Educause Security Discussion mailing list archives
Re: Windows Domain Controllers: Risks involved
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 13 Mar 2009 15:09:22 -0500
There's absolutely no benefit to doing this. In AD your security boundary is the forest, not the domain, so if you wanted to do this you'd need two separate forests. Then you'd probably need a third forest for Exchange. Management overhead at this point is a nightmare and you've gained nothing in my opinion.

The model of having the empty root is a Windows 2000 era thing that was largely from misguided assumptions. At this point there's not much in the way of reasons to be looking at that model anymore.

Exchange works fine if you have it in its own forest, although you'll need a toolset in place to manage sync of data between your authentication forest(s) and your Exchange resource forest. Exchange works fine fundamentally in a multidomain forest; however, it's not nearly as easy to manage and there are some quirks. I have a chapter (10) in my book (www.briandesmond.com/ad4/) about this process which walks you through a decision workflow for designing a domain hierarchy.

Thanks,
Brian Desmond
brian () briandesmond com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Kaftan
Sent: Friday, March 13, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved

When creating an Active Directory domain, I am curious whether you create a single domain for both Students and Fac\Staff, or a tree-like structure with a parent domain and the two child domains, or something totally different like separate non-linked domains. What are the implications if you decide to implement Exchange down the road?

F.M. Taylor wrote:
On Friday 13 March 2009, Marmina Abdel Malek formed electrons in this pattern:

> Dear All,
>
> I'm assessing the idea of implementing a campus wide domain controller to include faculty and staff computers, as well as student labs computers. I understand all the advantages of centralized management of all the campus computers, but I have some concerns that I would like to know how you reacted to them:
>
> - Domain admins can access the files of any computer in the domain. How do you ensure the confidentiality and privacy of users and data?

Most admins don't have the time or inclination to go through the users' files, as when they first discovered they could do this they also discovered that the users are boring. Also there are ethical (and in some cases legal) standards that any admin worth getting paid should uphold. On the other hand, the users should be made aware that all of the computers are in fact the property of the university and that they have no expectation of privacy. Truly sensitive data should be encrypted.

> - In your implementations, do you include the computers of the top management?

Yes, but it is optional. Their original machines are supplied that way, and most of them leave them in that configuration. They have neither the time nor inclination (or technical acumen) to admin their own workstations.

> - Do you give faculty and staff high-level access to install applications, or do installation requests have to be channeled to the domain admins?

No, requests for new applications are submitted to the domain admins.

> - Are there any tips, recommendations, or lessons learned on implementing a campus wide domain controller?

Our Unix administrators take the machines and immediately wipe them and install a Unix desktop. They are the only group allowed to do this. Attempting to get a Unix admin to use a domain controlled Windows workstation is like teaching a pig to dance: it's a waste of your time and annoys the pig.

> Best Regards,
> Marmina Abdel-Malek
> IT Security Officer
> The American University in Cairo
> Tel : +202-2615-3561
> Fax: +202-2795-6746
> Email: marmina () aucegypt edu
> web: www.aucegypt.edu

Hope that helps.
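Brian's point that the forest, not the domain, is the security boundary can be checked against a live forest. The following PowerShell audit is an added example, not code from the thread or from his book; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access, and that the forest-wide groups keep their default names.

```powershell
# Added example (not from the thread). Shows why a child domain is not an isolation
# boundary: forest-wide admin groups and trust settings decide who reaches what.
# Assumes: RSAT ActiveDirectory module, a domain-joined host, read access to AD.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest $($forest.Name): root domain $($forest.RootDomain)"
Write-Host "Domains sharing this one boundary: $($forest.Domains -join ', ')"

# Returns the DNS domain name encoded in an object's distinguishedName.
function Get-DomainFromDN([string]$dn) {
    (($dn -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

# Enterprise Admins and Schema Admins exist only in the root domain but are
# authoritative across every domain in the forest. Any member that comes from a
# "separate" student or staff child domain already holds forest-wide rights.
$rootDc = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Server $rootDc -Recursive | ForEach-Object {
        $from = Get-DomainFromDN $_.distinguishedName
        $flag = if ($from -ne $forest.RootDomain) { 'CROSS-DOMAIN' } else { 'root' }
        Write-Host ("{0,-18} {1,-30} {2,-25} {3}" -f $group, $_.SamAccountName, $from, $flag)
    }
}

# Two forests only give the isolation Brian describes while SID filtering stays
# enabled on the inter-forest trust; intra-forest trusts never filter.
foreach ($t in Get-ADTrust -Filter *) {
    if ($t.IntraForest) {
        Write-Host "Trust $($t.Name): intra-forest, shares the forest boundary"
        continue
    }
    $filtered = $t.SIDFilteringForestAware -or $t.SIDFilteringQuarantined
    $state = if ($filtered) { 'SID filtering ON' } else { 'SID filtering OFF - review' }
    Write-Host "Trust $($t.Name) ($($t.Direction)): $state; selective auth = $($t.SelectiveAuthentication)"
}
```

Any CROSS-DOMAIN row or a trust reported with SID filtering off means the domain split is not buying the isolation it was meant to.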
Current thread:
- Windows Domain Controllers: Risks involved Marmina Abdel Malek (Mar 13)
- <Possible follow-ups>
- Re: Windows Domain Controllers: Risks involved Tupker, Mike (Mar 13)
- Re: Windows Domain Controllers: Risks involved F.M. Taylor (Mar 13)
- Re: Windows Domain Controllers: Risks involved John Kaftan (Mar 13)
- Re: Windows Domain Controllers: Risks involved Patrick P Murphy (Mar 13)
- Re: Windows Domain Controllers: Risks involved Miller, Don C. (Mar 13)
- Re: Windows Domain Controllers: Risks involved Miller, Don C. (Mar 13)
- Re: Windows Domain Controllers: Risks involved Chris Green (Mar 13)
- Re: Windows Domain Controllers: Risks involved Anand S Malwade (Mar 13)
- Re: Windows Domain Controllers: Risks involved Brian Desmond (Mar 13)
- Re: Windows Domain Controllers: Risks involved Brian Desmond (Mar 13)
- Re: Windows Domain Controllers: Risks involved Jason Testart (Mar 13)
- Re: Windows Domain Controllers: Risks involved Brian Desmond (Mar 13)
- Re: Windows Domain Controllers: Risks involved Marmina Abdel Malek (Mar 13)
- Re: Windows Domain Controllers: Risks involved Brian Desmond (Mar 13)
- Re: Windows Domain Controllers: Risks involved Ryan S. Johnston (Mar 16)
- Re: Windows Domain Controllers: Risks involved David Gillett (Mar 17)