Security Basics mailing list archives

RE: AD Child Domains

From: "Sheldon Malm" <smalm () ncircle com>
Date: Thu, 24 Apr 2008 06:34:38 -0700

Raoul: this should be negotiated at the political level before
scrambling to find a technical solution.  There is nothing particularly
"strict" about PCI's password guidelines.  It's clear that PCI is enough
of a driver in your organization to have sparked this discussion (which
is good), however PCI is focused primarily on protecting cardholder
data.  The PCI DSS as written today is not a draconian Security
Standard.

My best advice before you complicate your AD environment would be to
make sure that standard password enforcement is absolutely out of the
question.  Given the huge increase in client-side attacks over the last
18 months, it is in your organization's best interest to get these users
out of the dark ages.  You're not forcing the use of SecureID tokens
here - this is standard 21st Century common sense.  This sounds like an
education and socialization question; not a technical one.

My 2 cents.


Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Raoul Armfield
Sent: Wednesday, April 23, 2008 2:43 PM
To: security-basics () securityfocus com
Subject: AD Child Domains

We are in the process of making a modification to our AD structure.  For
PCI compliance we need to segregate a portion of our users to a separate
domain.  This set of users do not need/want (and are very vocal about
it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a
two-way transitive trust between the two domains.  Is it possible to
limit this trust relationship to a one-way trust relationship?  If this
is possible it seems to me that it may be preferable to creating a new
forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through
completely and am missing some important factors to consider.  Your
thoughts would be greatly appreciated.

Raoul

Current thread:

AD Child Domains Raoul Armfield (Apr 23)
- RE: AD Child Domains Sheldon Malm (Apr 24)
- RE: AD Child Domains Rhett Grant (Apr 24)
- Re: AD Child Domains pinowudi (Apr 24)
- RE: AD Child Domains Rob McShinsky (Verizon) (Apr 24)
  - Re: AD Child Domains John Bailey (Apr 24)