Subdomain security

From: Oren Held (oren_at_held.org.il)
Date: 12/16/04

  • Next message: dave kleiman: "RE: services running in windows domain (winXP clients)"
    To: focus-ms@securityfocus.com
    Date: Thu, 16 Dec 2004 01:24:00 +0200
    
    

    Hello,

    I have to install a *secure* Windows domain inside an insecure network.
    This means that my domain will be behind a firewall, of course.

    Now, I've got two possibilities for the domain configuration:
    Option 1: My domain would actually be a subdomain inside the insecure
    forest.
    Option 2: Create a totally new forest.

    So, surely option #2 is more secure, but the management pushes for
    choosing option #1. So, a few questions about option #1:

    a. Which ports should be opened by the firewall in order for the
    subdomain to function well but be the most secure? Any references?

    b. Does an admin (a member of the Enterprise Admin group) from the
    root-domain have access to my subdomain? Can I prevent it at all?

    c. Do you know any networks that implement option #1 with a firewall and
    think they're quite secure from the other domains, or is it a totally
    twisted idea?

    Thanks a lot people,

     - Oren

    ---------------------------------------------------------------------------