Educause Security Discussion mailing list archives

Re: Secondary AD domains for students - good or more work when not needed?


From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Thu, 20 Apr 2017 12:48:30 -0400

Hi Terry,

One thing to keep in mind is that all users of AD have the ability to read
objects in the domain. So, if you put your students and the general
use/classroom PCs in your "business" domain you are potentially opening up
your business network, including Admin accounts, to a large, untrusted
population. A common penetration technique is to get access to an AD
account and then elevate that access to Domain Admin. Once you lose a
Domain Admin account it is pretty difficult to recover from it with any
degree of confidence. From what I have read, Microsoft will recommend
starting all over again (delete the domain and start over), even though
that usually isn't feasible in the real world. AD contains the "keys to the
kingdom" and imho should be treated as such.

It would depend on what access is required by the students. If the
students do not have a need to log on directly to the domain, i.e. from a
PC in the domain with a domain account, and only access resources through a
web/app front end that is behind a firewall, then an OU, while not optimal
from a security perspective, is probably fine. Of course, at that point
you can ask whether you really need Active Directory. There are other LDAP
solutions out there that are simpler and cheaper. It depends on your
comfort in accepting risk (and budget of course). If they have to log on
to the domain, then I would put them in a separate domain (not a child
domain) or Forest and then establish a one-way trust from the business
domain/forest to the student domain.

There are probably ways to ACL the users in a separate OU from seeing other
objects, but the complexity of going that route would be creating more risk
than creating a new domain/forest and doing the trust thing. You can
prevent them from logging into employee computers. The problem comes with
managing these sorts of things over time. They tend to get forgotten or
misunderstood and then basically lost. It also becomes a challenge to
audit. Separate domains and trust relationships are much cleaner.

If you have the opportunity to move the Students and the Classroom/Lab PCs
to a new domain/forest I would take advantage of it, if it is feasible for
your environment.


Nick Garigliano, CISSP GICH CCNA
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109
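The one-way trust design described above, as an added example that is not part of the thread: a small audit over the trust objects of the student domain that flags a two-way or reversed trust, an unexpected trust partner, or a trust without SID filtering. It assumes the student domain is the trusting side and the business domain the trusted side (so employees can log on to lab PCs while student accounts cannot reach business resources); the domain names and trust records are constructed, and the SID-filtering check is an added hardening point rather than something the thread states.

```python
# trustDirection values of a trustedDomain object (MS-ADTS 6.1.6.7.5),
# seen from the domain that holds the object.
DIRECTION_INBOUND = 0x1        # the partner domain trusts us
DIRECTION_OUTBOUND = 0x2       # we trust the partner domain
DIRECTION_BIDIRECTIONAL = 0x3

# trustAttributes bit: SID filtering (quarantine) is enforced on the trust.
ATTR_QUARANTINED_DOMAIN = 0x4

# Constructed records shaped like trustedDomain objects returned by an LDAP
# query against the student domain (domain names are made up).
GOOD_CONFIG = [
    {"trustPartner": "corp.example.edu", "trustDirection": 0x2, "trustAttributes": 0x4},
]
BAD_CONFIG = [
    {"trustPartner": "corp.example.edu", "trustDirection": 0x3, "trustAttributes": 0x0},
    {"trustPartner": "vendor.example.net", "trustDirection": 0x2, "trustAttributes": 0x4},
]


def audit_student_trusts(trusts, business_domain):
    """Return (partner, finding) tuples for every deviation from the intended
    design: the student domain trusts the business domain one way, with SID
    filtering on, and trusts nothing else. An empty list means the design holds."""
    findings = []
    business = business_domain.lower()
    seen_business = False
    for t in trusts:
        partner = t["trustPartner"].lower()
        if partner != business:
            findings.append((partner, "unexpected trust partner"))
            continue
        seen_business = True
        direction = t["trustDirection"] & DIRECTION_BIDIRECTIONAL
        if direction == DIRECTION_BIDIRECTIONAL:
            findings.append((partner, "two-way trust: student accounts can authenticate to business resources"))
        elif direction == DIRECTION_INBOUND:
            findings.append((partner, "reversed trust: the business domain trusts the student domain"))
        elif direction == 0:
            findings.append((partner, "trust is disabled"))
        if not t["trustAttributes"] & ATTR_QUARANTINED_DOMAIN:
            findings.append((partner, "SID filtering (quarantine) not set on the trust"))
    if not seen_business:
        findings.append((business, "no trust to the business domain: employees cannot log on to lab PCs"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_student_trusts(cfg, "corp.example.edu"))
```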

On Thu, Apr 20, 2017 at 12:32 AM, Terry Jolley <terry.jolley () pcc edu> wrote:

Hi All,

I am new to this Educause group and looking for advice or best practices.
We are a large community college and have just implemented Microsoft Active
Directory for all faculty, staff "employees" and classroom/general use
computers.

We now need to figure out how to handle student accounts. Do we add
students to the existing AD domain, possibly using a "student" OU, or do we
create a secondary AD Domain to create a security perimeter from our
employee domain? We also would most likely move the classroom/general use
machines to this secondary domain if we go that route.

We would not want students to be able to log in to an "employee" computer
joined to AD, but they should be able to log in to a classroom, lab, general
use computer using their AD credentials. We also currently use a defined
OU structure that separates classroom/general computers at the root level
from employee computers within the one domain.

Looking for any advice on this topic... We have some use cases where
"employees" will have to log in to the classroom/general computers, so AD
"trust" between the sub domains will be required. Again, the reason for a
secondary "student" domain is based on general security preferences, but if
there is a better way of handling this while keeping everyone in one domain it
would be preferred.

Thank you for your time in this matter.
Terry Jolley
Portland Community College

