
security in AD

Posted by ucan on June 22, 2005, 5:38 am
The company that I work for has a Windows 2003 domain and a second
Windows 2000 domain for our HR department. We have recently merged all
other domains into the 2003 domain and now I am being asked how safe is
it to add the HR\Payroll department to the 2003 domain. Are the risks
any greater than if we have a trust with the domain already?

I see it as HR in its own OU and the HR app server being in an OU that
only HR accesses, with Group Policy preventing access to all others?

Any ideas or recommendations?



Posted by Roger Abell on June 22, 2005, 6:53 am
It really depends on the quality of system config and management practices.
Separate domains do not gain much in terms of isolation for sake of
security, but do some, if they are in one forest. If separate forests, as
you do not state but seem to imply with the trust mention, the gain can be
much more pronounced. However, if the trust is abused and allowed
to let more than the needed minimum articulate between the domains
then the gain can be (partly) lost. In the face of a skilled crack attempt,
if control is obtained of any DC in a forest, then there really is in theory
nothing that can be secured from the crack anywhere in the forest. If on
the other hand, things have to travel over a trust to a different forest, it
much depends on how that trust is defined to be used whether the other
forest is lost or insulated.

--
Roger Abell
Microsoft MVP (Windows Security)

> The company that I work for has a Windows 2003 domain and a second
> Windows 2000 domain for our HR department. We have recently merged all
> other domains into the 2003 domain and now I am being asked how safe is
> it to add the HR\Payroll department to the 2003 domain. Are the risks
> any greater than if we have a trust with the domain already?
>
> I see it as HR in its own OU and the HR app server being in an OU that
> only HR accesses, with Group Policy preventing access to all others?
>
> Any ideas or recommendations?
>
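
Added example, not part of any poster's reply: a short Python check of how a trust "is defined to be used", decoding the `trustDirection` and `trustAttributes` values stored on an AD `trustedDomain` object. The flag values follow Microsoft's MS-ADTS specification; the domain names, the `Trust` class and the `review` function are constructed for illustration.

```python
from dataclasses import dataclass

# trustAttributes bit flags (MS-ADTS)
QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) on an external trust
FOREST_TRANSITIVE  = 0x08   # cross-forest (forest) trust
CROSS_ORGANIZATION = 0x10   # selective authentication enabled
WITHIN_FOREST      = 0x20   # partner is a domain in the same forest
TREAT_AS_EXTERNAL  = 0x40   # forest trust with relaxed SID filtering

BIDIRECTIONAL = 3           # trustDirection: 1 inbound, 2 outbound, 3 both


@dataclass
class Trust:
    partner: str     # name of the partner domain (constructed sample values)
    direction: int   # trustDirection attribute
    attributes: int  # trustAttributes attribute


def review(t: Trust) -> list[str]:
    """Return findings for one trust; an empty list means nothing flagged."""
    a = t.attributes
    if a & WITHIN_FOREST:
        # Same forest: the trust offers no isolation to tighten.
        return ["intra-forest: same forest, not a security boundary"]
    findings = []
    if t.direction == BIDIRECTIONAL:
        findings.append("two-way: confirm both directions are needed")
    if a & FOREST_TRANSITIVE:
        if a & TREAT_AS_EXTERNAL:
            findings.append("forest trust with relaxed SID filtering")
    elif not a & QUARANTINED_DOMAIN:
        findings.append("external trust without SID filtering")
    if not a & CROSS_ORGANIZATION:
        findings.append("domain-wide authentication (no selective authentication)")
    return findings


if __name__ == "__main__":
    samples = [  # constructed records, not taken from the thread
        Trust("child.corp.example.test", 3, WITHIN_FOREST),
        Trust("hr.example.test", 3, 0),
        Trust("hr.example.test", 2, QUARANTINED_DOMAIN | CROSS_ORGANIZATION),
    ]
    for s in samples:
        print(s.partner, hex(s.attributes), review(s) or ["no findings"])
```
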




Posted by Steven L Umbach on June 23, 2005, 11:04 pm
As Roger already stated, it depends on if you are in separate forests or not.
Just to add that office politics can be a major factor in the decision if
you are in separate forests, so be sure to check with all those higher ups
involved before you make a change. If you are in separate forests, the move
to one forest would make the use of IPsec much easier if that is a concern,
as Kerberos cannot be used for external trusts to a Windows 2000 domain
from a Windows 2003 domain.

--- Steve


> The company that I work for has a Windows 2003 domain and a second
> Windows 2000 domain for our HR department. We have recently merged all
> other domains into the 2003 domain and now I am being asked how safe is
> it to add the HR\Payroll department to the 2003 domain. Are the risks
> any greater than if we have a trust with the domain already?
>
> I see it as HR in its own OU and the HR app server being in an OU that
> only HR accesses, with Group Policy preventing access to all others?
>
> Any ideas or recommendations?
>



