Security Basics mailing list archives

RE: Microsoft Active Directory security concerns


From: "Jason Dinsdale" <jasondinsdale () gmail com>
Date: Tue, 27 Jun 2006 12:47:17 +1000

I would recommend taking a good long look at ADAM (AD Application Mode), a
free AD-derived LDAP server that is purpose-designed for this type of
scenario (directory-based extranet authentication).   I recently evaluated
ADAM as a migration option for one of our clients that uses an SSO product
with SunOne DS.  ADAM fared well in my evaluation, and I would recommend it
if you're an MS / AD shop.  Pertinent features are:

- ADAM is based on the AD code base.
- ADAM runs as a user service, not a system service.
- There is no dependence on infrastructure components like DCs,
domains/trees, DNS etc, and ADAM can be installed on Windows XP & 2003
hosts.
- ADAM leverages AD replication technology, but cannot replicate directly
with AD. However, it does have AD synchronisation tools available (AD<->ADAM
Synchronizer).
- ADAM has AD-like management tools, primarily CLI-based as well as
ADSI-Edit, and Schema plugins tailored for ADAM.  There is not any
equivalent to the AD MMC plugins however (think 'AD Users & Computers' etc).

My take on your scenario is - keep external & internal directories separate
as you are inclined to do.  My client has taken this approach, with internal
users stored in AD & external users in another directory (SunOne currently);
the SSO product they use is able to integrate both directories into its
access management policy matrix and apply access & authentication using both
directories, all without either directory having knowledge or exposure to
each other.  Whilst separation of external & internal identities is clearly
desirable from a security standpoint, this may or may not fit with your
scenario; if not, then investigate the ADAM synchronizer.

HTH,

Jason 

-----Original Message-----
From: DHegenbarth () wrberkley com [mailto:DHegenbarth () wrberkley com] 
Sent: Wednesday, 14 June 2006 2:06 AM
To: security-basics () securityfocus com
Subject: Microsoft Active Directory security concerns

All,

I have spent most of my time in network security and IDS/IPS technology so
I'm fairly new to security pertaining to MS Active Directory.  We are being
asked to evaluate web portal authentication/authorization for users, most of
whom are not employees of our company.  Our NT group wants to add / maintain
users in an "external OU", in an existing domain, under our existing AD
forest.  I think this is a bad idea but I am not versed enough in AD to
argue the point.  Are there glaring issues with this strategy? My concern is
that if someone were to gain access to AD they might not only affect
external applications but internal production as well.

Are "external OUs" that secure?  Are there more secure authentication
schemes?


Any thoughts would be greatly appreciated.



Dave
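The split Jason recommends, as an added example that is not from either poster in this thread: a dedicated ADAM instance for portal users, installed unattended on its own ports and under a local service account, and a portal-side check that authenticates an external user by LDAP simple bind over SSL against that instance only, so the web tier never holds a credential for, or opens a connection to, the corporate forest. The host name adam01.example.com, the ports 50000/50001, the partition DN DC=portal,DC=example,DC=com, the OU=ExternalUsers container and the data paths are assumptions for illustration. ADAM was later renamed AD LDS; the answer-file keys and the System.DirectoryServices.Protocols calls below are the same for both.

```powershell
# Added example (not from the thread). Assumed names: adam01.example.com,
# ports 50000/50001, partition DC=portal,DC=example,DC=com, OU=ExternalUsers.

# --- 1. Unattended install of a dedicated instance (run on the ADAM/AD LDS host) ---
# Own ports (not 389/636), Network Service instead of a domain account, and an
# application partition with no trust or replication relationship to the internal forest.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=PortalDir
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=DC=portal,DC=example,DC=com
DataFilesPath=D:\PortalDir\data
LogFilesPath=D:\PortalDir\logs
ServiceAccount=NT AUTHORITY\NetworkService
ImportLDIFFiles="MS-User.LDF"
"@
Set-Content -Path C:\Temp\portaldir.txt -Value $answer
& "$env:windir\ADAM\adaminstall.exe" /answer:C:\Temp\portaldir.txt

# --- 2. Portal-side authentication: simple bind over SSL as the external user ---
# No service-account search is needed; the portal binds as the user's own DN.
# Simple binds carry the password in clear, and ADAM/AD LDS rejects them on the
# non-SSL port by default (RequireSecureSimpleBind), so the SSL port is used and the
# instance must have a server certificate whose name matches $Server.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-PortalCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$Server = 'adam01.example.com',                                    # assumed host
        [int]$SslPort = 50001,                                                     # assumed port
        [string]$UserContainer = 'OU=ExternalUsers,DC=portal,DC=example,DC=com'    # assumed container
    )
    # Only allow characters that cannot alter the DN we bind as (no DN injection via the login name).
    if ($UserName -notmatch '^[A-Za-z0-9._-]{1,64}$') { return $false }
    # A DN with an empty password is an LDAP unauthenticated bind, which servers may
    # accept as anonymous: it must never reach Bind() as a "successful" login.
    if ([string]::IsNullOrEmpty($Password)) { return $false }

    $dn   = "CN=$UserName,$UserContainer"
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $SslPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = New-Object System.Net.NetworkCredential($dn, $Password)
        $conn.Bind()      # throws LdapException (result 49, invalid credentials) on failure
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Usage with a hypothetical portal user (returns $true or $false):
Test-PortalCredential -UserName 'jdoe' -Password 'S3cret!pass'
```

The portal's own credentials never appear here: it needs no account in the corporate domain and no network path to a DC, only the SSL port of the ADAM instance, which is the property the separation is meant to buy. If internal staff must also log in to the portal, the ADAM<->AD synchronizer can copy their accounts into the application partition one way rather than granting the portal any access to the forest.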

