Re: customer user accounts and internal user accounts on same domain



This is what I would do personally... I would create a guest domain
that's like guest.yourdomain.com.... Then I would alias
'username@xxxxxxxxxxxxxx' to username@xxxxxxxxxxxxxxxxxxxxxxx. This is
if I am understanding you correctly.


On Thu, Jan 29, 2009 at 5:31 AM, Kevin Tunison <ktunison@xxxxxxxxx> wrote:
On Mon, Jan 26, 2009 at 8:02 PM, Stegman, Bill <Bill.Stegman@xxxxxxxxx> wrote:
Hi, I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:
A clear demarc between customer accounts and our own accounts
Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result

They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design... duh... but I'm hoping to throw out an established standard or something to help my argument.


If the partner is also on a 2003 domain, you can both upgrade your DCs
to 2003 R2 and utilize Federated Services. It exists for this
specific reason (allowing a semi-trusted domain/partner access to
selected resources). The whitepaper from MS is here:
http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx

Specific reasons?

Amount of time to run and verify a security audit in the event of a data breach.

Amount of time to set up individual VPNs for each of their users
(allowing a partner connection without knowing who is on the other end
leaves no specific liability; they could easily hire hacker Joe and
not realize until the damage is done) on top of creating specific user
accounts. I often hear the argument "we'll just give them their own
logins..." which quickly becomes shared login details in reality because
it means remembering more than one login.

Once ADFS is set up, it's no longer taking the time to create a new
domain account (which potentially costs CALs btw), but to grant
access.

Warm Regards,

Kevin Tunison MCSA, MCTS:SQL 2005
http://www.getbusinessconfident.com
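The two points raised in the thread, keeping partner accounts in their own namespace (the guest.yourdomain.com idea) and granting them only explicit rights rather than inherited ones, can be checked mechanically. The script below is an added example, not code from anyone in the thread; it assumes an internal UPN suffix of example.com, a guest suffix of guest.example.com, a group allowlist, and a constructed sample export rather than a live directory.

```python
"""Audit partner/guest accounts: flag any that hold groups outside an explicit
allowlist, and any account whose UPN suffix belongs to neither namespace.
All names, suffixes and accounts below are constructed sample data."""

INTERNAL_SUFFIX = "example.com"         # assumed internal UPN suffix
GUEST_SUFFIX = "guest.example.com"      # assumed partner/guest UPN suffix

# Groups a guest account may hold; everything else must be granted explicitly.
GUEST_ALLOWED_GROUPS = {"Domain Users", "Partner-Portal-Readers"}

# Constructed sample directory export: (userPrincipalName, group memberships)
SAMPLE_ACCOUNTS = [
    ("alice@example.com", {"Domain Users", "Finance"}),
    ("bob@guest.example.com", {"Domain Users", "Partner-Portal-Readers"}),
    ("carol@guest.example.com", {"Domain Users", "Finance"}),  # inherited too much
    ("dave@example.com", {"Domain Users", "Partner-Portal-Readers"}),
    ("eve@partner.example", {"Domain Users"}),                 # neither namespace
]


def classify(upn):
    """Return 'internal', 'guest' or 'unknown' based on the UPN suffix."""
    domain = upn.rsplit("@", 1)[-1].lower()
    if domain == GUEST_SUFFIX:
        return "guest"
    if domain == INTERNAL_SUFFIX:
        return "internal"
    return "unknown"


def audit(accounts, allowed=GUEST_ALLOWED_GROUPS):
    """Return findings: guest accounts with groups beyond the allowlist (and
    which groups), plus accounts outside both namespaces."""
    findings = {"over_privileged": {}, "unknown_namespace": []}
    for upn, groups in accounts:
        kind = classify(upn)
        if kind == "guest":
            extra = set(groups) - allowed
            if extra:
                findings["over_privileged"][upn] = sorted(extra)
        elif kind == "unknown":
            findings["unknown_namespace"].append(upn)
    return findings


if __name__ == "__main__":
    for category, hits in audit(SAMPLE_ACCOUNTS).items():
        print(category, hits)
```

Running it against a real export would mean replacing SAMPLE_ACCOUNTS with UPN and memberOf data from the directory; the checks themselves stay the same.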



