Focus on Microsoft
RE: Active Directory network security Nov 13 2002 11:31PM
Dozal, Tim (tdozal cisco com)
You might try having a master domain with a series of OUs inside that
domain. Those OUs could be set with their own varying levels of
security but are ultimately governed and can be controlled by the top
level administrative policies. This would allow the top level AD domain
to be in control while your former NT domains would now be represented
by OUs that the former local administrators would be able to set policy
for but not impact the upper level domain. Just a thought.

-Tim

-----Original Message-----
From: RGN [mailto:norman.r (at) btclick (dot) com]
Sent: Tuesday, November 05, 2002 6:01 AM
To: focus-ms (at) securityfocus (dot) com
Subject: Active Directory network security

Hello, all

I am currently involved in a migration project where a number of NT4
domains are to be migrated into an enterprise-wide Active Directory
forest comprising numerous domains. There is no 'IT Department' which
has jurisdiction over all the domains so a huge variation of security
standards is experienced.

To counter the risks posed by the less secure areas, the organisation
I work for has placed firewalls at our interfaces with the other
sections of the enterprise. These firewalls will have to be weakened
or removed completely to facilitate the proposed migration and I am
concerned that this may open the network up to security problems
experienced in the areas with less emphasis on security.

Does anyone have any experience of such a situation? Is it as bad as
I fear, or is Microsoft A/D secure? Are there any documented cases of
this type of migration going wrong due to security being overlooked?

For example, could a compromised workstation in a remote site affect
the workstations or servers in another domain? If so, what can be
done to limit the exposure?

Are there any other things to avoid or to be aware of?

Any help will be gratefully received.

Thanks

Regards
Richard
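
The layout suggested in the reply above (one domain, one OU per former NT4 domain, former local administrators delegated at OU level under an enforced top-level policy), sketched as an added example that is not part of the original thread. It assumes the present-day ActiveDirectory and GroupPolicy PowerShell modules plus dsacls; the domain, OU, group and GPO names are hypothetical.

```powershell
# Added example; every name below (corp.example, OUs, groups, GPOs) is hypothetical.
Import-Module ActiveDirectory, GroupPolicy

$domainDN  = 'DC=corp,DC=example'
$netbios   = 'CORP'
$formerNT4 = 'Sales', 'Engineering', 'Finance'   # one OU per former NT4 domain

# Top-level baseline: linked at the domain root and Enforced, so GPOs linked
# at an OU cannot override it and Block Inheritance on an OU does not stop it.
$baseline = 'Enterprise Security Baseline'
if (-not (Get-GPO -Name $baseline -ErrorAction SilentlyContinue)) {
    New-GPO -Name $baseline | Out-Null
    New-GPLink -Name $baseline -Target $domainDN -Enforced Yes -LinkEnabled Yes | Out-Null
}

foreach ($name in $formerNT4) {
    $ouDN  = "OU=$name,$domainDN"
    $group = "$name-OU-Admins"

    # OU that stands in for the former NT4 domain
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }

    # Group for the former local administrators, kept inside their own OU
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope DomainLocal `
                    -GroupCategory Security -Path $ouDN
    }

    # Full control over this OU and its child objects only (/I:T); no rights
    # are granted on the domain root or on sibling OUs.
    dsacls $ouDN /I:T /G "$netbios\${group}:GA" | Out-Null

    # An OU-level GPO the local administrators can edit themselves
    $localGpo = "$name Local Policy"
    if (-not (Get-GPO -Name $localGpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $localGpo | New-GPLink -Target $ouDN | Out-Null
    }
    Set-GPPermission -Name $localGpo -TargetName $group -TargetType Group `
                     -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Review: the baseline should be listed with Enforced = True at the domain root
Get-GPInheritance -Target $domainDN | Select-Object -ExpandProperty GpoLinks
```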
