Re: [fw-wiz] Architecture Q - Public access domain integrated pc's
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/19/04
- Previous message: Gwendolynn ferch Elydyr: "RE: [fw-wiz] Worms, Air Gaps and Responsibility"
- In reply to: Jeff Boles: "[fw-wiz] Architecture Q - Public access domain integrated pc's"
- Next in thread: Jeff B: "RE: [fw-wiz] Architecture Q - Public access domain integrated pc's"
- Reply: Jeff B: "RE: [fw-wiz] Architecture Q - Public access domain integrated pc's"
To: Jeff Boles <bolesjb@yahoo.com>
Date: Tue, 18 May 2004 22:20:03 -0400 (EDT)
On Tue, 18 May 2004, Jeff Boles wrote:
> security and controlling system vulnerabilities. We'd
> like to integrate into an AD architecture which also
> supports the core enterprise (non-public users) as
> well. Public users would be identity-less guest
> accounts with automatic logon, with passwordless
> terminal services accounts set up on a per device
> basis, and desktop access controlled via the third
> party logon product. The need for Active Directory
> integration is to manage these terminal servers, as
> well as some non-terminal public systems (updates and
> patches) with the same management infrastructure in
> place on the enterprise network (SUS, SMS, etc.).
Someone else will have to answer the specifics, but in general terms,
using the same authentication method for untrusted systems as trusted
systems tends to be a bad trust boundary crossover. With AD, it seems to
me that there have been significant "once you're in, you're in and once
you escalate you're in _everywhere_" type issues. Surely it's not that
much more administrative work to have a separate forest for the public
stuff and add duplicate accounts for those things that need them?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards