Firewall Wizards mailing list archives

Re: Architecture Q - Public access domain integrated pc's


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 May 2004 22:20:03 -0400 (EDT)

On Tue, 18 May 2004, Jeff Boles wrote:

> security and controlling system vulnerabilities.  We'd
> like to integrate into an AD architecture which also
> supports the core enterprise (non-public users) as
> well.  Public users would be identity-less guest
> accounts with automatic logon, with passwordless
> terminal services accounts set up on a per device
> basis, and desktop access controlled via the third
> party logon product.  The need for Active Directory
> integration is to manage these terminal servers, as
> well as some non-terminal public systems (updates and
> patches) with the same management infrastructure in
> place on the enterprise network (SUS, SMS, etc.).

Someone else will have to answer the specifics, but in general terms,
using the same authentication method for untrusted systems as trusted
systems tends to be a bad trust boundary crossover.  With AD, it seems to
me that there have been significant "once you're in, you're in and once
you escalate you're in _everywhere_" type issues.  Surely it's not that
much more administrative work to have a separate forest for the public
stuff and add duplicate accounts for those things that need them?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
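The trust-boundary point in the reply above, as an added example that is not part of the original thread: a small worst-case reachability model comparing a shared forest, separate forests, and separate forests with a convenience trust added later. Forest and host names are constructed, and the model assumes (as the reply does) that escalation on one member compromises its whole forest.

```python
from collections import deque

# Constructed designs (assumption: names are illustrative, not a real environment).
# "trusts" holds (trusting_forest, trusted_forest) pairs: accounts from the
# trusted forest can be granted access to resources in the trusting forest.
SHARED_FOREST = {
    "members": {"kiosk01": "corp", "fileserver": "corp", "dc": "corp"},
    "trusts": [],
}
SEPARATE_FORESTS = {
    "members": {"kiosk01": "public", "fileserver": "corp", "dc": "corp"},
    "trusts": [],
}
SEPARATE_WITH_TRUST = {
    "members": {"kiosk01": "public", "fileserver": "corp", "dc": "corp"},
    "trusts": [("corp", "public")],  # corp trusts public: public accounts reach corp
}


def reachable_forests(start, trusts):
    """Forests whose resources a compromise starting in `start` can reach.
    Assumption from the reply: escalation inside a forest yields the whole
    forest, and every trust edge lets that forest's accounts cross into the
    forest that trusts it. Chains of trusts are followed as if transitive,
    which is the worst case a defender should plan for."""
    reached, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for trusting, trusted in trusts:
            if trusted == src and trusting not in reached:
                reached.add(trusting)
                queue.append(trusting)
    return reached


def exposed_hosts(design, compromised_host):
    """Hosts exposed by a compromise of `compromised_host` under `design`,
    excluding the compromised host itself."""
    start = design["members"][compromised_host]
    reach = reachable_forests(start, design["trusts"])
    return sorted(h for h, f in design["members"].items()
                  if f in reach and h != compromised_host)


if __name__ == "__main__":
    for name, design in [("shared", SHARED_FOREST), ("separate", SEPARATE_FORESTS),
                         ("separate+trust", SEPARATE_WITH_TRUST)]:
        print(name, "kiosk01 compromise exposes:", exposed_hosts(design, "kiosk01"))
```

The third design shows why the separation only holds while no trust is added back: a single corp-trusts-public edge restores the same blast radius as the shared forest.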