RE: AD structure for a school environment

From: Chris Lynch (lynch00_at_cox.net)
Date: 11/12/03

  • Next message: Charles Cassagnol: "RE: AD structure for a school environment"

    To: <thenile@ziplip.com>, <focus-ms@securityfocus.com>
    Date: Wed, 12 Nov 2003 10:06:42 -0800

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    You could accomplish it all with the same domain. For security's sake, I
    would do the following:

    1. Create a different VLAN for your students.
    2. Create one Forest with one tree and domain.
    3. Install MetaFrame XP.
    4. Create some published applications for the students to access
       (Outlook/OWA, Internet Explorer, etc.).
    5. Create an internal Citrix Web Interface portal (formerly known as NFuse).
    6. Give your students access to this portal and nothing else (maybe with
       the exception of Internet access from their own PCs). This way, you can
       control the environment for the students, and it can be locked down for
       security purposes.

    This is fairly common in other schools that I know of across the US and in
    Canada. If you have any specific questions about this, feel free to email
    me off list.

    Chris

    - -----Original Message-----
    From: thenile@ziplip.com [mailto:thenile@ziplip.com]
    Sent: Tuesday, November 11, 2003 8:55 PM
    To: focus-ms@securityfocus.com
    Subject: AD structure for a school environment

    Hi,

    We are a college with about 100 PCs for students and 100 staff PCs, with a
    couple of staff members in HR, a couple in marketing .....

    I am not sure what would be the best AD design to have, taking into
    consideration that some data (HR data, exams, students' marks) needs to be
    secured and out of reach of the students.
    We will be using Windows 2003 and Exchange 2003 and Cisco ACLs.

    The current setup is pretty bad: the students are located on a different
    VLAN than the staff and there is a one-way trust relationship between the
    students and the staff domains. However, the student servers (PDC and
    Exchange) have had dual NICs for years between the staff and the students
    network, which is pretty insecure. The reason to have dual NICs was to
    provide the teachers with access to the students' home folders and to be
    able to share the GAL.

    I am fairly new to NT/AD so I am not sure what the best design would be. I
    had in mind isolating the servers on VLAN A, the staff on VLAN B and the
    students on VLAN C, but I am not sure what is a good AD structure for the
    whole thing, making it as secure as possible, removing the dual NICs and
    still being able to access the students' home folders and share the GAL.

    Having a different domain for students or having a different OU within the
    same domain ....???

    Any recommendations, links ... would be greatly appreciated.

    Thank you,

    Jad

    -
    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
    and use priority code SF4.
    -
    ---------------------------------------------------------------------------

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0.3
    Comment: Public PGP Key for Chris Lynch.

    iQA/AwUBP7J2sm9fg+xq5T3MEQIsqgCeO4jtan4riSnlLSneCRpQN/jDoz4AoLfY
    8h8VZA4CWkbSl/It1WeOqV5q
    =lp02
    -----END PGP SIGNATURE-----


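    The single-domain design Chris recommends relies on OUs, security groups and
    file-system ACLs, not on a domain boundary or dual-homed servers, to keep HR
    data, exams and marks away from students (in AD the forest, not the domain,
    is the security boundary, so a second student domain in the same forest would
    not buy much anyway). The script below is an added example, not code from the
    original thread or from either poster, showing that layout in PowerShell with
    the ActiveDirectory module. It assumes a Windows Server 2008 R2 or later domain
    controller (the module postdates the Windows 2003 environment in the question),
    a file server with a D:\Shares tree, and the OU, group, share and UNC names used
    here, all of which are hypothetical.

```powershell
# Added example (not from the original thread): single-domain AD layout for a college,
# isolating staff data from students with OUs, groups and NTFS ACLs instead of a
# second domain or dual-NIC servers. Domain, OU, group, path and UNC names are assumed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=college,DC=example (assumed)
$domainNB = (Get-ADDomain).NetBIOSName

# 1. One OU per population plus one for servers, so GPOs and delegation can differ per OU.
foreach ($ou in 'Staff', 'Students', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Global security groups; group membership, not domain membership, gates access to data.
$groups = @{ 'Staff-All' = 'Staff'; 'Staff-HR' = 'Staff'; 'Staff-Teachers' = 'Staff'; 'Students-All' = 'Students' }
foreach ($g in $groups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "OU=$($groups[$g]),$domainDN"
    }
}

# 3. NTFS ACLs on the file server (paths assumed). Inheritance is broken so that
#    'Domain Users' or 'Authenticated Users' ACEs from the volume root cannot leak
#    HR or exam data to student accounts.
function Set-RestrictedFolderAcl {
    param(
        [string]$Path,
        [string[]]$ModifyGroups = @(),
        [string[]]$ReadGroups = @()
    )
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($g in $ModifyGroups) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($g, 'Modify', $inherit, $prop, 'Allow')))
    }
    foreach ($g in $ReadGroups) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($g, 'ReadAndExecute', $inherit, $prop, 'Allow')))
    }
    # Local Administrators keep full control so the server stays manageable.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

Set-RestrictedFolderAcl -Path 'D:\Shares\HR'    -ModifyGroups "$domainNB\Staff-HR"
Set-RestrictedFolderAcl -Path 'D:\Shares\Exams' -ModifyGroups "$domainNB\Staff-Teachers"

# 4. Student home folders: each student can modify only their own folder, and teachers
#    read all of them. This replaces the dual-NIC path described in the original question.
$homeRoot = 'D:\Shares\StudentHomes'
Set-RestrictedFolderAcl -Path $homeRoot -ReadGroups "$domainNB\Staff-Teachers"
foreach ($u in Get-ADUser -Filter * -SearchBase "OU=Students,$domainDN") {
    $home = Join-Path $homeRoot $u.SamAccountName
    Set-RestrictedFolderAcl -Path $home -ModifyGroups "$domainNB\$($u.SamAccountName)" -ReadGroups "$domainNB\Staff-Teachers"
    # Hypothetical UNC; the hidden share StudentHomes$ is assumed to exist on \\fileserver.
    Set-ADUser $u -HomeDirectory "\\fileserver\StudentHomes$\$($u.SamAccountName)" -HomeDrive 'H:'
}

# 5. Check: nothing on the restricted folders may name a student-reachable principal.
$forbidden = 'Students-All', 'Domain Users', 'Everyone', 'Authenticated Users', 'Users'
foreach ($p in 'D:\Shares\HR', 'D:\Shares\Exams') {
    $bad = (Get-Acl $p).Access | Where-Object {
        $id = $_.IdentityReference.Value
        @($forbidden | Where-Object { $id -eq $_ -or $id -like "*\$_" }).Count -gt 0
    }
    if ($bad) { Write-Warning ("{0} grants access to: {1}" -f $p, (($bad | ForEach-Object { $_.IdentityReference.Value }) -join ', ')) }
    else      { Write-Host "$($p): no student-reachable ACEs" }
}
```

    The check in step 5 is the part worth keeping around: run it after any share is
    created or moved, because a folder created under an inherited root silently picks
    up whatever 'Users' or 'Authenticated Users' ACE the volume carries. The share-level
    permissions (and the Cisco ACLs between the VLANs, which are not shown here) are an
    additional layer; the NTFS ACLs above are what actually decide whether a student
    logon can read the HR folder once it can reach the server at all.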
