RE: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN
From: Nick Owen (nickowen_at_mindspring.com)
Date: 03/04/05
- Previous message: Matt Gibson: "RE: Table enumeration in mysql injection"
- In reply to: Depp, Dennis M.: "RE: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN"
- Next in thread: Locher Thomas: "RE: AD across both DMZ & LAN"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Depp, Dennis M." <deppdm@ornl.gov> Date: Fri, 04 Mar 2005 13:27:41 -0500
In this specific case they were looking for a less expensive two factor
solution.
On Fri, 2005-03-04 at 12:41 -0500, Depp, Dennis M. wrote:
> If I am not mistaken, you can set up any account to require smart card
> authentication. So you could require smartcards for admin accounts but
> not normal users. This should not require any special forest/domain
> configurations.
>
> Dennis
>
> -----Original Message-----
> From: Nick Owen [mailto:nickowen@mindspring.com]
> Sent: Thursday, March 03, 2005 7:39 PM
> To: security-basics@securityfocus.com
> Cc: Depp, Dennis M.; 'Leon North'
> Subject: Separating authentication and authorization for admins was: RE:
> AD across both DMZ & LAN
>
> Seeing this post reminded me of a question I was noodling:
>
> Would it be possible to require strong authentication for any
> administrators and/or admin actions (such as running an MMC) on the
> LAN/WAN, but not require two-factor for non-admin logins?
>
> One thought that I had (or google had) was to configure multiple forest
> or domains. One had only users and one had only admins. Then could you
> configure trusts and GPOs in such a way that admin actions were proxied
> through ISA and routed via radius to a strong authentication server (as
> you can do with remote access)? Perhaps convoluted, but you can imagine
> that it would be great to have admin actions locked down with two-factor
> authentication on a large LAN/WAN. It seems to make sense, but I don't
> have near the windows experience to answer it.
>
> TIA,
>
> Nick
>
> > -----Original Message-----
> > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
> > Sent: Tuesday, March 01, 2005 1:03 PM
> > To: Leon North; security-basics@securityfocus.com
> > Subject: RE: AD across both DMZ & LAN
> >
> >
> > Leon,
> >
> > 1. Yes this is possible. You will want to setup two forests
> > and create a one way trust between the two forests. (or
> > between two domains in the
> > forest.)
> > 2. While not ideal, I think it is an acceptable approach.
> > However, your management will have to decide if the risk is
> > worth the cost savings.
> > 3. You should be able to configure loopback processing of GPOs
> > on the Citrix server. This will allow you to define a separate
> > user profile when they log onto the Citrix server.
> >
> > Denny
> >
> >
> > -----Original Message-----
> > From: Leon North [mailto:leon_nc@linuxmail.org]
> > Sent: Tuesday, March 01, 2005 10:20 AM
> > To: security-basics@securityfocus.com
> > Subject: AD across both DMZ & LAN
> >
> > Hi,
> >
> > We currently have an NT4 domain in the DMZ and an unrelated
> > NT4 domain internally. The DMZ domain contains a server
> > running citrix, and is used for internet web browsing/email,
> > so that we only have to allow the citrix connection through
> > the FW to the LAN & no internal users can directly access the
> > internet from their PCs.
> >
> > As part of an upgrade to Active Directory (both domains
> > Win2k3), we would like to get the DMZ to trust the internal
> > domain, so that we only have one set of user accounts to
> > manage. But I am not sure about a couple of things with this setup-
> >
> > 1. Will this work like this, so that we only need 1 user
> > account per user instead of a separate one externally to
> > internally? (excuse the vagueness of the question)
> >
> > 2. If so, is that (not ideal I know but) an acceptable
> > approach security wise, when the DMZ DC can access the
> > accounts on the internal domain?
> >
> > 3. Can we configure it somehow so that the user gets a
> > different profile when logging in to the DMZ only? I ask that
> > because one potential issue I see is getting a virus
> > infection into user profile while logged into the DMZ, then
> > logging into an internal server.
> >
> > Thanks for any help.
> >
> > Leon
> --
> Nick Owen
> CEO
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> At last, Two Factor Authentication, Without the Expense Factor
>
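As an added illustration of the per-account smart card requirement Dennis describes (this is example code, not anything posted in the thread, and it postdates the 2005 discussion: it uses the ActiveDirectory PowerShell module rather than the Windows 2003-era MMC checkbox). The group names in $PrivilegedGroups are assumptions for a typical domain; adjust them, and exclude any break-glass or non-interactive admin account before enforcing, since an account with this flag can no longer log on interactively with a password.

```powershell
# Added example (not from the thread): audit and enforce the
# "Smart card is required for interactive logon" flag on every account
# that is a (nested) member of the privileged groups below.
# Requires RSAT / the ActiveDirectory module and rights to modify the accounts.
Import-Module ActiveDirectory

# Assumed group list; extend for delegated-admin groups in your domain.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# Accounts that must keep password logon (assumed break-glass account name).
$ExcludedSamAccountNames = @('Administrator')

function Get-PrivilegedAccounts {
    # -Recursive expands nested groups so an admin hidden two groups deep is still found.
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property distinguishedName -Unique |
        ForEach-Object {
            Get-ADUser -Identity $_.distinguishedName -Properties SmartcardLogonRequired, Enabled
        }
}

function Find-AdminsWithoutSmartcard {
    # Enabled privileged accounts that can still log on interactively with just a password.
    Get-PrivilegedAccounts |
        Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
        Where-Object { $ExcludedSamAccountNames -notcontains $_.SamAccountName }
}

function Set-SmartcardRequiredForAdmins {
    param([switch]$WhatIf)
    foreach ($user in Find-AdminsWithoutSmartcard) {
        # Setting the flag also has the DC replace the account's password with a
        # random value, so any password the admin knows (or an attacker captured)
        # stops working for interactive logon once the change replicates.
        Set-ADUser -Identity $user.DistinguishedName -SmartcardLogonRequired $true -WhatIf:$WhatIf
    }
}

# Report first, then rehearse enforcement with -WhatIf; drop -WhatIf to apply.
Find-AdminsWithoutSmartcard | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
Set-SmartcardRequiredForAdmins -WhatIf
```

Run the audit function on a schedule as well as once at rollout: the flag lives on the user object, so a newly created admin account, or an existing account added to one of the groups later, silently reintroduces password-only admin logon unless something re-checks membership.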