mailing list archives
RE: AD Child Domains
From: "Sheldon Malm" <smalm () ncircle com>
Date: Thu, 24 Apr 2008 06:34:38 -0700
Raoul: this should be negotiated at the political level before
scrambling to find a technical solution. There is nothing particularly
"strict" about PCI's password guidelines. It's clear that PCI is enough
of a driver in your organization to have sparked this discussion (which
is good), however PCI is focused primarily on protecting cardholder
data. The PCI DSS as written today is not a draconian Security
My best advice before you complicate your AD environment would be to
make sure that standard password enforcement is absolutely out of the
question. Given the huge increase in client-side attacks over the last
18 months, it is in your organization's best interest to get these users
out of the dark ages. You're not forcing the use of SecureID tokens
here - this is standard 21st Century common sense. This sounds like an
education and socialization question; not a technical one.
My 2 cents.
Security Research & Development
nCircle Network Security
Check out the VERT daily post
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Raoul Armfield
Sent: Wednesday, April 23, 2008 2:43 PM
To: security-basics () securityfocus com
Subject: AD Child Domains
We are in the process of making a modification to our AD structure. For
PCI compliance we need to segregate a portion of our users to a separate
domain. This set of users do not need/want (and are very vocal about
it) to follow the stricter password policy that PCI mandates.
I understand that when you create a child domain it by default creates a
two-way transitive trust between the two domains. Is it possible to
limit this trust relationship to a one-way trust relationship? If this
is possible it seems to me that it may be preferable to creating a new
forest just for a couple of hundred users.
Of course it is entirely possible that I am not thinking this through
completely and am missing some important factors to consider. Your
thoughts would be greatly appreciated.