Security Basics mailing list archives
Re: Microsoft Active Directory security concerns
From: simonis () myself com
Date: 15 Jun 2006 15:25:35 -0000
Couldn't the annoyance to internal users in a multi-forest situation be eliminated by having a one-way trust where the external forest trusted the internal? That way, internal users could use their accounts, but external users would not have any rights on the internal domains.

As it is, if the only thing that segments external and internal is an OU, then these users have inherent rights within the domain unless otherwise explicitly blocked. Say, you could block all login rights to the other OUs via GP, but that would be tedious and error-prone. This would be easier to do with at least a new domain in the same forest. Domains in the same forest, unless I am mistaken, have an automatic trust. You could block access to internal domain resources for external users in the default domain policy (deny rights to external domain authenticated users), which would be simpler. But I'd still prefer a unique forest.

-Ds
