Firewall Wizards mailing list archives
RE: Architecture Q - Public access domain integrated pc's
From: "Jeff B" <bolesjb () yahoo com>
Date: Tue, 18 May 2004 20:05:54 -0700
Hi Paul:

Those are my feelings also, but the difficulty I struggle with is that I don't believe we can effectively 'architect' the MS management products into two forests with any effective degree of isolation. Which is fundamentally the insane issue I'm trying to address. I believe MS has effectively engineered an environment where I either a) must use duplicate instances of management tools to address a trusted and untrusted segment, or b) open up enough holes (for authentication to separate forests) that it violates all significant security boundaries anyhow.

-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net]
Sent: Tuesday, May 18, 2004 7:20 PM
To: Jeff Boles
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Architecture Q - Public access domain integrated pc's

On Tue, 18 May 2004, Jeff Boles wrote:
> security and controlling system vulnerabilities. We'd like to integrate into an AD architecture which also supports the core enterprise (non-public users) as well. Public users would be identity-less guest accounts with automatic logon, with passwordless terminal services accounts set up on a per device basis, and desktop access controlled via the third party logon product. The need for Active Directory integration is to manage these terminal servers, as well as some non-terminal public systems (updates and patches), with the same management infrastructure in place on the enterprise network (SUS, SMS, etc.).
Someone else will have to answer the specifics, but in general terms, using the same authentication method for untrusted systems as trusted systems tends to be a bad trust boundary crossover. With AD, it seems to me that there have been significant "once you're in, you're in and once you escalate you're in _everywhere_" type issues. Surely it's not that much more administrative work to have a separate forest for the public stuff and add duplicate accounts for those things that need them?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
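The thread's two options are a fully separate public forest with duplicate accounts, or a trust between the public and enterprise forests that, as Jeff puts it, opens holes for authentication. If the second route is taken, the trust itself can at least be audited for the settings that bound the "once you're in, you're in everywhere" problem Paul describes. The script below is an added example written for this archive page, not code from either poster; it assumes the RSAT ActiveDirectory module (for `Get-ADTrust`) and uses a constructed trust object, `public.example.invalid`, in place of a real forest. The TrustAttributes bit values are the documented trustAttributes flags (0x8 forest transitive, 0x10 cross-organization/selective authentication, 0x40 treat-as-external).

```powershell
# Added example: audit forest trusts from the enterprise side for the
# properties that narrow a cross-forest authentication path.
# Assumes the ActiveDirectory module; the trust object below is constructed.

function Test-ForestTrustHardening {
    param(
        # Objects shaped like Get-ADTrust output (Name, Direction,
        # ForestTransitive, SelectiveAuthentication, TGTDelegation, TrustAttributes).
        [Parameter(Mandatory, ValueFromPipeline)] $Trust
    )
    process {
        $findings = @()

        # A two-way trust lets enterprise principals authenticate into the
        # public forest as well; management usually only needs one direction.
        if ($Trust.Direction -eq 'BiDirectional') {
            $findings += 'Two-way trust: consider a one-way trust in the management direction only.'
        }

        # Without selective authentication (trustAttributes 0x10), every account
        # in the other forest is accepted by every resource in this one.
        if (-not $Trust.SelectiveAuthentication) {
            $findings += 'Forest-wide authentication: enable selective authentication and grant "Allowed to Authenticate" only on the management servers.'
        }

        # TREAT_AS_EXTERNAL (0x40) relaxes SID filtering on a forest trust, so
        # sIDHistory values from the other forest are honoured here.
        if ($Trust.TrustAttributes -band 0x40) {
            $findings += 'SID filtering relaxed (treat-as-external set): sIDHistory from the public forest is trusted.'
        }

        # TGT delegation across the trust allows unconstrained delegation to
        # reach back into this forest from the public one.
        if ($Trust.TGTDelegation) {
            $findings += 'TGT delegation enabled across the trust: disable it unless a specific service requires it.'
        }

        [pscustomobject]@{
            Trust    = $Trust.Name
            Findings = if ($findings.Count) { $findings } else { @('No weak settings detected.') }
        }
    }
}

# Constructed sample: a forest trust configured with the defaults an
# administrator might get from "just make it work" (not a real forest).
$sampleTrust = [pscustomobject]@{
    Name                    = 'public.example.invalid'
    Direction               = 'BiDirectional'
    ForestTransitive        = $true
    SelectiveAuthentication = $false
    TGTDelegation           = $true
    TrustAttributes         = 0x8 -bor 0x40
}

$sampleTrust | Test-ForestTrustHardening | Format-List
```

Against live data, run `Get-ADTrust -Filter * | Test-ForestTrustHardening` from a domain controller or RSAT host in the enterprise forest. The audit covers only the trust object; it says nothing about what the management tools themselves (SUS, SMS) still require across the boundary, which is the part of Jeff's point b) that a trust setting cannot fix.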
Current thread:
- Architecture Q - Public access domain integrated pc's Jeff Boles (May 18)
- Re: Architecture Q - Public access domain integrated pc's Paul D. Robertson (May 18)
- RE: Architecture Q - Public access domain integrated pc's Jeff B (May 19)
- Re: Architecture Q - Public access domain integrated pc's Paul D. Robertson (May 18)