Not sure if this was mentioned by anyone - have you checked this out?
http://www.microsoft.com/windows2000/technologies/directory/AD/redir-adsegment.asp
Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456
From: "Joe" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 10/18/2003 11:22 AM
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
This is similar to the solution I was thinking of as well. It only costs you
a firewall and the full protection of a single machine. I wouldn't even give
full access to this box to production; it would allow HTTP access to it.
Someone checks a file in on the lab side, you check it out on the prod side.
Ditto but in reverse to get something from prod to dev.
I was just telling my team this last week. You have a see-saw: on one
side is security, on the other is flexibility/usability. You need to decide
which side should be focused on. If you have to have the flexibility and
usability, you have to sacrifice security. If you are sane, you choose
security and sacrifice flexibility and usability. Just because people are
used to having full access doesn't mean it should continue or that it makes
sense. It is something that has been pushed due to how MS trains admins and
developers (MC* programs) and their own software, and with how the
environment has evolved with third-party stuff.
I know I beat on E2K a lot, but it is a great example of a poor directory
integrated, poor security app. I recall when I got the instructions for how
to separate the administrators of Exchange and AD... I looked down the list,
you had multiple ways to do it. First was to give property sets and add a
bunch of denies, the other was to add a bunch of individual grants. Either
way really goes against the recommendation of managing your directory
security well, because it is confusing, plus you don't want a bunch of ACEs
on your objects. Additionally, one of the attributes that was to be delegated
was the nTSecurityDescriptor... Heh. Game over.
It is only recently that true security has started to become something that
less than a minority on Windows is becoming aware of. You know me, I have
always been paranoid about it. It is good to see the rest of the world
starting to show up at that party (though I ate all the peanuts and drank
all the beer already so BYOB).
Additionally, I think it is not only silly, not only dangerous, but outright
stupid to allow people to pull something directly from dev or the lab into
the production environment without some form of logged process in between.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bill Moran
Sent: Friday, October 17, 2003 3:01 PM
To: [EMAIL PROTECTED]
<SNIP>
Well, I still think you could work it out with an intermediate machine.
Just put a server in between the two networks with two interfaces on it.
Load it up with all the virus protection you can find (most server-based
virus protection will check incoming and outgoing files as they are
up/downloaded) and keep the machine updated with all patches/etc.
Then set it up so the only way to get files from production to lab is to
copy them on to this server first. It's a little annoying for the people
copying the files ("Damn ... I forgot to copy this to the transfer server
from the lab") but I would say that this is where you've got to draw the
line if you want to have any level of safety/protection whatsoever.
<SNIP>
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
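An added example (not part of this thread or of any poster's code) of the transfer-server drop box Bill and joe describe: every file dropped on the lab side is hashed, scanned, logged with who released it, and only then moved to the production-facing share; anything the scanner flags goes to quarantine instead. The scanner is a stand-in that only recognises the EICAR test string, and the directory names, the `who` field and the JSON log format are assumptions.

```python
"""Transfer-server gateway: hash, scan, log, then release to the other side."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Standard EICAR test string: every AV engine detects it, and it is harmless.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan(path: Path) -> bool:
    """Stand-in scanner (assumption): a real gateway calls the AV engine here."""
    return EICAR.encode() not in path.read_bytes()


def release(inbox: Path, outbox: Path, quarantine: Path, log: Path, who: str) -> list[dict]:
    """Process each file in inbox: record sha256 and releaser, scan, then move
    it to outbox (clean) or quarantine (flagged). Returns the log entries."""
    results = []
    for f in sorted(p for p in inbox.iterdir() if p.is_file()):
        digest = hashlib.sha256(f.read_bytes()).hexdigest()
        clean = scan(f)
        dest = outbox if clean else quarantine
        dest.mkdir(parents=True, exist_ok=True)
        shutil.move(str(f), dest / f.name)
        entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                 "file": f.name, "sha256": digest, "by": who,
                 "result": "released" if clean else "quarantined"}
        with log.open("a") as fh:          # append-only audit trail of every transfer
            fh.write(json.dumps(entry) + "\n")
        results.append(entry)
    return results


def demo() -> list[dict]:
    """Constructed run: one clean file and one EICAR file dropped on the lab side."""
    root = Path(tempfile.mkdtemp(prefix="xfer-"))
    inbox = root / "lab_inbox"
    inbox.mkdir()
    (inbox / "clean.txt").write_text("build notes for prod\n")
    (inbox / "eicar.com").write_text(EICAR)
    return release(inbox, root / "prod_outbox", root / "quarantine",
                   root / "transfer.log", who="mparent")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```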
