Focus on Microsoft
customer user accounts and internal user accounts on same domain Jan 26 2009 08:02PM
Stegman, Bill (Bill Stegman crump com) (5 replies)
Re: customer user accounts and internal user accounts on same domain Jan 29 2009 12:31PM
Kevin Tunison (ktunison gmail com) (1 replies)
Re: customer user accounts and internal user accounts on same domain Feb 04 2009 03:17PM
pryorda pryor (pryordasspam gmail com)
R: customer user accounts and internal user accounts on same domain Jan 28 2009 07:12PM
Vega - Brunello Ivan (I Brunello vegaspa it)
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 10:56AM
James D. Stallard (james leafgrove com)
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 09:45AM
Davies, Alan (GE Money) (AlanJ Davies ge com) (1 replies)
Among many other reasons, having them in the same domain context as you
means they are part of your "Domain Users" which gives them full read access
to all of your AD and access to any "public" areas on file servers, etc. you
may have.

It depends how much management care, but I wouldn't want an external company
knowing exactly how our AD was planned out, how our sites were set up, what
our DNS looked like, where our "crown jewels" were, how we assigned security
permissions, etc. And that's assuming you're actually perfect and don't
make any permissioning mistakes! In case you're not perfect .. access to
confidential/DPA relevant data, etc. would be a definite issue - especially
outside the USA. Could well land you with a regulatory fine if you haven't
shown due diligence and allow protected data to leak out of your company.

alan

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Stegman, Bill
Sent: 26 January 2009 20:03
To: focus-ms (at) securityfocus (dot) com
Subject: customer user accounts and internal user accounts on same domain

Hi, I'm trying to dissuade management from allowing user accounts to be
created on the same domain as our company users for what I feel are obvious
reasons, but when pressed for specific issues I'm at a bit of a loss. I
cited reasons such as:

- A clear demarc between customer accounts and our own accounts
- Not giving any unnecessary rights due to inheritance, but rather
  having to apply the appropriate permissions rather than remove
  permissions to attain the desired result

They want to extend a service we offer to our internal employees to a
partner. I suggested creating an extranet and using accounts from a
separate domain rather than our own, but there is additional overhead
imposed by such a design...duh...but I'm hoping to throw out an established
standard or something to help my argument.

Thank you,

Bill Stegman
MCSE 2003, CCNP, CCSP, CCIP, INFOSEC, MCTS:Vista
Network Engineer
Crump Life Insurance Services
4250 Crums Mill Rd
Harrisburg, PA 17112
Phone: 717.657.0789 Ext. 4202
Fax: 717.703.4947

CONFIDENTIALITY NOTICE: This message is intended to be viewed only by the
listed recipient(s).
It may contain information that is privileged, confidential and/or exempt
from disclosure under applicable law. Any dissemination, distribution or
copying of this message is strictly prohibited without our prior written
permission. If you are not an intended recipient, or if you have received
this communication in error, please notify us immediately by return e-mail
and permanently remove the original message and any copies from your
computer and all back-up systems.
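
The point above about "Domain Users" and "public" areas on file servers can be measured before customer accounts are added to the domain. The PowerShell script below is an added example, not part of the original thread: it lists folder ACL entries that grant access to groups every domain account holds by default. The share paths are hypothetical placeholders, and it assumes PowerShell 3.0 or later and an account permitted to read the ACLs.

```powershell
# Added example, not from the thread. Share roots are hypothetical placeholders.
$Roots = @('\\fileserver01\Public', '\\fileserver01\Departments')

# Well-known SIDs of groups that any domain account is a member of by default.
$BroadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users (contains Domain Users on domain members)
)
$DomainUsersRid = '-513'   # Domain Users is always <domain SID>-513

function Test-BroadPrincipal {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $false   # orphaned or unresolvable ACE: not a broad group
    }
    return ($BroadSids -contains $sid) -or
           ($sid -like 'S-1-5-21-*' -and $sid.EndsWith($DomainUsersRid))
}

function Get-BroadAccess {
    param([string[]]$Path)
    foreach ($root in $Path) {
        # Share root plus first-level folders; full recursion is slow on large shares.
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (Test-BroadPrincipal $ace.IdentityReference)) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Get-BroadAccess -Path $Roots | Sort-Object Path | Format-Table -AutoSize
```

Every row in the output is a location a customer account would be able to reach the moment it is created in the same domain, with no explicit grant.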