RE: customer user accounts and internal user accounts on same domain



Assuming you're using an MS AD, I believe there's a configuration option
called Federated Services which is designed for a scenario such as yours
and might solve your problem. I'm no AD expert, but from a high level it
allows you to create an extended AD 'island' from which you and your
customers can share resources without granting access to or creating
objects within each other's internal domains. Of course this assumes
you're both running AD and there's probably some cost involved, but your
management needs to understand that there are many security & privacy
issues associated with granting outside entities access to your internal
directory.




From: "Davies, Alan (GE Money)" <AlanJ.Davies@ge.com>
Sent by: listbounce@securityfocus.com
To: "Stegman, Bill" <Bill.Stegman@xxxxxxxxx>, <focus-ms@xxxxxxxxxxxxxxxxx>
cc:
Date: 01/28/2009 01:12 PM
Subject: RE: customer user accounts and internal user accounts on same domain

Among many other reasons, having them in the same domain context as you
means they are part of your "Domain Users", which gives them full read
access to all of your AD and access to any "public" areas on file servers,
etc. you may have.

It depends how much management cares, but I wouldn't want an external
company knowing exactly how our AD was planned out, how our sites were set
up, what our DNS looked like, where our "crown jewels" were, how we
assigned security permissions, etc. And that's assuming you're actually
perfect and don't make any permissioning mistakes! In case you're not
perfect, access to confidential/DPA-relevant data, etc. would be a definite
issue - especially outside the USA. Could well land you with a regulatory
fine if you haven't shown due diligence and allow protected data to leak
out of your company.




alan

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Stegman, Bill
Sent: 26 January 2009 20:03
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: customer user accounts and internal user accounts on same domain

Hi, I'm trying to dissuade management from allowing user accounts to be
created on the same domain as our company users for what I feel are obvious
reasons, but when pressed for specific issues I'm at a bit of a loss. I
cited reasons such as:
- A clear demarc between customer accounts and our own accounts
- Not giving any unnecessary rights due to inheritance, but rather having
  to apply the appropriate permissions rather than remove permissions to
  attain the desired result

They want to extend a service we offer to our internal employees to a
partner. I suggested creating an extranet and using accounts from a
separate domain rather than our own, but there is additional overhead
imposed by such a design. Duh. But I'm hoping to throw out an established
standard or something to help my argument.

Thank you,

Bill Stegman, MCSE 2003, CCNP, CCSP, CCIP, INFOSEC, MCTS:Vista
Network Engineer
Crump Life Insurance Services
4250 Crums Mill Rd, Harrisburg, PA 17112
Phone: 717.657.0789 Ext. 4202
Fax: 717.703.4947


CONFIDENTIALITY NOTICE: This message is intended to be viewed only by the
listed recipient(s).
It may contain information that is privileged, confidential and/or exempt
from disclosure under applicable law. Any dissemination, distribution or
copying of this message is strictly prohibited without our prior written
permission. If you are not an intended recipient, or if you have received
this communication in error, please notify us immediately by return e-mail
and permanently remove the original message and any copies from your
computer and all back-up systems.
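
One way to put numbers behind Alan's point that every account in the domain lands in "Domain Users" (and Authenticated Users, Everyone and, depending on configuration, Pre-Windows 2000 Compatible Access) with read access to the directory: enumerate the ACEs on the domain root and its top-level OUs that grant read-type rights to those broad principals. This is an added example, not code from any message in the thread. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session; the function name Get-BroadReadAccess is my own.

```powershell
# Added example, not from the list thread. Lists ACEs on the domain root and
# its direct child OUs that give read-type rights to principals every domain
# account is a member of. Assumes the ActiveDirectory module (RSAT) and a
# caller who can read the directory.
Import-Module ActiveDirectory

function Get-BroadReadAccess {
    param(
        # Set to 'Subtree' to walk every OU instead of just the top level.
        [ValidateSet('OneLevel', 'Subtree')]
        [string] $Scope = 'OneLevel'
    )

    $domain  = Get-ADDomain
    $netbios = $domain.NetBIOSName

    # Principals that a customer account created in this domain would
    # automatically belong to, directly or through nesting.
    $broadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        "$netbios\Domain Users",
        'BUILTIN\Pre-Windows 2000 Compatible Access'
    )

    # Rights that expose structure or attribute data rather than modify it.
    $readPattern = 'GenericAll|GenericRead|ReadProperty|ListChildren|ListObject'

    # Domain root plus the OUs beneath it.
    $targets = @($domain.DistinguishedName) +
        (Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName -SearchScope $Scope |
            Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path ("AD:\" + $dn)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if ($ace.ActiveDirectoryRights.ToString() -notmatch $readPattern) { continue }
            [pscustomobject]@{
                Object    = $dn
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: one row per broad-read ACE; an empty result on a container means
# none of those principals can enumerate it.
Get-BroadReadAccess | Format-Table -AutoSize
```

Run it before and after any change to the default ACLs: the rows it prints are exactly what an outside account placed in the same domain would be able to browse, which is the concrete argument Bill was looking for.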