Firewall Wizards mailing list archives
Re: Architecture Q - Public access domain integrated pc's
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 May 2004 22:20:03 -0400 (EDT)
On Tue, 18 May 2004, Jeff Boles wrote:
> security and controlling system vulnerabilities. We'd like to integrate into an AD architecture which also supports the core enterprise (non-public users) as well. Public users would be identity-less guest accounts with automatic logon, with passwordless terminal services accounts set up on a per-device basis, and desktop access controlled via the third-party logon product. The need for Active Directory integration is to manage these terminal servers, as well as some non-terminal public systems (updates and patches), with the same management infrastructure in place on the enterprise network (SUS, SMS, etc.).
Someone else will have to answer the specifics, but in general terms, using the same authentication method for untrusted systems as for trusted systems tends to be a bad trust boundary crossover. With AD, it seems to me that there have been significant "once you're in, you're in, and once you escalate you're in _everywhere_" type issues. Surely it's not that much more administrative work to have a separate forest for the public stuff and add duplicate accounts for those things that need them?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul () compuwar net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
TruSecure Corporation