Educause Security Discussion mailing list archives
Re: Secondary AD domains for students - good or more work when not needed?
From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Thu, 20 Apr 2017 12:48:30 -0400
Hi Terry,

One thing to keep in mind is that all users of AD have the ability to read objects in the domain. So, if you put your students and the general use/classroom PCs in your "business" domain you are potentially opening up your business network, including Admin accounts, to a large, untrusted population. A common penetration technique is to get access to an AD account and then elevate that access to Domain Admin. Once you lose a Domain Admin account it is pretty difficult to recover from it with any degree of confidence. From what I have read, Microsoft will recommend starting all over again (delete the domain and start over), even though that usually isn't feasible in the real world. AD contains the "keys to the kingdom" and imho should be treated as such.

It would depend on what access is required by the students. If the students do not have a need to log on directly to the domain, i.e. from a PC in the domain with a domain account, and only access resources through a web/app front end that is behind a firewall, then an OU, while not optimal from a security perspective, is probably fine. Of course, at that point you can ask if you really need Active Directory? There are other LDAP solutions out there that are simpler and cheaper. It depends on your comfort in accepting risk (and budget of course).

If they have to log on to the domain, then I would put them in a separate domain (not a child domain) or Forest and then establish a one-way trust from the business domain/forest to the student domain. There are probably ways to ACL the users in a separate OU from seeing other objects, but the complexity of going that route would be creating more risk than creating a new domain/forest and doing the trust thing. You can prevent them from logging into employee computers. The problem comes with managing these sorts of things over time. They tend to get forgotten or misunderstood and then basically lost. It also becomes a challenge to audit.
Separate domains and trust relationships are much cleaner. If you have the opportunity to move the Students and the Classroom/Lab PCs to a new domain/forest I would take advantage of it, if it is feasible for your environment.

Nick Garigliano, CISSP GICH CCNA
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Thu, Apr 20, 2017 at 12:32 AM, Terry Jolley <terry.jolley () pcc edu> wrote:
Hi All,

I am new to this Educause group and looking for advice or best practices. We are a large community college and have just implemented Microsoft Active Directory for all faculty, staff "employees" and classroom/general use computers. We now need to figure out how to handle student accounts. Do we add students to the existing AD domain, possibly using a "student" OU, or do we create a secondary AD Domain to create a security perimeter from our employee domain? We also would most likely move the classroom/general use machines to this secondary domain if we go that route. We would not want students to be able to log in to an "employee" computer joined to AD, but they should be able to log in to a classroom, lab, or general use computer using their AD credentials. We also currently use a defined OU structure that separates classroom/general computers at the root level from employee computers within the one domain.

Looking for any advice on this topic. We have some use cases where "employees" will have to log in to the classroom/general computers, so AD "trust" between the sub domains will be required. Again, the reason for a secondary "student" domain is based on general security preferences, but if there is a better way of handling it while keeping everyone in one domain, that would be preferred.

Thank you for your time in this matter.

Terry Jolley
Portland Community College
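As an added example, not part of this thread or written by either poster: a PowerShell audit, run from the business forest with the ActiveDirectory RSAT module, that lists every trust and flags the settings that would undermine the one-way design Nick describes (a trust that has quietly become bidirectional, or one without selective authentication, so that every business-side computer honours logons from the student forest). The forest name in the comments is a placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# installed and the session runs as an account allowed to read trust objects.
Import-Module ActiveDirectory

function Get-TrustFindings {
    # Returns one object per trust with the issues a periodic audit should flag.
    # Intended design: the student forest (e.g. students.example.edu, placeholder)
    # is reachable through exactly one one-way trust, never a two-way one.
    $results = @()
    foreach ($t in Get-ADTrust -Filter *) {
        $issues = @()

        # A two-way trust lets student-forest principals authenticate to the
        # business side as well, which is the exposure the separate forest avoids.
        if ($t.Direction -eq 'Bidirectional') {
            $issues += 'trust is bidirectional'
        }

        # Without selective authentication, any computer in the trusting forest
        # accepts authentication from the other forest; with it, only computers
        # explicitly granted "Allowed to Authenticate" do.
        if (-not $t.SelectiveAuthentication) {
            $issues += 'selective authentication disabled'
        }

        # An external (non-forest) trust is usually a sign of an ad-hoc domain
        # trust that was never reviewed; worth a look even if not wrong.
        if (-not $t.ForestTransitive -and -not $t.IntraForest) {
            $issues += 'external (non-forest) trust'
        }

        $results += [pscustomobject]@{
            Target          = $t.Target
            Direction       = $t.Direction
            ForestTrust     = $t.ForestTransitive
            SelectiveAuth   = $t.SelectiveAuthentication
            TrustAttributes = ('0x{0:X}' -f $t.TrustAttributes)  # raw bits for the record
            Issues          = ($issues -join '; ')
        }
    }
    return $results
}

# Print the table; pipe to Export-Csv to keep a dated record for the next audit.
Get-TrustFindings | Format-Table -AutoSize
```

Running this on a schedule and diffing the output against the last run catches the "forgotten or misunderstood" drift Nick mentions, since any new trust or a direction change shows up as a new row or a new issue.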
Current thread:
- Re: Secondary AD domains for students - good or more work when not needed? Terry Jolley (Apr 19)
- Re: Secondary AD domains for students - good or more work when not needed? Eric Lukens (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Allen Wood (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Nicholas Garigliano (Apr 20)
- Re: Secondary AD domains for students - good or more work when not needed? Eric Lukens (Apr 20)