Windows Server 2008 R2 Thread, How do you structure your AD? in Technical; Originally Posted by seawolf
What security flaws do you believe there would be? Do you have two separate totally isolated ...
20th August 2013, 09:59 AM #16
Well right now, if a student domain admin account was compromised, no changes could be made to the staff domain. If we had a single domain and a domain admin was compromised then they would have access to EVERYTHING.
Originally Posted by seawolf
The networks aren't completely isolated, just different VLANs.
Edit: Just to clarify, this is a setup the current team has inherited. We're giving everything a big review, and thought we'd put the question out to compare organisations. We expected single forest with multiple domains to be the most popular answer, so we've been pleasantly surprised.
Last edited by aceonbass; 20th August 2013 at 10:03 AM.
20th August 2013, 10:04 AM #17
If a student domain admin were compromised, they may be able to do things like reverse trusts with the staff domain, which is a change.
20th August 2013, 10:53 AM #18
You're enduring a lot of administrative pain and overhead to gain what is not a substantial security advantage. If your organisation is like most places admin usernames and passwords likely follow a pattern (usernames more than passwords). So, if someone has gotten an admin login for one domain they can probably use the same techniques for getting the others. Once you know the username you're halfway there. Passwords can be broken without a great deal of trouble with the right software, time, and access. Compromises are more frequently from social engineering or carelessness though, and if an organisation loses one login that way, the others are likely to fall in the same way shortly afterward.
Originally Posted by aceonbass
If you have extremely robust and obscure usernames and passwords, change passwords frequently, limit access to them to a very small number of people, ensure the logins for both domains are not known by any single person, have personnel who are highly trained in security procedures and follow them, etc., then it would heighten your security posture. That's not the case for most organisations though. A simpler, easily managed environment with time spent on security training and ensuring that reasonable and not overly complex security procedures are followed is the way to go for most organisations. I would definitely recommend a single domain for most environments.
NOTE: I worked for the NSA for eight years (in the 90s) in the business of obtaining and analysing information that the other side was trying to keep secret and secure. Good security is hard and the human element is the weakest link. Having overly complex systems exacerbates any security weaknesses; we took advantage of this all the time.
20th August 2013, 01:53 PM #19
We have separate domains, no trust between them.
See, for a student to compromise an admin account they would need access to a PC on the admin domain, which are all in offices that are locked. If we had everything on one domain, a PC in a lab could be used with a compromised account. And there is more; we didn't set it up that way, but this is the result. And yes, we could use GPO to prevent the admin OU from logging into certain PCs if we wanted.
21st August 2013, 03:52 PM #20
Thanks all for your responses. It's looking more and more like a huge summer project next year.
Personally, the temptation to start again with minimal migration is overwhelming - in reality, however....
22nd August 2013, 02:22 PM #21
Seems I'm the only one that put multi forest multi domain. Granted I don't work for a school, so my requirements are probably a lot different.
We have a full trust between our forests, which works great. I think your issues with LDAP can be overcome with a few permission changes. As well as having the trust in place, we allow our DCs the credentials to authenticate with each other, e.g. under the security menu for a DC, add the DC from the other forest and select the option "allow to authenticate".
The forests are split with firewalls, and the relevant holes punched through to allow the DCs to communicate. With this in place we find that our LDAP works perfectly.
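The post above relies on a forest trust plus per-DC "allow to authenticate" permissions, and the earlier reply (#17) warns that a compromised admin in one domain could alter trusts. The following is an added example, not code from anyone in this thread, showing how a defender can audit the trusts of the current domain with the RSAT ActiveDirectory module and flag the settings that decide how far a compromise on one side can reach: SID filtering, selective authentication (the mode in which a per-object "Allowed to authenticate" permission actually takes effect), transitivity and direction. The function name `Get-TrustRiskReport` and the risk wording are my own; it assumes read access to the domain from a machine with the module installed.

```powershell
# Added example (not from the thread): audit Active Directory trusts and flag
# settings that widen the blast radius of a compromised admin account.
# Assumes the RSAT ActiveDirectory module and read rights on the domain.
Import-Module ActiveDirectory

function Get-TrustRiskReport {
    param(
        [string]$Server   # optional DC to query; defaults to the local domain
    )
    $params = @{ Filter = '*' }
    if ($Server) { $params['Server'] = $Server }

    foreach ($t in Get-ADTrust @params) {
        $findings = @()

        if ($t.IntraForest) {
            # Parent/child trusts inside one forest cannot be SID-filtered or
            # made selective: a domain admin in any domain can reach the forest.
            $findings += 'intra-forest trust: no security boundary between domains'
        }
        else {
            # Without SID filtering, SID history from the other side is honoured,
            # so a foreign admin can present SIDs of privileged groups here.
            if ($t.ForestTransitive -and -not $t.SIDFilteringForestAware) {
                $findings += 'SID filtering (forest-aware) disabled'
            }
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) disabled on external trust'
            }
            # Without selective authentication, every principal in the trusted
            # forest is Authenticated Users on every resource in this forest,
            # and the per-computer "Allowed to authenticate" right is ignored.
            if (-not $t.SelectiveAuthentication) {
                $findings += 'selective authentication off (forest-wide authentication)'
            }
        }
        if ($t.Direction -eq 'BiDirectional') {
            $findings += 'two-way trust: compromise can propagate in both directions'
        }

        [pscustomobject]@{
            Trust                   = $t.Name
            Direction               = $t.Direction
            IntraForest             = $t.IntraForest
            ForestTransitive        = $t.ForestTransitive
            SIDFilteringForestAware = $t.SIDFilteringForestAware
            SIDFilteringQuarantined = $t.SIDFilteringQuarantined
            SelectiveAuthentication = $t.SelectiveAuthentication
            Findings                = ($findings -join '; ')
        }
    }
}

# Usage: run on a domain-joined admin workstation or DC.
Get-TrustRiskReport | Format-Table -AutoSize
```

Run it from both sides of a forest trust, since each forest stores its own copy of the trust object and the settings (for example whether filtering is enabled) are set per side. Any row whose Findings column is non-empty deserves a deliberate decision rather than an inherited default; the firewall rules between the forests limit which ports the DCs can talk on, but they do not change what a trust authorises once the traffic is allowed through.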
22nd August 2013, 04:16 PM #22
The problem is information demarcation: what happens when admin staff need to access the same information as teaching staff, or vice versa?
22nd August 2013, 04:27 PM #23
Having multiple domains, and even multiple forests, shouldn't prevent the sharing of data. This is what the trusts should help resolve.
Granted in a school setup, a single domain approach might be preferred.
19th November 2013, 04:45 PM #24
Extremely delayed reply, but thanks again for all the responses. As per a previous post, I've been very surprised by the number of votes for single domain (I was expecting multiple domains in a single forest). It's now clear which way I'd like to take the network forward, but as I'm neither the overall manager nor the network admin, this decision does not rest with me...