Security Basics mailing list archives
RE: AD Child Domains
From: "Sheldon Malm" <smalm () ncircle com>
Date: Thu, 24 Apr 2008 06:34:38 -0700
Raoul: this should be negotiated at the political level before scrambling to find a technical solution. There is nothing particularly "strict" about PCI's password guidelines. It's clear that PCI is enough of a driver in your organization to have sparked this discussion (which is good), however PCI is focused primarily on protecting cardholder data. The PCI DSS as written today is not a draconian Security Standard. My best advice before you complicate your AD environment would be to make sure that standard password enforcement is absolutely out of the question. Given the huge increase in client-side attacks over the last 18 months, it is in your organization's best interest to get these users out of the dark ages. You're not forcing the use of SecureID tokens here - this is standard 21st Century common sense. This sounds like an education and socialization question; not a technical one. My 2 cents. Sheldon Malm Director Security Research & Development nCircle Network Security Check out the VERT daily post http://blog.ncircle.com/vert -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Raoul Armfield Sent: Wednesday, April 23, 2008 2:43 PM To: security-basics () securityfocus com Subject: AD Child Domains We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users do not need/want (and are very vocal about it) to follow the stricter password policy that PCI mandates. I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users. Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated. Raoul
Current thread:
- AD Child Domains Raoul Armfield (Apr 23)
- RE: AD Child Domains Sheldon Malm (Apr 24)
- RE: AD Child Domains Rhett Grant (Apr 24)
- Re: AD Child Domains pinowudi (Apr 24)
- RE: AD Child Domains Rob McShinsky (Verizon) (Apr 24)
- Re: AD Child Domains John Bailey (Apr 24)