Focus on Microsoft
customer user accounts and internal user accounts on same domain Jan 26 2009 08:02PM
Stegman, Bill (Bill Stegman crump com) (5 replies)
Re: customer user accounts and internal user accounts on same domain Jan 29 2009 12:31PM
Kevin Tunison (ktunison gmail com) (1 replies)
Re: customer user accounts and internal user accounts on same domain Feb 04 2009 03:17PM
pryorda pryor (pryordasspam gmail com)
This is what I would do personally... I would create a guest domain
that's like guest.yourdomain.com.... Then I would alias
'username@yourdomain.com' to username@guest.yourdomain.com. This is
if I am understanding you correctly

On Thu, Jan 29, 2009 at 5:31 AM, Kevin Tunison <ktunison (at) gmail (dot) com> wrote:
> On Mon, Jan 26, 2009 at 8:02 PM, Stegman, Bill <Bill.Stegman (at) crump (dot) com> wrote:
>> Hi, I'm trying to dissuade management from allowing user accounts to be created on the same domain as our company users for what I feel are obvious reasons, but when pressed for specific issues I'm at a bit of a loss. I cited reasons such as:
>> A clear demarc between customer accounts and our own accounts
>> Not giving any unnecessary rights due to inheritance, but rather having to apply the appropriate permissions rather than remove permissions to attain the desired result
>>
>> They want to extend a service we offer to our internal employees to a partner. I suggested creating an extranet and using accounts from a separate domain rather than our own, but there is additional overhead imposed by such a design... duh... but I'm hoping to throw out an established standard or something to help my argument.
>>
>
> The partner, if on a 2003 domain also, you can both upgrade your DCs
> to 2003 R2 and utilize Federated Services. It exists for this
> specific reason (allowing a semi-trusted domain/partner access to
> selected resources). The whitepaper from MS is here:
> http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx
>
> Specific reasons?
>
> Amount of time to run and verify a security audit in the event of a data breach.
>
> Amount of time to set up individual VPNs for each of their users
> (allowing a partner-connection without knowing who is on the other end
> leaves no specific liability, they could easily hire hacker Joe and
> not realize until the damage is done) on top of creating specific user
> accounts. I often hear the argument, we'll just give them their own
> logins.. which quickly becomes shared login details in reality because
> it's remembering more than one login.
>
> Once ADFS is set up, it's no longer taking the time to create a new
> domain account (which potentially costs CALs btw), but to grant
> access.
>
> Warm Regards,
>
> Kevin Tunison MCSA, MCTS:SQL 2005
> http://www.getbusinessconfident.com
>

R: customer user accounts and internal user accounts on same domain Jan 28 2009 07:12PM
Vega - Brunello Ivan (I Brunello vegaspa it)
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 10:56AM
James D. Stallard (james leafgrove com)
RE: customer user accounts and internal user accounts on same domain Jan 28 2009 09:45AM
Davies, Alan (GE Money) (AlanJ Davies ge com) (1 replies)


 
