RE: [fw-wiz] Architecture Q - Public access domain integrated pc's
From: Jeff B (bolesjb_at_yahoo.com)
Date: 05/19/04
- In reply to: Paul D. Robertson: "Re: [fw-wiz] Architecture Q - Public access domain integrated pc's"
To: "'Paul D. Robertson'" <paul@compuwar.net>
Date: Tue, 18 May 2004 20:05:54 -0700
Hi Paul:
Those are my feelings also, but the difficulty I struggle with is that I
don't believe we can effectively 'architect' the MS management products into
two forests with any effective degree of isolation. Which is fundamentally
the insane issue I'm trying to address. I believe MS has effectively
engineered an environment where I either a) must use duplicate instances of
management tools to address a trusted and untrusted segment, or b) open up
enough holes (for authentication to separate forests) that it violates all
significant security boundaries anyhow.
-----Original Message-----
From: Paul D. Robertson [mailto:paul@compuwar.net]
Sent: Tuesday, May 18, 2004 7:20 PM
To: Jeff Boles
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Architecture Q - Public access domain integrated pc's
On Tue, 18 May 2004, Jeff Boles wrote:
> security and controlling system vulnerabilities. We'd like to
> integrate into an AD architecture which also supports the core
> enterprise (non-public users) as well. Public users would be
> identity-less guest accounts with automatic logon, with passwordless
> terminal services accounts set up on a per device basis, and desktop
> access controlled via the third party logon product. The need for
> Active Directory integration is to manage these terminal servers, as
> well as some non-terminal public systems (updates and
> patches) with the same management infrastructure in place on the
> enterprise network (SUS, SMS, etc.).
Someone else will have to answer the specifics, but in general terms, using
the same authentication method for untrusted systems as trusted systems
tends to be a bad trust boundary crossover. With AD, it seems to me that
there have been significant "once you're in, you're in and once you escalate
you're in _everywhere_" type issues. Surely it's not that much more
administrative work to have a separate forest for the public stuff and add
duplicate accounts for those things that need them?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
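The exchange above turns on what a trust between a separate public-access forest and the enterprise forest would let through. As an added example that is not part of this thread, the following PowerShell audit (written for the RSAT ActiveDirectory module; the forest name is a placeholder) reports the trust settings that widen that authentication path, so the "holes" Jeff describes can at least be enumerated rather than assumed:

```powershell
# Added example, not code from the fw-wiz thread: audit the trust(s) an
# enterprise forest holds with a separate public-access forest.
# Assumption: the public forest is named 'public.example.invalid' (placeholder).
$PublicForest = 'public.example.invalid'

function Test-PublicForestTrust {
    # Accepts an ADTrust object from Get-ADTrust, or any object with the
    # same property names (used below for an offline, constructed sample).
    param([Parameter(Mandatory)] $Trust)

    $issues = @()
    if ($Trust.Direction -eq 'BiDirectional') {
        # Two-way trust: principals authenticate across the boundary in both directions.
        $issues += 'two-way trust; a one-way trust limits which side can authenticate into the other'
    }
    if (-not $Trust.SelectiveAuthentication) {
        # Forest-wide authentication grants every principal of the other forest
        # the Authenticated Users SID on this side.
        $issues += 'selective authentication off; every public-forest principal becomes Authenticated Users here'
    }
    if ($Trust.ForestTransitive) {
        # A forest trust extends to every domain in the other forest, not one domain.
        $issues += 'forest-transitive; trust covers all domains of the public forest'
    }
    [pscustomobject]@{
        Trust     = $Trust.Name
        Direction = $Trust.Direction
        Issues    = $issues
    }
}

# Constructed sample standing in for Get-ADTrust output, so the checks can be
# read and run without a domain controller.
$sample = [pscustomobject]@{
    Name                    = $PublicForest
    Direction               = 'BiDirectional'
    SelectiveAuthentication = $false
    ForestTransitive        = $true
}
Test-PublicForestTrust $sample | Format-List

# Live run from the enterprise side (requires the ActiveDirectory module):
# Import-Module ActiveDirectory
# Get-ADTrust -Filter * | Where-Object Name -eq $PublicForest |
#     ForEach-Object { Test-PublicForestTrust $_ }
```

An empty Issues list means the trust is one-way, selective, and non-transitive; it does not mean the management tooling Jeff mentions will work across it, which is the separate question the thread leaves open.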