RE: AD structure for a school environment
Date: 11/13/03

  • Next message: Gary Everekyan: "RE: Exchange SMTP Hole?"
    To: "Focus-Ms@Securityfocus. Com" <>
    Date: Thu, 13 Nov 2003 17:27:15 +0100

    > We are a college with about 100 PCs for students and 100 staff PCs,
    > with couple of staff members in HR, couple in marketting .....
    > I am not sure what would be the best AD design to have taking
    > into consideration that some data (HR data,exams,student's marks)
    > needs to be secured and in no reach from the students.
    > We will be using Windows 2003 and Exchange 2003 and Cisco ACLs.
    > The current setup is pretty bad, the students are located on a
    > different vlan than the staff and there is a one way trust
    > relationship between the students and the staff domains. However,
    > the students servers(PDC and Exchange) have had dual NICs for
    > years between the staff and the students network which is
    > pretty insecure. The reason to have dual NICS was to provide the
    > teachers with access to the students home folders and to be able
    > to share the GAL.
    > I am fairly new to NT/AD so I am not sure what the best design
    > would be. I had in mind isolating the servers on Vlan A, the
    > staff on Vlan B and the students on Vlan C but I am not sure what
    > is a good AD structure for the whole thing making it as secure as
    > possible, removing the dual nics and still be able to access the
    > students home folders and share the GAL.
    > Having a different domain for students or having a different OU
    > within the same domain ....???

    Well, i feel that i'm good with linux+cisco networiking and windows as
    endstation, so, i will do that in that way:

    2 VLANS

    VID1 = Students
    VID2 = Teachers

    Next, use linux or your cisco router for joining these two networks.

    To enable full access from Teachers -> Students use ACL's or, the best idea
    is NAT traffic from Teachers -> Students , the Students will be unable to
    access Teachers VID, because of NAT.
    Obviously, you can forward specific ports and IP's from Teachers VID.

    What do you thing about it ?


    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    and use priority code SF4.

  • Next message: Gary Everekyan: "RE: Exchange SMTP Hole?"

    Relevant Pages

    • Re: Multiple GAL
      ... Each school will have there own IS. ... Teachers and Staff will ... Staff will have there own BE server and there will be ... Teachers to see each other and the students, but it would be nice to if ...
    • Re: Mad bad magic at EMU
      ... Victim's parents and students question Eastern Michigan University's ... By P.J. Huffstutter, Times Staff Writer ... the school said. ...
    • One of the story of Communist Army leader Ne Win
      ... On March 2 1962, the Chief of Staff of the Armed Forces of Burma, ... Maung, a Sino-Burmese, as the Chief of Staff formed the Revolutionary ... Council with his Vice Chief of Staff for Army Brigadier Aung Gyi, ... one of the points was that all students must be in their respective ...
    • Re: Maybe eye-surgery soon
      ... greater difficulty in maintaining striking or impact-weapon range, ... of & no way to pass on my staff experience & insights. ... assuming that there would be more time & future students someday. ... it wouldn't be the loss of doing martial arts per se but only ...
    • Re: Using Shift-Startup
      ... While still in the same command prompt, ... It will be placed on a shared drive, where students have read-only access ... and staff have read and write access. ... Is there a way to stop students by-passing the initial startup, ...