RE: Subdomain security
From: Devin Ganger (DevinG_at_3sharp.com)
Date: 12/16/04
- Previous message: Richard_Gardner_at_rge.com: "Re: Subdomain security"
- Maybe in reply to: Oren Held: "Subdomain security"
- Next in thread: Wim_Remes_at_msp.be: "Re: Subdomain security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Dec 2004 11:22:39 -0800 To: "Oren Held" <oren@held.org.il>, <focus-ms@securityfocus.com>
If you are part of the same forest, you cannot enforce security
boundaries effectively.
The forest is the security boundary in AD, not the domain. The domain is
an administrative and replication boundary.
In order to get all of the intra-forest replciation, trust, and network
traffic correctly working so that your domain is healthy, you have to
open up too many ports and services to the surrounding insecure systems.
They can (and will) then be used as launching points into your secure
network.
Tell your management in no uncertain terms that they can pick one of
two: they secure everything, or they let you deploy a new forest for the
secure domain. They can't have both.
-- Devin L. Ganger Email: deving@3sharp.com 3Sharp LLC Phone: 425.882.1032 x 109 15311 NE 90th Street Cell: 425.239.2575 Redmond, WA 98052 Fax: 425.702.8455 -----Original Message----- From: Oren Held [mailto:oren@held.org.il] Sent: Wednesday, December 15, 2004 3:24 PM To: focus-ms@securityfocus.com Subject: Subdomain security Hello, I have to install a *secure* windows domain inside an insecure network. This means that my domain will be behind a firewall ofcourse. Now, I've got two possibilities for the domain configuration: Option 1: My domain would actually be a subdomain inside the insecure forest. Option 2: Create a totally new forest. So, surely option #2 is more secure, but the management pushes to choosing option #1. so.. few questions about option #1: a. Which ports should be opened by the firewall in order for the subdomain to function well but be the most secure? Any references? b. Does an admin (a member of the Enterprise Admin group) from the root-domain have access to my subdomain? Can I prevent it at all? c. Do you know any networks that implement option #1 with a firewall and think they're quite secure from the other domains, or is it a totally twisted idea? Thanks a lot people, - Oren ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Richard_Gardner_at_rge.com: "Re: Subdomain security"
- Maybe in reply to: Oren Held: "Subdomain security"
- Next in thread: Wim_Remes_at_msp.be: "Re: Subdomain security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
