RE: AD structure for a school environment
Date: 11/13/03

    To: focus-ms@securityfocus.com
    Date: Thu, 13 Nov 2003 17:27:15 +0100

    > We are a college with about 100 PCs for students and 100 staff PCs,
    > with a couple of staff members in HR, a couple in marketing .....
    > I am not sure what would be the best AD design to have, taking
    > into consideration that some data (HR data, exams, students' marks)
    > needs to be secured and out of reach of the students.
    > We will be using Windows 2003 and Exchange 2003 and Cisco ACLs.
    > The current setup is pretty bad: the students are located on a
    > different VLAN than the staff and there is a one-way trust
    > relationship between the students and the staff domains. However,
    > the students' servers (PDC and Exchange) have had dual NICs for
    > years between the staff and the students network, which is
    > pretty insecure. The reason to have dual NICs was to provide the
    > teachers with access to the students' home folders and to be able
    > to share the GAL.
    > I am fairly new to NT/AD so I am not sure what the best design
    > would be. I had in mind isolating the servers on VLAN A, the
    > staff on VLAN B and the students on VLAN C, but I am not sure what
    > is a good AD structure for the whole thing, making it as secure as
    > possible, removing the dual NICs and still being able to access the
    > students' home folders and share the GAL.
    > Having a different domain for students or having a different OU
    > within the same domain ....???

    Well, I feel that I'm good with Linux + Cisco networking and Windows as an
    end station, so I would do it this way:

    2 VLANS

    VID1 = Students
    VID2 = Teachers

    Next, use linux or your cisco router for joining these two networks.

    To enable full access from Teachers -> Students use ACLs or, the best idea,
    NAT traffic from Teachers -> Students; the Students will be unable to
    access the Teachers VID because of NAT.
    Obviously, you can forward specific ports and IPs from the Teachers VID.

    What do you think about it?


