Firewall Wizards mailing list archives

RE: Architecture Q - Public access domain integrated pc's


From: "Jeff B" <bolesjb () yahoo com>
Date: Tue, 18 May 2004 20:05:54 -0700

Hi Paul:

Those are my feelings also, but the difficulty I struggle with is that I
don't believe we can effectively 'architect' the MS management products into
two forests with any effective degree of isolation.  Which is fundamentally
the insane issue I'm trying to address.  I believe MS has effectively
engineered an environment where I either a) must use duplicate instances of
management tools to address a trusted and untrusted segment, or b) open up
enough holes (for authentication to separate forests) that it violates all
significant security boundaries anyhow.

-----Original Message-----
From: Paul D. Robertson [mailto:paul () compuwar net] 
Sent: Tuesday, May 18, 2004 7:20 PM
To: Jeff Boles
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Architecture Q - Public access domain integrated pc's

On Tue, 18 May 2004, Jeff Boles wrote:

> security and controlling system vulnerabilities.  We'd like to
> integrate into an AD architecture which also supports the core
> enterprise (non-public users) as well.  Public users would be
> identity-less guest accounts with automatic logon, with passwordless
> terminal services accounts set up on a per device basis, and desktop
> access controlled via the third party logon product.  The need for
> Active Directory integration is to manage these terminal servers, as
> well as some non-terminal public systems (updates and
> patches) with the same management infrastructure in place on the
> enterprise network (SUS, SMS, etc.).

Someone else will have to answer the specifics, but in general terms, using
the same authentication method for untrusted systems as trusted systems
tends to be a bad trust boundary crossover.  With AD, it seems to me that
there have been significant "once you're in, you're in, and once you escalate
you're in _everywhere_" type issues.  Surely it's not that much more
administrative work to have a separate forest for the public stuff and add
duplicate accounts for those things that need them?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
