Security Basics mailing list archives
RE: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Fri, 04 Mar 2005 12:41:35 -0500
If I am not mistaken, you can setup any account to require smart card authentication. So you could require smartcards for admin accounts but not normal users. This should not requireany special forest/domain comfigurations. Dennis -----Original Message----- From: Nick Owen [mailto:nickowen () mindspring com] Sent: Thursday, March 03, 2005 7:39 PM To: security-basics () securityfocus com Cc: Depp, Dennis M.; 'Leon North' Subject: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN Seeing this post reminded me of a question I was noodling: Would it be possible to require strong authentication for any administrators and/or admin actions (such as running an MMC) on the LAN/WAN, but not require two-factor for non-admin logins? One thought that I had (or google had) was to configure multiple forest or domains. One had only users and one had only admins. Then could you configure trusts and GPOs in such a way that admin actions were proxied through ISA and routed via radius to a strong authentication server (as you can do with remote access)? Perhaps convoluted, but you can imagine that it would be great to have admin actions locked down with two-factor authentication on a large LAN/WAN. It seems to make sense, but I don't have near the windows experience to answer it. TIA, Nick
-----Original Message----- From: Depp, Dennis M. [mailto:deppdm () ornl gov] Sent: Tuesday, March 01, 2005 1:03 PM To: Leon North; security-basics () securityfocus com Subject: RE: AD across both DMZ & LAN Leon, 1. Yes this is possible. You will want to setup two forests and create a one way trust between the two forests. (or between two domains in the forest.) 2. While not ideal, I think it is an acceptable approach. However, your management will have to decide if the risk is worth the cost savings. 3. You should be able to configure loopback processing of GPOs on the Citrix server. This will allow you to define a separate user profile when they log onto the Citrix server. Denny -----Original Message----- From: Leon North [mailto:leon_nc () linuxmail org] Sent: Tuesday, March 01, 2005 10:20 AM To: security-basics () securityfocus com Subject: AD across both DMZ & LAN Hi, We currently have an NT4 domain in the DMZ and an unrelated NT4 domain internally. The DMZ domain contains a server running citrix, and is used for internet web browsing/email, so that we only have to allow the citrix connection through the FW to the LAN & no internal users can directly access the internet from their PC's. As part of an upgrade to Active Directory (both domains Win2k3), we would like to get the DMZ to trust the internal domain, so that we only have one set of user accounts to manage. But I am not sure about a couple of things with this setup- 1. Will this work like this, so that we only need 1 user account per user instead of a seperate one externally to internally? (excuse the vagueness of the question) 2. If so, is that (not ideal I know but) an acceptable approach security wise, when the DMZ DC can access the accounts on the internal domain? 3. Can we configure it somehow so that the user gets a different profile when logging in to the DMZ only? I ask that because one potential issue I see is getting a virus infection into user profile while logged into the DMZ, then logging into an internal server. Thanks for any help. Leon -- ______________________________________________ Check out the latest SMS services @ http://www.linuxmail.org This allows you to send and receive SMS through your mailbox. Powered by Outblaze
-- Nick Owen CEO WiKID Systems, Inc. http://www.wikidsystems.com At last, Two Factor Authentication, Without the Expense Factor -- -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.300 / Virus Database: 266.6.0 - Release Date: 3/2/2005
Current thread:
- RE: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN Depp, Dennis M. (Mar 04)