Re: [fw-wiz] Architecture Q - Public access domain integrated pc's

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 05/19/04

  • Next message: Gwendolynn ferch Elydyr: "[fw-wiz] Speaking of the non-technical and security"
    To: Jeff Boles <bolesjb@yahoo.com>
    Date: Tue, 18 May 2004 22:20:03 -0400 (EDT)
    
    

    On Tue, 18 May 2004, Jeff Boles wrote:

    > security and controlling system vulnerabilities. We'd
    > like to integrate into an AD architecture which also
    > supports the core enterprise (non-public users) as
    > well. Public users would be identity-less guest
    > accounts with automatic logon, with passwordless
    > terminal services accounts set up on a per-device
    > basis, and desktop access controlled via the third
    > party logon product. The need for Active Directory
    > integration is to manage these terminal servers, as
    > well as some non-terminal public systems (updates and
    > patches) with the same management infrastructure in
    > place on the enterprise network (SUS, SMS, etc.).

    Someone else will have to answer the specifics- but in general terms,
    using the same authentication method for untrusted systems as trusted
    systems tends to be a bad trust boundary crossover. With AD, it seems to
    me that there have been significant "once you're in, you're in and once
    you escalate you're in _everywhere_" type issues. Surely it's not that
    much more administrative work to have a separate forest for the public
    stuff and add duplicate accounts for those things that need them?

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

