Poll: How is your AD structured?

Windows Server 2008 R2 Thread, How do you structure your AD? in Technical
  1. #16

    Posted by aceonbass
    Originally Posted by seawolf:
    What security flaws do you believe there would be? Do you have two separate totally isolated networks as well that staff and students use? If not, then whatever additional security you think you have with using two domains does not really exist. If anything, it would create a false sense of security I fear and lead to security lapses in other areas on the network.
    Well right now, if a student domain admin account was compromised, no changes could be made to the staff domain. If we had a single domain and a domain admin was compromised then they have access to EVERYTHING.

    The networks aren't completely isolated, just different VLANs.


    Edit: Just to clarify, this is a set up the current team has inherited. We're giving everything a big review, and thought we'd put the question out to compare organisations. We expected single forest with multiple domains to be the most popular answer so we've been pleasantly surprised.
    Last edited by aceonbass; 20th August 2013 at 09:03 AM.

  2. #17

    Posted by Ephelyon
    If a student domain admin were compromised, they may be able to do things like reverse trusts with the staff domain, which is a change.

  3. #18

    Posted by seawolf
    Originally Posted by aceonbass:
    Well right now, if a student domain admin account was compromised, no changes could be made to the staff domain. If we had a single domain and a domain admin was compromised then they have access to EVERYTHING.
    You're enduring a lot of administrative pain and overhead to gain what is not a substantial security advantage. If your organisation is like most places, admin usernames and passwords likely follow a pattern (usernames more than passwords). So, if someone has gotten an admin login for one domain they can probably use the same techniques for getting the others. Once you know the username you're halfway there. Passwords can be broken without a great deal of trouble with the right software, time, and access. Compromises are more frequently from social engineering or carelessness though, and if an organisation loses one login that way, the others are likely to fall in the same way shortly afterward.

    If you have extremely robust and obscure usernames and passwords, change passwords frequently, and limit access to them to a very small number of people, the logins for both domains are not known by any single person, personnel are highly trained in security procedures and follow them, etc., then it would heighten your security posture. That's not the case for most organisations though. A simpler, easily managed environment with time spent on security training and ensuring that reasonable and not overly complex security procedures are followed is the way to go for most organisations. I would definitely recommend a single domain for most environments.

    NOTE: I worked for the NSA for eight years (in the 90s) in the business of obtaining and analysing information that the other side was trying to keep secret and secure. Good security is hard and the human element is the weakest link. Having overly complex systems exacerbates any security weaknesses; we took advantage of this all the time.

  4. #19
    Posted by MordyT
    We have separate domains, no trust between them.

    See, for a student to compromise an admin account they would need access to a PC on the Admin domain, which are all in offices that are locked. If we had everything on one domain, a PC in a lab could be used with a compromised account. And there is more; we didn't set it up that way, but this is a result. And yes, we could use GPO to prevent the admin OU from logging into certain PCs if we wanted.

  5. #20

    Thanks all for your responses. It's looking more and more like a huge summer project next year.

    Personally, the temptation to start again with minimal migration is overwhelming - in reality, however....

  6. #21

    Seems I'm the only one that put multi-forest, multi-domain. Granted I don't work for a school, so my requirements are probably a lot different.

    We have a full trust between our forests, which works great. I think your issues with LDAP can be overcome with a few permission changes. As well as having the trust in place, we allow our DCs the credentials to authenticate with each other, e.g. under the security menu for a DC, add the DC from the other forest and select the option "allow to authenticate".

    The forests are split with firewalls, and the relevant holes punched through to allow the DCs to communicate. With this in place we find that our LDAP works perfectly.
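A defender-side check of the setup this post describes, as an added example that is not part of the thread: it reads the forest trust's selective-authentication and SID-filtering flags, then lists who holds the "Allowed to Authenticate" right on a DC's computer object. It assumes the RSAT ActiveDirectory module on a domain-joined host; `staff.example` and `STUDENT-DC01` are placeholders for your own forest and DC names.

```powershell
# Added example (not from the thread). Audits a forest trust and the
# "Allowed to Authenticate" permission on a DC, as a defender would want
# to after the change described in the post.
# 'staff.example' and 'STUDENT-DC01' are placeholders for your own names.
Import-Module ActiveDirectory

$TrustedForest = 'staff.example'    # placeholder: the other forest
$DcName        = 'STUDENT-DC01'     # placeholder: a DC in this forest

# 1. Trust flags. Selective authentication means only principals granted
#    "Allowed to Authenticate" on a resource object can use the trust; SID
#    filtering discards foreign SIDs that do not belong to the trusted forest.
$trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
if (-not $trust) { throw "No trust to $TrustedForest found" }

[pscustomobject]@{
    Trust                   = $trust.Name
    Direction               = $trust.Direction
    ForestTransitive        = $trust.ForestTransitive
    SelectiveAuthentication = $trust.SelectiveAuthentication
    SIDFilteringForestAware = $trust.SIDFilteringForestAware
    SIDFilteringQuarantined = $trust.SIDFilteringQuarantined
} | Format-List

if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Selective authentication is off: any authenticated user in $TrustedForest can reach resources here."
}

# 2. Who holds "Allowed to Authenticate" on the DC's computer object?
#    This is the extended right the post grants to the other forest's DC;
#    the GUID is the well-known Allowed-To-Authenticate control access right.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$dc  = Get-ADComputer -Identity $DcName
$acl = Get-Acl -Path "AD:\$($dc.DistinguishedName)"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $AllowedToAuthenticate
    } |
    Select-Object IdentityReference, IsInherited |
    Format-Table -AutoSize
```

Run it against each DC that the other forest's DCs are allowed to authenticate to; any identity in the second table you do not recognise is worth investigating.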

  7. #22
    Posted by nicholab
    The problem is information demarcation: what happens when admin staff need to access the same information as teaching staff, or vice versa?

  8. #23

    Having multiple domains, and even multiple forests, shouldn't prevent the sharing of data. This is what the trusts should help resolve.

    Granted in a school setup, a single domain approach might be preferred.

  9. #24

    Extremely delayed reply, but thanks again for all the responses. As per a previous post, I've been very surprised by the number of votes for single domain (expecting multiple domains in a single forest). It's now clear which way I'd like to take the network forward, but as I'm neither the overall manager nor the network admin, this decision does not rest with me...
