Educause Security Discussion mailing list archives

Re: SECURITY Digest - 2 Nov 2009 to 3 Nov 2009 (#2009-251)


From: "Flynn, Gerald" <flynngn () JMU EDU>
Date: Wed, 4 Nov 2009 11:04:20 -0500

AD is the integration point and central configuration store for Microsoft 
platforms and applications. Any applications requiring synergy will need 
an integration point and the vendor's native integration point is likely 
to be more reliable and less complex than something layered on top. 
Complexity is the enemy of security in more ways than one. Mistakes are 
more likely, but, perhaps just as important, if you have to implement 
additional products on top that add to implementation complexity and 
possibly cost, the project is less likely to get done, let alone get done
right, which means core functionality needed to improve security
will be missing - most notably desktop configuration management and
certificate and key management for EFS/BitLocker/authentication/encryption.

Can those functions be done with other products? Sure. Might they be
incrementally better in some respects, particularly cross-platform
support? Definitely. But what is likely to work better, sooner,
and with fewer product border disruptions: a vendor's native implementation
or an add-on?

Also, who is likely to offer such support first for new Microsoft
platforms like Windows 7 - Microsoft or a third party? 

Many people already brought up the strong motivator that third party vendors 
often integrate their products with AD and that some even assume its 
presence.

The file/print sharing piece of Novell vs AD is not the point and should
not lead the decision. The management and integration of the infrastructure 
is. I'd argue that the closer you stay to the OS and native tools, the 
better off you'll be. If the installed base is 85% Windows, I think that
points to the direction to lead towards.

Conversely, there is the argument against homogeneous environments and
the standardized target they represent. Just as vendors integrate with and
assume the presence of AD, so may malware writers and criminals. So in
some ways, primarily the number of threats, using a different platform
would have less risk associated with it. That may be negated if not having
that central integration and management point keeps you from managing
the weakest and most attacked point in today's infrastructure: end user 
devices. And some hold the "put all your eggs in one basket and watch
that basket very closely" risk response.
