If I am not mistaken, you can set up any account to require smart card
authentication. So you could require smartcards for admin accounts but
not normal users. This should not require any special forest/domain
configurations.
Dennis
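As an added example (not part of Dennis's reply or anything else in this thread), this is how the per-account requirement he describes can be audited and applied today with the ActiveDirectory PowerShell module: it flattens the membership of privileged groups and reports, then optionally sets, the "Smart card is required for interactive logon" flag (userAccountControl bit 0x40000). The list of privileged groups is an assumption to adjust for your own forest.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory
# module (RSAT) and rights to read and modify the target accounts.
Import-Module ActiveDirectory

# Privileged groups to audit (assumed list; adapt to your own tiering model).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

# userAccountControl bit for "Smart card is required for interactive logon".
$SMARTCARD_REQUIRED = 0x40000

function Get-PrivilegedUsersWithoutSmartcard {
    param([string[]]$Groups = $PrivilegedGroups)
    $seen = @{}
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups so indirectly privileged accounts are caught too.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' -and -not $seen.ContainsKey($_.distinguishedName) } |
            ForEach-Object {
                $seen[$_.distinguishedName] = $true
                $u = Get-ADUser -Identity $_.distinguishedName -Properties userAccountControl, Enabled
                if (($u.userAccountControl -band $SMARTCARD_REQUIRED) -eq 0) {
                    [pscustomobject]@{
                        SamAccountName = $u.SamAccountName
                        Enabled        = $u.Enabled
                        ViaGroup       = $g
                    }
                }
            }
    }
}

function Set-SmartcardRequired {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        # The flag governs interactive logon only; exclude service accounts and
        # scheduled-task identities from the list before enforcing it.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Require smart card for interactive logon')) {
            Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
        }
    }
}

# Report first; enforce only after reviewing the list (drop -WhatIf to apply).
$missing = Get-PrivilegedUsersWithoutSmartcard
$missing | Format-Table -AutoSize
$missing | Set-SmartcardRequired -WhatIf
```

Because the flag is per account rather than per action, it answers Dennis's point (admins yes, ordinary users no) but not Nick's wish to gate individual admin actions such as launching an MMC.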
-----Original Message-----
From: Nick Owen [mailto:nickowen_at_mindspring.com]
Sent: Thursday, March 03, 2005 7:39 PM
To: security-basics_at_securityfocus.com
Cc: Depp, Dennis M.; 'Leon North'
Subject: Separating authentication and authorization for admins was: RE: AD across both DMZ & LAN
Seeing this post reminded me of a question I was noodling:
Would it be possible to require strong authentication for any
administrators and/or admin actions (such as running an MMC) on the
LAN/WAN, but not require two-factor for non-admin logins?
One thought that I had (or google had) was to configure multiple forests
or domains. One had only users and one had only admins. Then could you
configure trusts and GPOs in such a way that admin actions were proxied
through ISA and routed via radius to a strong authentication server (as
you can do with remote access)? Perhaps convoluted, but you can imagine
that it would be great to have admin actions locked down with two-factor
authentication on a large LAN/WAN. It seems to make sense, but I don't
have near the Windows experience to answer it.
TIA,
Nick
> -----Original Message-----
> From: Depp, Dennis M. [mailto:deppdm_at_ornl.gov]
> Sent: Tuesday, March 01, 2005 1:03 PM
> To: Leon North; security-basics_at_securityfocus.com
> Subject: RE: AD across both DMZ & LAN
>
>
> Leon,
>
> 1. Yes this is possible. You will want to set up two forests
> and create a one way trust between the two forests. (or
> between two domains in the
> forest.)
> 2. While not ideal, I think it is an acceptable approach.
> However, your management will have to decide if the risk is
> worth the cost savings.
> 3. You should be able to configure
> loopback processing of GPOs on the Citrix server. This will
> allow you to define a separate user profile when they log
> onto the Citrix server.
>
> Denny
>
>
> -----Original Message-----
> From: Leon North [mailto:leon_nc_at_linuxmail.org]
> Sent: Tuesday, March 01, 2005 10:20 AM
> To: security-basics_at_securityfocus.com
> Subject: AD across both DMZ & LAN
>
> Hi,
>
> We currently have an NT4 domain in the DMZ and an unrelated
> NT4 domain internally. The DMZ domain contains a server
> running citrix, and is used for internet web browsing/email,
> so that we only have to allow the citrix connection through
> the FW to the LAN & no internal users can directly access the
> internet from their PCs.
>
> As part of an upgrade to Active Directory (both domains
> Win2k3), we would like to get the DMZ to trust the internal
> domain, so that we only have one set of user accounts to
> manage. But I am not sure about a couple of things with this setup-
>
> 1. Will this work like this, so that we only need 1 user
> account per user instead of a separate one externally to
> internally? (excuse the vagueness of the question)
>
> 2. If so, is that (not ideal I know but) an acceptable
> approach security wise, when the DMZ DC can access the
> accounts on the internal domain?
>
> 3. Can we configure it somehow so that the user gets a
> different profile when logging in to the DMZ only? I ask that
> because one potential issue I see is getting a virus
> infection into a user profile while logged into the DMZ, then
> logging into an internal server.
>
> Thanks for any help.
>
> Leon
--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
At last, Two Factor Authentication, Without the Expense Factor
Received on Mar 04 2005