Home page logo

basics logo Security Basics mailing list archives

Re: Windows Active Directory Domains
From: Kurt Buff <kurt.buff () gmail com>
Date: Mon, 14 Jul 2014 07:23:54 -0700

Going bankrupt because of regulatory fines (or just paying a big fine)
vs. going bankrupt (or losing lots of money) because of theft of IP or
hacked bank accounts isn't much of a choice. They both are outcomes to
be avoided by exercising due care. One might argue that the
possibility of jail time because of HIPAA provisions or other laws
might provide extra incentive, but I haven't seen much of those kinds
of penalties - yet. And, if you can achieve the same level of security
without the complexity of extra configuration, or the expense of extra
staff, then your course is pretty clear.


On Mon, Jul 14, 2014 at 7:12 AM, Mikhail A. Utin
<mutin () commonwealthcare org> wrote:
Quote: HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the 
intellectual property and/or financial data and/or business processes require pretty much an equal level of care.

Not really right as HR deals with personal identifiable information. See, for instance US MA 201 CMR 17.00, or 
similar. PI, i.e. legally protected personal information, is at least one record having any number (like SSN or a 
license) and full name. HR has a plenty of such information.

In any case when you think of protecting data, you need to clarify if any compliance is required. If do, then you 
need to check the regulation(s) what it exactly requires. You may build up numerous expensive and technically correct 
solutions, but in a case of something goes wrong and protected (in legal context) data is acquired, your incompliance 
will be considered first and your efforts as secondary.

I would remind that there are two parts in information security - legal (including compliance) and technical. First 
is more important as relates to the business directly. If there is no such matter of a compliance in your 
organization (there is no federal, state, local, industry regulation), then you are lucky person and have free hands.


Mikhail Utin, CISSP

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kurt Buff
Sent: Wednesday, July 09, 2014 10:22 AM
To: security-basics () securityfocus com
Subject: Re: Windows Active Directory Domains

Some questions:

Who administers the firewalls separating the HR domain from the other domain?
Do the firewall admins also administer either domain?
Are the firewalls between domains even more restrictive of web browsing and other online activity for HR than for the 
other staff?
Who administers the HR domain, and why are they more trusted than those who administer the larger domain?

As you probably gather, the situation seems (to me) fraught with redundancy and possibility for error. HR data isn't 
so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property 
and/or financial data and/or business processes require pretty much an equal level of care.


On Tue, Jul 8, 2014 at 1:48 PM,  <joeb1kenobe () gmail com> wrote:
I have a scenario where I am trying to evaluate the security benefits of an Active Directory domain structure.

We will call the company XYX Inc. They have an AD Forest/Domain for general users. They also have a separate AD 
Forest/Domain for their HR Users that is behind a firewall.

The claim is that the separate forests with a one way trust provides the necessary security to protect the HR 

My thinking is that having the users/servers in the same forest would provide additional benefit of ease of use for 
the technical team. Using the already existing firewall, separate the servers behind the firewall for the needed 
protection of HR files.

Before I make a recommendation of one way or the other, I wanted to elicit the ideas of others who may have seen 
similar situations.


Joe Brown

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]