clusters using AFP (Apple Filing Protocol).
Still, the fact remains that the separate and unequal status remains a barrier to the wider acceptance of Macs in enterprise.
The biggest barrier is integration with Microsofts Active Directory. Apple offers two choices to integrate Panther with Microsofts Active Directory. You can make changes to the Windows Server schema—a risky proposition that few admins are willing to undertake—or install Mac OS X Server on the network. A third-party option is to install Thursby Softwares AdmitMac tool on the Mac clients. Any way you look at, the Macs require special treatment. But even when Macs join the Active Directory, they can still require special handling due to a lack of compatibility with certain Windows authentication features. Once such feature is SMB signing, which is similar to a digital signature. SMB signing has been around since Windows NT 4.0, but Windows Server 2003 domain controllers now default to having SMB signing turned on. In order to accommodate Macs, admins needs to turn off SMB signing in their policy settings. Or they can add a third-party Mac product such as Thursbys AdmitMac and DAVE, or Sharity 2.9 from Objective Development Software GmbH. Other deficiencies make Macs less secure on Windows networks. Theres currently no support of NTMLv2 authentication unless you add one of the third-party solutions to the Mac. Then there is the problem with cleartext authentication in Windows domains. "Apple doesnt provide an admin setting to prevent transmission of cleartext passwords—something Microsoft has had since Windows NT 4.0," Nelson observed. For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. But this isnt a case of poor security with Mac OS X. For instance, you can eliminate cleartext in file serving if you install an Apple Filing Protocol server, such as ExtremeZ-IP, on a Windows server. "Apples security is great—until you get into cross-platform situations," Nelson added. This explains why Kerberos authentication and SMB home folders are on Apples list of Panther features as well as on the list of new Tiger features. In Panther, they work in all-Mac environments but are problematic in Windows domains. Next Page: Bright spots on the Tiger.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel