RE: Subdomain security
From: Renouf, Phil (Phil.Renouf_at_tdsecurities.com)
Date: 12/17/04
- Previous message: Bruno Jänes: "RE: iisadmpwd/UPN"
- Maybe in reply to: Scott Mulcahy: "Subdomain security"
- Next in thread: Renouf, Phil: "RE: Subdomain security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 Dec 2004 13:25:49 -0500 To: <Wim_Remes@msp.be>, "Oren Held" <oren@held.org.il>
The empty root domain does not offer any additional security since the
security boundary for Active Directory is at the Forest level. As
someone else has mentioned here already the Domain boundary is for
Administration and Replication, not security. Starting out with an Empty
root and two subdomains wouldn't be any more secure.
I think that Devin got it right when he said that either you secure the
entire environment, or you create a new forest for this subdomain and
secure the forest as tightly as you can (including putting it behind a
firewall if the data is that sensitive).
Phil
-----Original Message-----
From: Wim_Remes@msp.be [mailto:Wim_Remes@msp.be]
Sent: Thursday, December 16, 2004 5:24 PM
To: Oren Held
Cc: focus-ms@securityfocus.com
Subject: Re: Subdomain security
Hi Oren,
First : you have to seperate network configuration from domain setup. As
far as I know (from what I read) your initial domain setup is insecure
by design. You should've created an empty root domain with an active
sub-domain. That would've enabled you to create a new subdomain to the
root domain and it would be secure from your other subdomain. Creating
a new subdomain now doesn't offer any additional security. On the other
hand you're talking 'network security' when you state that your domain
would be behind a firewall. Whatever you implement in means of 'network
security'
wouldn't add any security to your domain resources, since all ports
needed for normal W2K(3) operations will need to remain open and
enterprise admins would still be able to 'manage' your resources.
The question you need to answer is what you are trying to secure ? If
you are trying to secure resources like an HR Office inside your company
(for example a database server, a file & print server and some
workstations classified as HR Controlled systems) I would choose to
implement IPSec policies for these hosts. If you are trying to provide
a secure working environment for some highly sensitive R&D department
there's only one way to go and that is option #2 with the firewall
(VLAN's or any other way of segmenting your network would work too).
A final remark : management is management, you got to hit them with the
bare numbers and prove to them that your solutions provide them what
they asked for within budget and within time. Afaik, they don't care
whether you employ monkeys to secure your network, as long as they don't
have to pay a penny more than what's needed.
(Oh, to create some extra workload ... you could move the resources from
the root-domain to a new sub-domain and then create another new
sub-domain to the , now empty root domain, which would seperate the two
domains and offer you some higher level of security ...)
Regards,
Wim Remes
MSCE:Security
-----Oren Held <oren@held.org.il> wrote: -----
To: focus-ms@securityfocus.com
From: Oren Held <oren@held.org.il>
Date: 16/12/2004 00h24
Subject: Subdomain security
Hello,
I have to install a *secure* windows domain inside an insecure network.
This means that my domain will be behind a firewall ofcourse.
Now, I've got two possibilities for the domain configuration:
Option 1: My domain would actually be a subdomain inside the insecure
forest.
Option 2: Create a totally new forest.
So, surely option #2 is more secure, but the management pushes to
choosing option #1. so.. few questions about option #1:
a. Which ports should be opened by the firewall in order for the
subdomain to function well but be the most secure? Any references?
b. Does an admin (a member of the Enterprise Admin group) from the
root-domain have access to my subdomain? Can I prevent it at all?
c. Do you know any networks that implement option #1 with a firewall and
think they're quite secure from the other domains, or is it a totally
twisted idea?
Thanks a lot people,
- Oren
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Bruno Jänes: "RE: iisadmpwd/UPN"
- Maybe in reply to: Scott Mulcahy: "Subdomain security"
- Next in thread: Renouf, Phil: "RE: Subdomain security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
