Re: Win2k and one-way trusts
From: Steven Umbach (n9zrou_at_nscomcast.com)
Date: 01/24/04
- Next message: Steven Umbach: "Re: Cannot Run compmgmt.msc"
- Previous message: Rohit Arora: "Re: Event ID : 643"
- In reply to: LCI: "Win2k and one-way trusts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 24 Jan 2004 22:38:59 GMT
I have never tried that but a couple of thoughts. You can create one-way explicit
trusts if the domains are in different forests. Having different domains will
allow different account policies. If you decide to not use a second domain, you
can further harden the domain machines in the DMZ by adding the Administrators
group to the "deny access to this computer from the network" right for administrators
and log onto it locally to manage it or temporarily change the policy. Passprop
can also be used to enable the administrator account to be locked out from
network logon, which should also be renamed. Disable file and print sharing and
other unnecessary services on it and make sure that "number of logons to cache" is
set to zero in Local Security Policy effective settings. Changing some security
options on it such as changing "additional restrictions to anonymous connections"
to "no access without explicit anonymous connections" [if it does not cause
problems with authorized clients], setting "digitally sign communications
client/server" to always, changing "LAN Manager authentication level" to "use NTLMv2
only, refuse LM and NTLM", and removing the Users/Everyone group from "access this
computer from the network" and replacing it with Authenticated Users [a user
right assignment]. Most of those security options would be applied by
importing the hisecws.inf template with the exception of cached logons.
Depending on the machines in your domain, some of those changes may cause
problems with domain machines, particularly if you have W9X or NT4.0 machines.
Of course enabling auditing and monitoring the security log is a good idea. ---
Steve
http://support.microsoft.com/default.aspx?kbid=309689
http://www.jsiinc.com/SUBI/tip4300/rh4315.htm
"LCI" <it@lcitoys.com.DeleteThis> wrote in message
news:ehf4jQc4DHA.2188@TK2MSFTNGP10.phx.gbl...
> I need the ability to authenticate domain users in my DMZ, and I am
> not overly thrilled with the idea of an internet-facing system having
> direct access into the domain if I can avoid it. So I was thinking about
> building a small domain in the DMZ and setting up a one-way trust
> between my primary domain and it (DMZ trusts the domain, the domain
> does not trust the DMZ). That way I can set up the DMZ domain controller
> in the DMZ but not make it publicly accessible, and I don't mind opening
> up ports like 135 if I have to. Does anyone have any experience doing
> anything like this or have a better suggestion? I realize that my
> one-way trust concept is somewhat rooted in NT4 but I haven't yet
> figured out the AD terminology/techniques that I need, so any help there
> would be great as well. TIA.
>
> --Jared
>
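The settings Steve lists (anonymous restrictions, SMB signing, NTLMv2-only, cached logons, and the two network-logon user rights) can be captured in a Windows 2000 security template so they are applied and re-checked consistently rather than clicked through in Local Security Policy. The template below is an added, constructed example, not a file from the thread or from Microsoft's shipped templates; the file name, database name and the audit section are assumptions, and it is meant for the DMZ member machines, not for domain controllers.

```ini
; dmz_harden.inf (constructed example) - Windows 2000 security template.
; Apply:   secedit /configure /db dmz.sdb /cfg dmz_harden.inf /log dmz.log
; Re-check later against drift:
;          secedit /analyze   /db dmz.sdb /cfg dmz_harden.inf /log dmz.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
; LAN Manager authentication level: 5 = send NTLMv2 only, refuse LM and NTLM.
; Expect breakage for W9X / NT4 clients that cannot do NTLMv2.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
; Additional restrictions for anonymous connections:
; 2 = no access without explicit anonymous permissions.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
; Digitally sign communications (always) for both the server and client side.
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
; Number of previous logons to cache: 0. This is a REG_SZ ("1," prefix) and is
; the one setting the reply notes is NOT covered by hisecws.inf.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"

[Privilege Rights]
; Access this computer from the network: Authenticated Users (S-1-5-11) only,
; replacing the Everyone / Users entries.
SeNetworkLogonRight = *S-1-5-11
; Deny access to this computer from the network: Administrators (S-1-5-32-544).
; Admins then manage the box at the console or after a temporary policy change.
SeDenyNetworkLogonRight = *S-1-5-32-544

[Event Audit]
; Assumed audit choices (3 = success and failure) so that logon attempts
; rejected by the rights above show up in the security log.
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
```

Running the `/analyze` pass against the same database is the cheap way to confirm the machine still matches the template after someone "temporarily" relaxes the policy to manage it.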