Re: [ActiveDir] Extranet's
I'd think a single domain forest is plenty for an extranet solution. My current employer runs an extranet (so to speak) of over 1 machines in a single domain environment.

Roger

On Sun, Oct 24, 2004 at 08:57:06PM -0400, [EMAIL PROTECTED] wrote:
> We are looking at redesigning our extranet and are considering a separate forest for the extranet users and eventually most of the resources needed for the extranet will be put into that forest. My thinking is that since a domain isn't a true security boundary and it really won't cost us more to bring up a forest vs. domain why not go with a separate forest. The users in the extranet forest won't necessarily need access to the internal systems but some of the machines will need to talk to internal servers so I assume at some point we will need a trust relationship. My question is simply what am I missing and has anyone done similar setups?
>
> Holland + Knight
>
> Travis Abrams MCSE, GCIH
> Systems Engineer
> Holland & Knight LLP
>
> NOTICE: This e-mail is from a law firm, Holland & Knight LLP ("H&K"), and is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else. If you are not an existing client of H&K, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to H&K in reply that you expect it to hold in confidence. If you properly received this e-mail as a client, co-counsel or retained expert of H&K, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality.
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Extranet's
Thanks to everyone for the feedback. The tip on selective authentication is very interesting. I still plan to use the forest concept but I do appreciate the ideas.

Holland + Knight

Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP
RE: [ActiveDir] Extranet's
I have found TS to be quite useful for external access to internal resources. Yes, a pain to set up at times, etc., and we are not using it for anything complex, but I have created specific usernames and passwords for specific actions / access to specific resources. Under the Environment tab I tick "Start the following program at logon" and enter the relevant details. When the account is used only the application loads and you get no desktop. As soon as the application is closed the TS session terminates. Maybe not the best way to do things, but for our purposes it keeps users without a desktop and gives them access only to the application required.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, 26 October 2004 1:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's
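The per-account "Start the following program at logon" setting Rodney describes is stored in the user's Terminal Services profile (the TerminalServicesInitialProgram property of the IADsTSUserEx ADSI extension). The script below is an added example, not code from the thread or from any of the posters: it walks an OU and reports which accounts are allowed a TS logon but have no initial program set, i.e. the accounts that would land on a full desktop. The OU path is a placeholder, and it assumes a domain-joined host where the Terminal Services ADSI extension is registered.

```powershell
# Added example: audit Terminal Services initial-program settings for accounts in an OU.
# Accounts that allow TS logon but have no initial program get a full desktop at logon.
# Assumptions: placeholder OU path; IADsTSUserEx extension available on this host.

$ouPath = "LDAP://OU=Extranet Users,DC=example,DC=com"   # placeholder, not from the thread

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$ouPath
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

function Get-TsInitialProgramReport {
    $report = foreach ($result in $searcher.FindAll()) {
        $user = $result.GetDirectoryEntry()
        try {
            # IADsTSUserEx properties are reached through InvokeGet on the underlying ADSI object
            $allowLogon     = [bool][int]$user.psbase.InvokeGet("AllowLogon")
            $initialProgram = [string]$user.psbase.InvokeGet("TerminalServicesInitialProgram")
            $workDir        = [string]$user.psbase.InvokeGet("TerminalServicesWorkDirectory")
        } catch {
            # No userParameters blob yet, or the TS extension is not installed here:
            # treat as the default, which is TS logon allowed with no initial program.
            $allowLogon = $true; $initialProgram = ""; $workDir = ""
        }
        [pscustomobject]@{
            Account        = [string]$user.sAMAccountName.Value
            TSLogonAllowed = $allowLogon
            InitialProgram = $initialProgram
            WorkDirectory  = $workDir
            # The case to review: a TS-enabled account that is not pinned to one application
            FullDesktop    = ($allowLogon -and [string]::IsNullOrEmpty($initialProgram))
        }
    }
    return $report
}

Get-TsInitialProgramReport | Sort-Object FullDesktop -Descending | Format-Table -AutoSize
```

The report only shows what the user object asks for; a server-side policy or connection setting can override the per-user initial program, so the same check on the terminal server's configuration is worth pairing with it. It also does not change Phil's objection above: an application-only session is still an interactive logon to a host in the internal forest.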
RE: [ActiveDir] Extranet's
Good points, although for giving external users access to internal resources I think Terminal Services is a bad idea if you are concerned enough about security to be looking into a separate forest for your Extranet. Citrix has much more flexibility for giving access to internal resources in a setup like this by using published applications and not a published desktop. This allows you to lock the user down much better and limit them to only being able to run the application and never getting to see a desktop. Still not as secure as not having them login to your internal forest, but better than TS that gives a user a full desktop.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Monday, October 25, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's
RE: [ActiveDir] Extranet's
Here are some sources to reference in your design process.

http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Plat_4.mspx

Couple of points to raise:

1. To support this infrastructure you will require DNS and additional hardware. Make sure you provision accordingly.
2. You need to decide if there needs to be TRUST involved. Make sure you plan for IPSEC to make the trust more secure.
3. You should monitor the extranet for availability, and also audit it heavily and use restrictive security policies to enforce compliance.
4. If your goal is to give external users access to internal applications, you might investigate Terminal Services and user accounts with more restrictive settings.
5. If you only need an LDAP for authentication, look into using ADAM and third party SSOs. Less infrastructure requirements.
6. Remember to patch, patch, patch.

Good Luck....

Todd

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 12:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's
RE: [ActiveDir] Extranet's
yep, done it several times this way - at least for the users. Depending on how your machines need to talk to the internal servers, you might not even need to set up a trust. But if you don't get around it, you could still limit its reach using selective authentication.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 2:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extranet's
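Todd's point about deciding whether a trust is needed at all, and Guido's point about limiting the trust's reach with selective authentication, both come down to one check: how far can an extranet-forest account authenticate into the internal forest once the trust exists? The script below is an added example, written for this page and not code from any of the posters or from Microsoft; it uses the ActiveDirectory PowerShell module (Get-ADTrust, Get-ADComputer, the AD: drive), which postdates the 2004 thread. The forest and domain names are placeholders. With selective authentication on, a computer in the trusting forest only accepts logons from the trusted forest if its object grants the "Allowed to Authenticate" extended right (rightsGuid 68b1d179-0d15-4d4f-ab71-46152e79a7bc) to an extranet principal, so the second half lists exactly those grants.

```powershell
# Added example: audit the reach of a trust from the internal forest to an extranet forest.
# Assumptions: ActiveDirectory module present, the trust already exists, names are placeholders.
Import-Module ActiveDirectory

$extranetForest = "extranet.example.com"   # placeholder, the trusted side
$internalDomain = "corp.example.com"       # placeholder, the trusting side

function Get-ExtranetTrustSummary {
    # 1. Trust attributes that decide how far the trust reaches.
    $trust = Get-ADTrust -Filter "Name -eq '$extranetForest'" -Server $internalDomain
    if (-not $trust) { throw "No trust to $extranetForest found on $internalDomain" }

    if (-not $trust.SelectiveAuthentication) {
        # Forest-wide authentication: every extranet account can authenticate to every
        # internal host, and only each host's own ACLs stand in the way.
        Write-Warning ("Trust to {0} uses forest-wide authentication. Restrict it with: " +
            "netdom trust {1} /domain:{0} /SelectiveAuth:yes") -f $extranetForest, $internalDomain
    }
    $trust | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
        SIDFilteringForestAware, SIDFilteringQuarantined, TGTDelegation
}

function Get-AllowedToAuthenticateGrants {
    # 2. Computers that explicitly grant 'Allowed to Authenticate' to extranet principals.
    $allowedToAuth = [guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc"
    $extranetSidPrefix = (Get-ADDomain -Server $extranetForest).DomainSID.Value

    Get-ADComputer -Filter * -Server $internalDomain | ForEach-Object {
        $computer = $_
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.ObjectType -ne $allowedToAuth -or $ace.AccessControlType -ne 'Allow') { continue }
            $sid = $null
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                # Grantee no longer resolvable (deleted or unreachable); report it anyway below
                $sid = $ace.IdentityReference.Value
            }
            # Keep only grantees whose SID belongs to the extranet domain
            if ($sid -and $sid.StartsWith($extranetSidPrefix)) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Grantee   = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-ExtranetTrustSummary | Format-List
Get-AllowedToAuthenticateGrants | Sort-Object Computer | Format-Table -AutoSize
```

The second list is the one to keep short: every entry is an internal host that an extranet user can log on to, and an inherited grant on an OU quietly extends that to every computer beneath it. Running both functions after each change to the trust or the OU ACLs gives a concrete record of what "limit its reach" currently means.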