Security Basics mailing list archives
RE: [BULK] - RE: Microsoft Active Directory security concerns
From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
Date: Wed, 14 Jun 2006 15:56:36 -0500
Dennis,

You are certainly right. I was merely commenting on what Dave's NT administrators are likely to say to justify their point of using the existing AD structure.

However, Dave does indicate that many of the users of the portal will be existing internal users. These users will, in my experience, complain up the chain of command if they are expected to use different accounts to log in to the external portal than they use to log in to the internal domain. They will point out that (possibly) both OWA and TS are available externally using internal credentials.

So, while we may all agree with Dave's hunches that this isn't the best thing to do, I think he's in for at least a debate on the merits (and now he knows their point of view a bit better).

Properly controlled, allowing access through a web portal isn't more of a risk than allowing access through Outlook Web Access or Terminal Services, in my opinion. No, it's not ideal, but the business is likely to take the risk.

Best Regards,
Scott Ramsdell

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov]
Sent: Wednesday, June 14, 2006 6:48 AM
To: Ramsdell, Scott; DHegenbarth () wrberkley com; security-basics () securityfocus com
Subject: [BULK] - RE: Microsoft Active Directory security concerns

Scott,

I agree; however, these same advantages can be had if you set up a separate AD forest for your DMZ.

Dennis

-----Original Message-----
From: Ramsdell, Scott [mailto:sramsdell () stinsonmoheck com]
Sent: Tuesday, June 13, 2006 2:18 PM
To: DHegenbarth () wrberkley com; security-basics () securityfocus com
Subject: RE: Microsoft Active Directory security concerns

Dave,

I'm not advocating one way or the other, as I've seen the business owners of web systems go both ways.

However, here are some advantages to using AD accounts over local accounts, since you asked:
- the accounts must conform to your password policies
- the accounts can be restricted to log in to only the DMZ web server
- the accounts can have a logon/logoff hours policy applied to them
- you can apply GPOs to the accounts for whatever purpose you need
- you can set expiration dates for the accounts

Best Regards,
Scott Ramsdell

-----Original Message-----
From: DHegenbarth () wrberkley com [mailto:DHegenbarth () wrberkley com]
Sent: Tuesday, June 13, 2006 11:06 AM
To: security-basics () securityfocus com
Subject: Microsoft Active Directory security concerns

All,

I have spent most of my time in network security and IDS/IPS technology, so I'm fairly new to security pertaining to MS Active Directory. We are being asked to evaluate web portal authentication/authorization for users, most of whom are not employees of our company. Our NT group wants to add/maintain users in an "external OU", in an existing domain, under our existing AD forest. I think this is a bad idea, but I am not versed enough in AD to argue the point.

Are there glaring issues with this strategy? My concern is that if someone were to gain access to AD they might not only affect external applications but internal production as well. Are "external OUs" that secure? Are there more secure authentication schemes?

Any thoughts would be greatly appreciated.

Dave

This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.
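Editor's added example (not code from Scott, Dennis or Dave): the account-level controls Scott lists, applied to a portal user kept in an "external" OU with the ActiveDirectory PowerShell module, a tool that postdates this 2006 thread and needs a 2008 or later domain functional level for the fine-grained password policy step. The OU, group, server and account names are assumed for illustration.

```powershell
# Added example: applying the account controls from Scott's list to a portal
# account in an "external" OU. Assumes the RSAT ActiveDirectory module and a
# 2008+ domain functional level. OU, group, server and user names are made up.
Import-Module ActiveDirectory

$ExternalOU    = "OU=External,DC=corp,DC=example,DC=com"   # assumed OU
$PortalGroup   = "External-Portal-Users"                    # assumed global security group
$PsoName       = "External-Portal-PSO"                      # assumed password settings object
$PortalServers = "DMZWEB01,DMZWEB02"                        # assumed DMZ web servers (NetBIOS names)

# 1. Password policy. A PSO binds to users or global security groups, not to an
#    OU, so portal users go into a group and the PSO is bound to that group.
if (-not (Get-ADGroup -Filter "Name -eq '$PortalGroup'")) {
    New-ADGroup -Name $PortalGroup -GroupScope Global -GroupCategory Security -Path $ExternalOU
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 50 `
        -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge "90.00:00:00" -MinPasswordAge "1.00:00:00" `
        -LockoutThreshold 5 -LockoutDuration "0.00:30:00" -LockoutObservationWindow "0.00:30:00" `
        -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $PortalGroup
}

# 2. Logon hours. logonHours is 21 bytes = 168 bits, one per hour of the week,
#    starting Sunday 00:00, least-significant bit first. The DC interprets the
#    bits in UTC, so the window below is UTC, not local time.
function New-LogonHours {
    param(
        [int[]] $Days,       # 0 = Sunday ... 6 = Saturday
        [int]   $StartHour,  # inclusive, 0-23 UTC
        [int]   $EndHour     # exclusive, 1-24 UTC
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour
            # [math]::Floor, not [int], because [int] rounds 0.875 up to 1
            $idx = [int][math]::Floor($bit / 8)
            $bytes[$idx] = $bytes[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $bytes
}
$BusinessHoursUtc = New-LogonHours -Days 1,2,3,4,5 -StartHour 6 -EndHour 20

# 3. Create the account in the external OU with an expiry date, the workstation
#    restriction (Scott's "login only to the DMZ web server"), logon hours and
#    membership of the group that carries the PSO.
$Sam = "ext.jdoe"   # assumed account name
$Pwd = Read-Host -AsSecureString "Initial password for $Sam"
New-ADUser -Name "Jane Doe (External)" -SamAccountName $Sam `
    -UserPrincipalName "$Sam@corp.example.com" -Path $ExternalOU `
    -AccountPassword $Pwd -ChangePasswordAtLogon $true -Enabled $true `
    -AccountExpirationDate (Get-Date).AddDays(90) `
    -LogonWorkstations $PortalServers
Set-ADUser -Identity $Sam -Replace @{ logonHours = $BusinessHoursUtc }
Add-ADGroupMember -Identity $PortalGroup -Members $Sam

# 4. Verify what actually applies to the account, including the resultant PSO.
Get-ADUser -Identity $Sam -Properties LogonWorkstations, AccountExpirationDate, logonHours |
    Select-Object SamAccountName, LogonWorkstations, AccountExpirationDate,
        @{ n = 'LogonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('X2') }) -join ' ' } }
Get-ADUserResultantPasswordPolicy -Identity $Sam |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

Two caveats a practitioner would want: LogonWorkstations is a list of at most 64 NetBIOS computer names and is enforced on the logon the domain controller sees coming from that computer, so it restricts where the account can authenticate, not which application may use it; and Scott's fourth item, GPOs, is linked to the OU rather than set on the account, so it is not shown here. None of these controls change the blast-radius point Dave raises about a compromised account or DMZ server reaching the production forest; that is the question Dennis's separate-forest suggestion addresses.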
Current thread:
- RE: [BULK] - RE: Microsoft Active Directory security concerns Ramsdell, Scott (Jun 14)
- Employee Monitoring in Terminal Service Environment Damon (Jun 22)
- RE: Employee Monitoring in Terminal Service Environment Roger A. Grimes (Jun 23)
- Re: Employee Monitoring in Terminal Service Environment Nicholas Schmidt (Jun 23)