Home page logo

basics logo Security Basics mailing list archives

Re: AD Child Domains
From: pinowudi <pinowudi () gmail com>
Date: Thu, 24 Apr 2008 06:39:29 -0400

PCI compliance objectives apply to everyone in an organization, not excluding a 'vocal minority' or anyone else. If they have a real argument for not conforming to the standards, they can present a business case that demands they not comply to complete some essential business function. The executive officer in charge of security (CTO/CIO/CFO) will have to make the call whether to bring them into compliance or accept the risk of having them in non-compliance. So long as your recommendations are clearly noted in the supporting documentation and email threads and the exception is documented in writing, it should not reflect poorly on you, but will show as an acceptance of known risk by the executive tribe. Then you can justify the cost of maintaining a separate AD structure for that function, or demonstrate the ROI of bringing them into the fold.

Raoul Armfield wrote:
We are in the process of making a modification to our AD structure. For PCI compliance we need to segregate a portion of our users to a separate domain. This set of users do not need/want (and are very vocal about it) to follow the stricter password policy that PCI mandates.

I understand that when you create a child domain it by default creates a two-way transitive trust between the two domains. Is it possible to limit this trust relationship to a one-way trust relationship? If this is possible it seems to me that it may be preferable to creating a new forest just for a couple of hundred users.

Of course it is entirely possible that I am not thinking this through completely and am missing some important factors to consider. Your thoughts would be greatly appreciated.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]