RE: Microsoft Active Directory security concerns



Dave,

I'm not advocating one way or the other, as I've seen the business
owners of web systems go both ways. However, here are some advantages
to using AD accounts over local accounts since you asked:

- the accounts must conform to your password policies
- the accounts can be restricted to log in only to the DMZ web server
- the accounts can have a login/logoff hours policy applied to them
- you can apply GPOs to the accounts for whatever purpose you need
- you can set expiration dates for the accounts


Best Regards,
Scott Ramsdell

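As an added example (not from Scott's message or any vendor documentation), the following PowerShell shows how the five restrictions above are applied to one account placed in a dedicated external OU. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later RSAT), PowerShell 3.0+, and placeholder names for the domain, OU, web server and user.

```powershell
# Added example: provision an external user in a dedicated OU with the
# restrictions listed above. Requires the ActiveDirectory PowerShell module.
# The domain, OU, server and user names are placeholders, not real values.
Import-Module ActiveDirectory

$ExternalOU   = 'OU=External,DC=example,DC=com'   # placeholder OU
$DmzWebServer = 'DMZWEB01'                         # placeholder NetBIOS name
$User         = 'ext.jdoe'                         # placeholder account

# Build the 21-byte logonHours bitmask: 168 bits, one per hour, week starting
# Sunday 00:00 UTC, least-significant bit first. Days: 0 = Sunday .. 6 = Saturday.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # EndHour is exclusive
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit = $d * 24 + $h
            $i = [int][math]::Floor($bit / 8)
            $mask[$i] = [byte]($mask[$i] -bor (1 -shl ($bit % 8)))
        }
    }
    return $mask
}

# 1. Password policy: the initial password must satisfy the domain (or
#    fine-grained) policy or New-ADUser fails; the user must change it at logon.
# 2. -LogonWorkstations limits interactive logon to the DMZ web server only.
# 5. -AccountExpirationDate disables the account automatically after 90 days.
$initial = Read-Host -AsSecureString 'Initial password'
New-ADUser -Name $User -SamAccountName $User -Path $ExternalOU `
    -AccountPassword $initial -ChangePasswordAtLogon $true -Enabled $true `
    -LogonWorkstations $DmzWebServer `
    -AccountExpirationDate (Get-Date).AddDays(90)

# 3. Logon hours: Monday to Friday, 08:00-18:00 UTC (logonHours is stored in UTC).
$hours = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 8 -EndHour 18
Set-ADUser -Identity $User -Replace @{ logonHours = $hours }

# 4. GPOs: link the policy for external accounts to the OU itself (needs the
#    GroupPolicy module and an existing GPO); every account in the OU inherits it.
# New-GPLink -Name 'External Web Users' -Target $ExternalOU -LinkEnabled Yes
```

Verify the result with `Get-ADUser $User -Properties LogonWorkstations,AccountExpirationDate,logonHours` before handing the account out.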

-----Original Message-----
From: DHegenbarth@xxxxxxxxxxxxx [mailto:DHegenbarth@xxxxxxxxxxxxx]
Sent: Tuesday, June 13, 2006 11:06 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Microsoft Active Directory security concerns

All,

I have spent most of my time in network security and IDS/IPS technology
so I'm fairly new to security pertaining to MS Active Directory. We are
being asked to evaluate web portal authentication/authorization for
users, most of whom are not employees of our company. Our NT group
wants to add / maintain users in an "external OU", in an existing
domain, under our existing AD forest. I think this is a bad idea but I
am not versed enough in AD to argue the point. Are there glaring issues
with this strategy? My concern is that if someone were to gain access to
AD they might not only affect external applications but internal
production as well.

Are "external OUs" that secure? Are there more secure authentication
schemes?


Any thoughts would be greatly appreciated.



Dave


This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.


