Given all of that, we're back to the two major tenets of security: 1)
security is everyone's business and 2) only secure the things you really
want to keep safe.[1]

Outside of that, an argument can be made that a perimeter defense is
yesterday's approach to security.  A la "keep out the bad guys and you won't
have to worry about keeping tight security."  As you can see from the many
posts generated, security is not a product or a one-time pass at something.
It's not the same as locking the door, painting it the same color as the
wall and hoping that nobody realizes what's in there.  Truth is, somebody
will wonder why a doorknob is stuck in the middle of the wall and will open
it and see your valuables.

It comes back to giving access to resources secured by Active Directory.  Do
you grant access to external employees using Active Directory or not?  I
don't think that anyone who has an ID in my environment should be secured
with a different environment.  I should be able to get them to sign the same
agreement or better as my FTEs and simplify my administration.  I would of
course want them more limited than some employees that are FTEs, but not by
much.  I would really want my FTEs to be just as limited as my
contractors.  Kind of a different way to look at it.




[1] In other words, know your assets and their worth, and protect them
accordingly.
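As an added example that is not part of this thread (none of the posters supplied code): the posts quoted below argue that any domain account, a contractor's included, can read every share that an admin left open to Everyone or Authenticated Users. The PowerShell below walks a list of file servers, reports share ACEs granted to such broad principals, and checks whether the NTFS ACL at the share root grants them too, since effective access is the more restrictive of the two. It assumes the SmbShare module (Windows 8 / Server 2012 or later), an account with admin rights on the target servers, and the placeholder host names FS01 and FS02.

```powershell
# Added example, not code from the thread. Audits SMB share ACLs on a set of
# file servers for grants to broad principals (Everyone, Authenticated Users,
# Domain Users, ...) that any domain account, contractor or FTE, falls into.
# Assumes the SmbShare module and remote admin rights; host names are placeholders.

$Servers = @('FS01', 'FS02')

# Wildcard patterns, so DOMAIN\Domain Users matches whatever the domain is called.
$BroadPatterns = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                   'BUILTIN\Users', '*\Domain Users', '*\Domain Computers')

function Test-BroadPrincipal {
    param([string]$Account, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Account -like $p) { return $true } }
    return $false
}

function Get-BroadShareGrant {
    param([string[]]$ComputerName, [string[]]$Patterns)

    foreach ($server in $ComputerName) {
        try {
            $shares = Get-SmbShare -CimSession $server -ErrorAction Stop |
                      Where-Object { -not $_.Special }      # skip C$, ADMIN$, IPC$
        } catch {
            Write-Warning "$server : $($_.Exception.Message)"
            continue
        }

        foreach ($share in $shares) {
            # Share-level ACEs granted to a broad principal.
            $shareAces = Get-SmbShareAccess -CimSession $server -Name $share.Name |
                         Where-Object { $_.AccessControlType -eq 'Allow' -and
                                        (Test-BroadPrincipal $_.AccountName $Patterns) }
            if (-not $shareAces) { continue }

            # Effective access is the intersection of share and NTFS permissions,
            # so a share open to Everyone only matters if NTFS agrees.
            $ntfsAces = @()
            try {
                $ntfsAces = (Get-Acl -Path "\\$server\$($share.Name)" -ErrorAction Stop).Access |
                            Where-Object { $_.AccessControlType -eq 'Allow' -and
                                           (Test-BroadPrincipal $_.IdentityReference.Value $Patterns) }
            } catch {
                Write-Warning "\\$server\$($share.Name): NTFS ACL not readable: $($_.Exception.Message)"
            }

            foreach ($ace in $shareAces) {
                $ntfsMatch = $ntfsAces | Where-Object { $_.IdentityReference.Value -eq $ace.AccountName }
                [pscustomobject]@{
                    Server     = $server
                    Share      = $share.Name
                    Path       = $share.Path
                    Principal  = $ace.AccountName
                    ShareRight = $ace.AccessRight
                    NtfsRights = ($ntfsMatch | ForEach-Object { $_.FileSystemRights }) -join '; '
                    # Broad share ACL plus broad NTFS ACL is the finding worth acting on.
                    Exposed    = [bool]$ntfsMatch
                }
            }
        }
    }
}

Get-BroadShareGrant -ComputerName $Servers -Patterns $BroadPatterns |
    Sort-Object Exposed -Descending |
    Format-Table -AutoSize
```

Rows with Exposed = True are shares a contractor's ordinary domain ID can reach without anyone having granted it anything. Subfolders can carry their own, looser NTFS ACLs, so a share root that looks closed is a starting point rather than a clean bill of health; run the same Get-Acl check against the directories that matter once the list of shares is known.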

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 12, 2004 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Managing accounts for 'outsiders'

We classify 2 types of non-FTEs: Contractors and Consultants.

Contractors are, as you point out, in place of FTEs. They get our hardware,
and more or less normal user access, just like FTEs.

Consultants are required to supply their own hardware, and are physically
segmented off our network, onto an Internet-only VLAN.

In no case do we ever publish internal resources outside, without using some
form of VPN access.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 12, 2004 10:12 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Managing accounts for 'outsiders'
> 
> I read this post and then I read the responses and think people are 
> seeing this in different ways. So I will do my best to tie what I think 
> you may be asking together and opine a bit (as usual).
> 
> There is the case of normal contractors who come in and do work; they 
> could be called agency employees, for instance. Like myself, say I do 
> long term consulting for company X; I come in daily just like any full 
> time employee, only I am expected to actually get work done. In this 
> case I would say the outside person should be treated like a normal 
> employee; you have of course locked down your HR and other systems 
> that should only be accessed by true-blue employees, so giving them NOS 
> access is not only fine, but required for them to work and interact 
> with your real employees in any meaningful sense.
> 
> As for the case of outside vendors who come in to support very special 
> or specific things: depending on the scope and the interaction they 
> have to have with other internal employees, I would give or not give 
> them access, leaning towards not. The larger your company, the more 
> likely someone has added something to the forest or some trusting 
> domain that does not have proper security. You can say you are locking 
> people down to working only on specific servers, but how confident are 
> you that that is truly the case?
> Unless you have personally verified the security of every single 
> machine that trusts IDs from the NOS domain, you had better not say you 
> are confident.
> So outside of checking every machine, what is your method of forcing 
> someone to only use a certain machine? If the answer is you specify 
> what machines they can log on to on the user object, go back to the 
> drawing board; you don't understand how authentication works in 
> Windows and how many different ways that can be bypassed.
> 
> If you let me on your network unhindered with my own machine [1] and I 
> have a domain ID for your main authentication system I now have access 
> to look at every single machine and thing that allows authenticated 
> user access or everyone access. Again in a large company, you would be 
> shocked to find how much is open like that. A lot of admins do not 
> lock down file shares from allowing everyone / authenticated user 
> access. A lot of others will open things up the minute some issue 
> comes in that someone doesn't understand so they can get people to 
> stop screaming, many of those never go back and correct it.
> 
> Every now and then if I had 3 or 4 spare minutes I used to just go to 
> network neighborhood and with a regular ID I would just start clicking 
> and diving down, and I don't think there was but a very small handful 
> of times I didn't randomly click my way into some share on some server 
> that I shouldn't have been able to get into. I found engineering 
> designs, I found performance reviews, I found MP3s and movies, heck, 
> once I even found porn. I would always send a nice note to the admins 
> and then usually a global note saying, people - security doesn't 
> happen on its own. It didn't help.
> 
> Your security is as good as your worst admin[2]. How good are your 
> admins?
> Luckily you can contain that in buffer zones. You have a few domain 
> admins who have access to the big stuff; they should all be great. 
> You then have lower level admins who are server admins; they should 
> still be pretty good. You then have your lowest rung of admins, which 
> are workstation admins; they should still be trustworthy, but since you 
> aren't (or shouldn't be) doing a lot of workstation data sharing, they 
> don't have to be quite as up on security and what the settings are on 
> the machines (though it is still a good idea if they are).
> 
> So my response to your good question is... It depends. 
> 
> 
>   joe
> 
> 
> 
> [1] Or in fact, any machine that you do not control my actions on so 
> it could be your own machine.
> 
> [2] This could also be used to point out why you shouldn't overload 
> your admins. An admin constantly running from one thing to the next is 
> less likely to be concerned about security than one who can take their 
> time to do things correctly. It is a matter of priorities, and the 
> natural priority of anyone getting the crap kicked out of them every 
> day or constantly yelled at is to shut those people up in the quickest 
> way possible. Whose fault is it if an admin is that busy and not doing 
> security correctly? I can tell you if something gets compromised, I 
> will bet money everyone in charge will determine it is the admin's 
> fault. Most companies don't think very well, especially when the 
> management who caused the issue are the ones trying to sort out the 
> root cause of any failures surrounding it.
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, 
> David A
> Sent: Tuesday, May 11, 2004 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Managing accounts for 'outsiders'
> 
> I'm curious what y'all do with those situations where you have to 
> manage credentials for 'outsiders' - in other words, users from some 
> business partner, vendor, etc. who must have access to some resource 
> in your company.
> For example, say you have some intranet web app that you make 
> available on the Internet via ISA Server/reverse proxy.  This works 
> for employees, but soon some 'outsiders' (contractors, outsourced 
> service providers) need to use it.
> 
> Do you put them someplace in your existing AD so they can use the same 
> proxy ?  Do you set up an alternate way for them to get to the 
> resource ?  What steps do you take to ensure that those credentials 
> are restricted to the resource you intend ?
> 
> I'm a tad uncomfortable with people outside the organization running 
> around with valid credentials to the internal NOS directory, but maybe 
> that's just me.  I realize it's a business decision, and that there's 
> hopefully some level of trust in these individuals since they've been 
> contracted to perform some service, but the more I can control it the 
> better.
> 
> Rants, flames, war stories are welcome (I can take it :).  Even more 
> welcome is some discussion of how you deal with external users in 
> general, and specific steps you take to protect your AD from misuse by 
> them.
> 
> Dave
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/