On Mon, Jan 26, 2009 at 8:02 PM, Stegman, Bill <[email protected]> wrote:
> Hi, I'm trying to dissuade management from allowing user accounts to be
> created on the same domain as our company users for what I feel are obvious
> reasons, but when pressed for specific issues I'm at a bit of a loss. I
> cited reasons such as:
> A clear demarc between customer accounts and our own accounts
> Not giving any unnecessary rights due to inheritance, but rather having to
> apply the appropriate permissions rather than remove permissions to attain
> the desired result
>
> They want to extend a service we offer to our internal employees to a
> partner. I suggested creating an extranet and using accounts from a separate
> domain rather than our own, but there is additional overhead imposed by such
> a design... duh... but I'm hoping to throw out an established standard or
> something to help my argument.
>
If the partner is also on a 2003 domain, you can both upgrade your DCs to 2003 R2 and utilize Federation Services (ADFS). It exists for this specific reason (allowing a semi-trusted domain/partner access to selected resources). The whitepaper from MS is here:
http://www.microsoft.com/windowsserver2003/r2/identity_management/adfswhitepaper.mspx

Specific reasons? The amount of time to run and verify a security audit in the event of a data breach. The amount of time to set up individual VPNs for each of their users (allowing a partner connection without knowing who is on the other end leaves no specific liability; they could easily hire hacker Joe and not realize until the damage is done) on top of creating specific user accounts. I often hear the argument "we'll just give them their own logins", which quickly becomes shared login details in reality because it's remembering more than one login. Once ADFS is set up, it's no longer a matter of taking the time to create a new domain account (which potentially costs CALs, btw), but of granting access.

Warm Regards,
Kevin Tunison
MCSA, MCTS:SQL 2005
http://www.getbusinessconfident.com
