RE: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN

["Depp, Dennis M." <deppdm () ornl gov>]

If I am not mistaken, you can setup any account to require smart card
authentication.  So you could require smartcards for admin accounts but
not normal users.  This should not requireany special forest/domain
comfigurations.

Dennis 

-----Original Message-----
From: Nick Owen [mailto:nickowen () mindspring com] 
Sent: Thursday, March 03, 2005 7:39 PM
To: security-basics () securityfocus com
Cc: Depp, Dennis M.; 'Leon North'
Subject: Separating authentication and authorization for admins was: RE:
AD across both DMZ & LAN

Seeing this post reminded me of a question I was noodling:

Would it be possible to require strong authentication for any
administrators and/or admin actions (such as running an MMC) on the
LAN/WAN, but not require two-factor for non-admin logins?  

One thought that I had (or google had) was to configure multiple forest
or domains.  One had only users and one had only admins.  Then could you
configure trusts and GPOs in such a way that admin actions were proxied
through ISA and routed via radius to a strong authentication server (as
you can do with remote access)?  Perhaps convoluted, but you can imagine
that it would be great to have admin actions locked down with two-factor
authentication on a large LAN/WAN.  It seems to make sense, but I don't
have near the windows experience to answer it.

TIA,

Nick

> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm () ornl gov] 
> Sent: Tuesday, March 01, 2005 1:03 PM
> To: Leon North; security-basics () securityfocus com
> Subject: RE: AD across both DMZ & LAN
>
>
> Leon,
>
> 1.  Yes this is possible.  You will want to setup two forests 
> and create a one way trust between the two forests.  (or 
> between two domains in the
> forest.)
> 2.  While not ideal, I think it is an acceptable approach.  
> However, your management will have to decide if the risk is 
> worth the cost savings. 3.  You should be able to configure 
> loopback processing of GPOs on the Citrix server.  This will 
> allow you to define a separate user profile when they log 
> onto the Citrix server.
>
> Denny
>  
>
> -----Original Message-----
> From: Leon North [mailto:leon_nc () linuxmail org] 
> Sent: Tuesday, March 01, 2005 10:20 AM
> To: security-basics () securityfocus com
> Subject: AD across both DMZ & LAN
>
> Hi,
>
> We currently have an NT4 domain in the DMZ and an unrelated 
> NT4 domain internally. The DMZ domain contains a server 
> running citrix, and is used for internet web browsing/email, 
> so that we only have to allow the citrix connection through 
> the FW to the LAN & no internal users can directly access the 
> internet from their PC's.
>
> As part of an upgrade to Active Directory (both domains 
> Win2k3), we would like to get the DMZ to trust the internal 
> domain, so that we only have one set of user accounts to 
> manage. But I am not sure about a couple of things with this setup-
>
> 1. Will this work like this, so that we only need 1 user 
> account per user instead of a seperate one externally to 
> internally? (excuse the vagueness of the question)
>
> 2. If so, is that (not ideal I know but) an acceptable 
> approach security wise, when the DMZ DC can access the 
> accounts on the internal domain?
>
> 3. Can we configure it somehow so that the user gets a 
> different profile when logging in to the DMZ only? I ask that 
> because one potential issue I see is getting a virus 
> infection into user profile while logged into the DMZ, then 
> logging into an internal server.
>
> Thanks for any help.
>
> Leon
> -- 
> ______________________________________________
> Check out the latest SMS services @ http://www.linuxmail.org 
> This allows you to send and receive SMS through your mailbox.
>
>
> Powered by Outblaze
--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
At last, Two Factor Authentication, Without the Expense Factor

-- 

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.6.0 - Release Date: 3/2/2005