Re: Problems with Security Policy across trust

From: Nathan (Nathan_at_discussions.microsoft.com)
Date: 09/09/05


Date: Thu, 8 Sep 2005 23:32:07 -0700

Hi Steven, thank you for your comments. Could I ask for clarification on the
comments I have made to Paul above? The important factor for us is that the
GPO is implemented to lock the desktop down; if it will not pass from trust
to trust, is there a workaround?

Or are we talking about making our domains work in the same forest, and if so, is
this hard to do with the forests being up and running?

"Steven L Umbach" wrote:

> I am not sure exactly what you mean by security policy, but you can modify
> security policy [user rights] on the trusting domain to restrict access for
> users from the trusted domain. You also must make sure that your share and
> NTFS permissions are what you need to restrict access to the principle of
> least privilege. Keep in mind that permissions and user rights for Everyone
> or Authenticated Users can allow access to users from a trusted domain. So
> instead of a share allowing access to Authenticated Users, make sure that
> only the specific global group is allowed access. You can also modify
> security policy user rights so that instead of Authenticated Users you
> specify the global groups you want to have the user right, such as "access
> this computer from the network", which may be Domain Users for the local
> domain only.
>
> For an external trust you can use IPsec in the trusting domain to protect
> computers from access from the trusted domain by having an IPsec "require"
> policy enabled on computers you do not want accessed. IPsec by default uses
> Kerberos authentication to create a security association before computers
> can communicate. IPsec however is somewhat complex to configure CORRECTLY,
> and domain controllers must be exempt from IPsec negotiation traffic for
> protocols used in the authentication process between domain controllers and
> domain members. If you are interested in IPsec, see the link below for a
> great white paper on IPsec for domain isolation, even if you only read
> appendixes A - D.
>
> http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
>
> If your domains both contain only Windows 2003 domain controllers, you can
> raise your domain and forest functional levels to Windows 2003 and then
> create a forest trust. The advantage of a forest trust is that you can use
> "selective authentication" with the "allowed to authenticate" permission to
> further restrict access to domain computers in the trusting domain from
> users in the trusted domain. There is no reason that a trusting domain can
> not be secured properly from users in the trusted domain if you implement
> security features in Windows 2003 such as IPsec, NTFS and share permissions,
> selective authentication, and user rights properly on top of normal security
> best practices such as enforcing complex passwords for each domain. You
> might want to read the free guides for Windows 2003 Server Security and
> Threats and Countermeasures from the TechNet Security link below. The
> Microsoft Press Windows Security Resource Kit, second edition, is also something
> you should purchase and read. --- Steve
>
> http://www.microsoft.com/technet/security/default.mspx --- TechNet Security
> link.
> http://www.bookpool.com/sm/0735621748 --- Windows Security Resource Kit
>
>
> "Nathan" <Nathan @discussions.microsoft.com> wrote in message
> news:B854D8E5-13E2-457D-B8CE-C9F224342D64@microsoft.com...
> > Please can anyone help with the following issue.
> >
> > We have a link from our city learning centre to the local high school; we
> > intend a one-way incoming trust to allow users from the school to log onto
> > our network with their school account.
> >
> > After successfully creating a trust, users can log on and they have access
> > to their network area mapped, but there are no security settings. It is as
> > if the security policy is denied access to the workstation to lock the
> > security down, i.e. the kid can access Network Neighbourhood, Run, etc. (a
> > dangerous situation).
> >
> > Both domains are Windows 2003 Server SP1, fully patched and at the same
> > functional level, Windows 2000 native. We do have a firewall, but I am
> > bypassing this until we can resolve this issue first.
> >
> > I will log a call with Microsoft if nes, but they want £759 as we can only
> > order by PO, being publicly owned. PLEASE HELP
> >
> > What do I have to do to get the security settings from the school's AD
> > controller to implement on our workstations across the trust?
>
>
>



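Steve's advice above comes down to finding and replacing the broad grants (Everyone, Authenticated Users) that a trust silently extends to every user of the trusted domain. The script below is an added example, not from this thread; it audits a server in the trusting domain for the two grants he names: the "Access this computer from the network" user right and share-level permissions. It assumes an elevated PowerShell session on Windows Server 2012 or later (the Smb cmdlets did not exist on the 2003 servers discussed here); the SIDs are the well-known values.

```powershell
# Added example: audit a trusting-domain server for broad principals that a
# trust extends to trusted-domain users. Assumes an elevated session on
# Windows Server 2012+ (Get-SmbShare/Get-SmbShareAccess). Well-known SIDs only.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-NetworkLogonRightGrants {
    # secedit exports local policy as an INI-style .inf file. SeNetworkLogonRight
    # is "Access this computer from the network"; principals are listed as *SID.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        [pscustomobject]@{
            Principal = if ($BroadSids[$sid]) { $BroadSids[$sid] } else { $sid }
            Broad     = [bool]$BroadSids[$sid]
        }
    }
}

function Get-BroadShareGrants {
    # Share-level Allow ACEs for Everyone / Authenticated Users. With a trust in
    # place these match every user of the trusted domain, not just local users.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccountName -match 'Everyone|Authenticated Users'
        }
    } | Select-Object Name, AccountName, AccessRight
}

# Report findings; the fix in each case is to grant a specific global group instead.
Get-NetworkLogonRightGrants | Where-Object Broad | ForEach-Object {
    "User right SeNetworkLogonRight is granted to $($_.Principal); scope it to a specific global group"
}
Get-BroadShareGrants | ForEach-Object {
    "Share $($_.Name) grants $($_.AccessRight) to $($_.AccountName); replace with a specific global group"
}
```

The user-right check reads the effective local policy, so it also reflects what a GPO applied to the machine has set; NTFS permissions on the share folders still need a separate review.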