List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Security boundary in a two domain, two-way trust scenario
Author: Thomas Vuylsteke
Date: 06/10/2010 9:28 PM

Hey all,

I know of a setup where there is a domain for a firm which hosts the firm's users, application servers and their ISA server.
So after publishing apps by ISA, the internal users can access the apps.

Now add a two-way trust with a separate forest (single domain) which holds user accounts of "partner-firms". By using ISA + Kerberos Constrained Delegation (KCD) they allow those users on their apps.

Now I'm wondering: is there any security benefit to having those users in a separate AD? Why not house them in the internal AD? In my opinion (I might be wrong), because of the trust, they appear as authenticated users and can do almost as much as a "native" user in the domain. Or am I seeing things wrong here?

Perhaps one benefit could be the "selective authentication" which could be potentially enabled on the trust to limit access to only the App servers. But the stuff from the directory could still be read I think (like usernames & properties).

I suppose the "allow logon to" setting (User-Workstations attribute: http://msdn.microsoft.com/en-us/library/ms680868(VS.85).aspx) only prevents users from logging on locally on machines other than the specified ones. But I guess network logons are still possible. Right?

Any thoughts are appreciated.

Kind regards,
Thomas Vuylsteke
http://setspn.blogpost.com

Copyright 2009 ActiveDir.org