Re: customer user accounts and internal user accounts on same domain

Most companies do allow vendor accounts, service accounts for remote vendor support, etc. However, customer accounts are a different story. Look at a university/college as a model. Students are usually in an isolated domain with limited access to the employee network.

Who's going to clean up all the old customer accounts?

Users will inherit all permissions associated with the domain users group.

Mention to them the requirement for 42- or 90-day (?) password changes: a domain-wide setting applied to every user consistently that cannot be changed unless you are on a 2008 DC.

Talk to them about possible hacking attempts: privilege escalation, denial of service against accounts. If an external user can perform login attempts against your internal domain controller, it would be easy to enumerate all user accounts, then systematically lock out or disable all of the user accounts, in effect causing a denial of service. And I can do this sitting on my couch at the house.

A DMZ domain would be a better idea; sounds like you already know that. If they are concerned with cost, look into virtualizing the domain controllers with VMware 3i; it's free.

Also mention something about requiring a Microsoft CAL license for every AD user, legal fees, etc., if they don't accept your ideas. BS them if you have to as a fallback. It works in some places and can be used as a last resort.

Sounds like your boss or upper management there are a bunch of "tools".

Good luck.


----- Original Message -----
From: "Stegman, Bill" <Bill.Stegman@xxxxxxxxx>
To: <focus-ms@xxxxxxxxxxxxxxxxx>
Sent: Monday, January 26, 2009 3:02 PM
Subject: customer user accounts and internal user accounts on same domain

Hi, I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:
A clear demarc between customer accounts and our own accounts.
Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result.

They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design. Duh. But I'm hoping to throw out an established standard or something to help my argument.

Thank you,

Bill Stegman MCSE 2003, CCNP, CCSP, CCIP, INFOSEC, MCTS:Vista
Network Engineer
Crump Life Insurance Services
4250 Crums Mill Rd
Harrisburg, PA 17112
Phone: 717.657.0789 Ext. 4202
Fax: 717.703.4947

CONFIDENTIALITY NOTICE: This message is intended to be viewed only by the listed recipient(s).
It may contain information that is privileged, confidential and/or exempt from disclosure under
applicable law. Any dissemination, distribution or copying of this message is strictly prohibited
without our prior written permission. If you are not an intended recipient, or if you have
received this communication in error, please notify us immediately by return e-mail and
permanently remove the original message and any copies from your computer and all back-up systems.
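Added example (not code from either poster): the reply above describes an outsider enumerating accounts and locking them all out through the internal DC. On the defending side, that pattern is visible as a burst of Event ID 4740 (account locked out) entries, which are recorded on the PDC emulator. The function below groups lockouts by the caller computer and flags any caller that locks out several distinct accounts inside a short window. The event records are constructed inline so the logic runs offline; the window and threshold values are assumptions to tune for your environment.

```powershell
# Added example, not from the thread. On a live domain you would collect the input
# from the PDC emulator, e.g.
#   Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=(Get-Date).AddHours(-1)}
# and map each event's "Account Name" and "Caller Computer Name" fields onto the
# Time / Account / CallerComputer shape used here. Below the records are constructed.

function Get-LockoutBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Lockouts,   # objects with Time, Account, CallerComputer
        [int] $WindowMinutes = 10,                      # assumed sliding window length
        [int] $Threshold = 5                            # assumed: distinct accounts per caller per window
    )
    $alerts = @()
    foreach ($group in ($Lockouts | Group-Object -Property CallerComputer)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            # Every lockout from this caller that falls inside the window starting at $start
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $distinct = @($inWindow | Select-Object -ExpandProperty Account -Unique).Count
            if ($distinct -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    CallerComputer   = $group.Name
                    WindowStart      = $start
                    DistinctAccounts = $distinct
                }
                break   # one alert per caller is enough for triage
            }
        }
    }
    return $alerts
}

# Constructed sample: one external host locks out six different accounts within three
# minutes, while an employee mistypes their own password and locks only themselves out.
$base = Get-Date '2009-01-26T15:02:00'
$sample = @(
    foreach ($n in 0..5) {
        [pscustomobject]@{ Time = $base.AddSeconds(30 * $n); Account = "partner$n"; CallerComputer = 'EXT-HOST-01' }
    }
    [pscustomobject]@{ Time = $base.AddMinutes(2); Account = 'employee07'; CallerComputer = 'WS-HARRISBURG-07' }
)

# Expected: one row for EXT-HOST-01 with DistinctAccounts = 6; the single self-lockout is not reported.
Get-LockoutBursts -Lockouts $sample | Format-Table -AutoSize
```

The caller computer name is what distinguishes a user fumbling their own password from one source walking the user list, so keep it in whatever alert you raise; a lockout storm from a host that is not a domain member or that sits outside the DMZ is the signal this thread is worried about.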
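Added example (not code from either poster): the reply notes that the password-change interval is a single domain-wide setting unless the domain is at Windows Server 2008 level. If management insists on keeping partner accounts in the company domain, a 2008 functional level allows a fine-grained password policy (PSO) that gives just those accounts their own password age and lockout settings. The group name, PSO name, account name and all the numeric values below are assumed placeholders; the cmdlets come from the ActiveDirectory module, which ships with the 2008 R2 / Windows 7 RSAT tools or later.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module and a
# domain at Windows Server 2008 functional level or higher.
Import-Module ActiveDirectory

$partnerGroup = 'Partner-Users'   # assumed security group that holds the external accounts

# Splatted parameters for the PSO; every value here is an assumption to adjust to policy
$pso = @{
    Name                        = 'PSO-PartnerAccounts'
    Precedence                  = 10                       # lower wins if several PSOs apply
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 10                       # bad attempts before lockout
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)
    LockoutDuration             = [TimeSpan]::FromMinutes(30)
}

New-ADFineGrainedPasswordPolicy @pso
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects $partnerGroup

# Confirm which policy actually applies to a partner account (assumed sAMAccountName)
Get-ADUserResultantPasswordPolicy -Identity 'partner.user01'
```

A PSO only changes password and lockout behaviour; it does nothing about the inheritance of Domain Users rights or the exposure of the internal DC to external logon attempts, which is why the separate DMZ domain the thread recommends is still the cleaner design.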
