Re: AD structure for a school environment

From: Markus Rossi (securityfocus_at_familyrossi.com)
Date: 11/13/03

    Date: Thu, 13 Nov 2003 07:43:03 +0200
    To: "thenile@ziplip.com" <thenile@ziplip.com>

    Hi,

    I think the question boils down to how to enable AD replication across a
    firewall separating a trusted domain/subnet and an insecure
    domain/subnet with minimal risk. You're right in getting rid of dual
    NICs. You have to assume that servers in the untrusted network are "dirty".

    The starting point would be to set up a one-way AD trust between the
    parent staff domain and child student domain. Then only allow necessary
    traffic on the firewall level. First create rules that block access from
    the student network to the staff network. Second, permit access from
    staff PCs to the student file server. This is easy with a stateful
    firewall. Third, make sure AD replication still works. A crude method is
    to make pinholes for specific ports to permit access from the student
    server to the staff server, but ideally you'd block all connections and
    configure AD such that only the staff server initiates the connection
    between the two. Any suggestions on how to do this?

    MR

    thenile@ziplip.com wrote:

    >Hi,
    >
    >We are a college with about 100 PCs for students and 100 staff PCs,
    >with a couple of staff members in HR, a couple in marketing .....
    >
    >
    >I am not sure what would be the best AD design to have, taking into consideration that some data (HR data, exams, students' marks) needs to be secured and out of reach of the students.
    >We will be using Windows 2003 and Exchange 2003 and Cisco ACLs.
    >
    >The current setup is pretty bad: the students are located on a different VLAN than the staff and there is a one-way trust relationship between the student and the staff domains. However, the student servers (PDC and Exchange) have had dual NICs for years between the staff and the student networks, which is
    >pretty insecure. The reason to have dual NICs was to provide the teachers with access to the students' home folders and to be able to share the GAL.
    >
    >
    >I am fairly new to NT/AD so I am not sure what the best design would be. I had in mind isolating the servers on VLAN A, the staff on VLAN B and the students on VLAN C, but I am not sure what a good AD structure for the whole thing is, making it as secure as possible, removing the dual NICs and still being able to access the students' home folders and share the GAL.
    >
    >Having a different domain for students or having a different OU within the same domain ....???
    >
    >
    >Any recommendations, links ... would be greatly appreciated.
    >
    >Thank you,
    >
    >Jad
    >

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
    and use priority code SF4.
    ---------------------------------------------------------------------------
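As an added illustration of the rule ordering Markus describes (not from the original thread), here is a Cisco IOS extended ACL applied inbound on the student VLAN interface. The addresses, the VLAN numbers, the restricted RPC port range and the assumption that the student DC's replication RPC port has been pinned to that range are all assumptions for the example; the point is that the specific replication pinholes must precede the blanket student-to-staff deny, because IOS ACLs are first-match, and that the deny is logged so attempts from the untrusted side show up in the router log.

```cisco
! Assumed addressing: staff net 10.10.0.0/16, student net 10.20.0.0/16
! Assumed hosts: staff DC 10.10.0.10, student DC 10.20.0.10
ip access-list extended STUDENT-TO-STAFF
 ! --- Step 3: AD replication pinholes, student DC -> staff DC only ---
 ! Listed first: a later blanket deny would otherwise shadow them.
 remark AD replication from student DC to staff DC
 permit tcp host 10.20.0.10 host 10.10.0.10 eq 135
 permit tcp host 10.20.0.10 host 10.10.0.10 eq 389
 permit udp host 10.20.0.10 host 10.10.0.10 eq 389
 permit tcp host 10.20.0.10 host 10.10.0.10 eq 445
 permit tcp host 10.20.0.10 host 10.10.0.10 eq 88
 permit udp host 10.20.0.10 host 10.10.0.10 eq 88
 permit udp host 10.20.0.10 host 10.10.0.10 eq 53
 ! Assumes the DC's replication RPC port is pinned into this range;
 ! without that, the dynamic RPC port cannot be expressed in an ACL.
 permit tcp host 10.20.0.10 host 10.10.0.10 range 50000 50100
 ! --- Step 2: return traffic for sessions opened by staff PCs ---
 ! 'established' only checks TCP flags; a stateful inspect is better.
 remark replies to staff-initiated connections (e.g. home folder access)
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 established
 ! --- Step 1: everything else from students to staff is blocked ---
 deny   ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 ! Student traffic to other destinations (e.g. the internet) continues.
 permit ip 10.20.0.0 0.0.255.255 any
!
interface Vlan20
 description Student VLAN (assumed number)
 ip access-group STUDENT-TO-STAFF in
```

The staff-to-student direction needs no deny rule for Markus's design; only the student-side deny with `log` is what makes attempts visible.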

