Hi Oren,
First : you have to seperate network configuration from domain setup. As
far as I know (from what I read) your initial domain setup is insecure by
design. You should've created an empty root domain with an active
sub-domain. That would've enabled you to create a new subdomain to the root
domain and it would be secure from your other subdomain. Creating a new
subdomain now doesn't offer any additional security. On the other hand
you're talking 'network security' when you state that your domain would be
behind a firewall. Whatever you implement in means of 'network security'
wouldn't add any security to your domain resources, since all ports needed
for normal W2K(3) operations will need to remain open and enterprise admins
would still be able to 'manage' your resources.
The question you need to answer is what you are trying to secure ? If you
are trying to secure resources like an HR Office inside your company (for
example
a database server, a file & print server and some workstations classified
as HR Controlled systems) I would choose to implement IPSec policies for
these
hosts. If you are trying to provide a secure working environment for some
highly sensitive R&D department there's only one way to go and that is
option #2 with
the firewall (VLAN's or any other way of segmenting your network would work
too).
A final remark : management is management, you got to hit them with the
bare numbers and prove to them that your solutions provide them what they
asked
for within budget and within time. Afaik, they don't care whether you
employ monkeys to secure your network, as long as they don't have to pay
a penny more than what's needed.
(Oh, to create some extra workload ... you could move the resources from
the root-domain to a new sub-domain and then create another new sub-domain
to the
, now empty root domain, which would seperate the two domains and offer you
some higher level of security ...)
Regards,
Wim Remes
MSCE:Security
-----Oren Held <oren@held.org.il> wrote: -----
To: focus-ms@securityfocus.com
From: Oren Held <oren@held.org.il>
Date: 16/12/2004 00h24
Subject: Subdomain security
Hello,
I have to install a *secure* windows domain inside an insecure network.
This means that my domain will be behind a firewall ofcourse.
Now, I've got two possibilities for the domain configuration:
Option 1: My domain would actually be a subdomain inside the insecure
forest.
Option 2: Create a totally new forest.
So, surely option #2 is more secure, but the management pushes to
choosing option #1. so.. few questions about option #1:
a. Which ports should be opened by the firewall in order for the
subdomain to function well but be the most secure? Any references?
b. Does an admin (a member of the Enterprise Admin group) from the
root-domain have access to my subdomain? Can I prevent it at all?
c. Do you know any networks that implement option #1 with a firewall and
think they're quite secure from the other domains, or is it a totally
twisted idea?
Thanks a lot people,
- Oren
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
