Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Subdomain security

from [Devin Ganger] Network Security [Permanent Link]
Subject: RE: Subdomain security
Date: Thu, 16 Dec 2004 11:22:39 -0800 
If you are part of the same forest, you cannot enforce security
boundaries effectively.

The forest is the security boundary in AD, not the domain. The domain is
an administrative and replication boundary.

In order to get all of the intra-forest replciation, trust, and network
traffic correctly working so that your domain is healthy, you have to
open up too many ports and services to the surrounding insecure systems.
They can (and will) then be used as launching points into your secure
network.

Tell your management in no uncertain terms that they can pick one of
two: they secure everything, or they let you deploy a new forest for the
secure domain. They can't have both.

-- 
Devin L. Ganger             Email: deving@3sharp.com
3Sharp LLC                  Phone: 425.882.1032 x 109
15311 NE 90th Street        Cell: 425.239.2575
Redmond, WA  98052          Fax: 425.702.8455

-----Original Message-----
From: Oren Held [mailto:oren@held.org.il] 
Sent: Wednesday, December 15, 2004 3:24 PM
To: focus-ms@securityfocus.com
Subject: Subdomain security

Hello,

I have to install a *secure* windows domain inside an insecure network.
This means that my domain will be behind a firewall ofcourse.

Now, I've got two possibilities for the domain configuration:
Option 1: My domain would actually be a subdomain inside the insecure
forest.
Option 2: Create a totally new forest.

So, surely option #2 is more secure, but the management pushes to
choosing option #1. so.. few questions about option #1:

a. Which ports should be opened by the firewall in order for the
subdomain to function well but be the most secure? Any references?

b. Does an admin (a member of the Enterprise Admin group) from the
root-domain have access to my subdomain? Can I prevent it at all?

c. Do you know any networks that implement option #1 with a firewall and
think they're quite secure from the other domains, or is it a totally
twisted idea?

Thanks a lot people,

 - Oren


------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Subdomain security, Richard_Gardner
Next by Date:  RE: services running in windows domain (winXP clients), Zack Schiel
Previous by Thread:  Re: Subdomain security, Richard_Gardner
Next by Thread:  Re: Subdomain security, Wim_Remes
Indexes:  [Date] [Thread] [Top] [All Lists]