I would pipe in and agree with Al. I don't really think, in most environments, that "external" users such as consultants are any more or less trustworthy than "internal" employees. When it comes down to it, you hired both of them off the street. Personally, everyone gets an AD account, but what they can do with it is constrained by such things as GPOs tied to Intellimirror that determine what apps they get, whether or not they receive accounts in other systems (controlled by MIIS, based on HR and other data), what VLAN their machines are assigned to, etc. In short, their authorization is controlled by a lot of other factors that have little or nothing to do with AD.
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, May 11, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Managing accounts for 'outsiders'

That's a pretty common scenario in many types of business. We all do business with partners and have to face this at some point. Most businesses have since they started with EDI, but the security wasn't as high-profile as it is these days for many of them.

To paraphrase the question, "how do you securely grant access to internal resources for non-employees (FTEs)? Do you use AD or some other way?"

Unfortunately for this conversation I think the only accurate answer could be that it depends. If you work in a place where there is a risk that your administrative process could allow improper access to a resource, I would say you should "firewall" non-FTE access away from sensitive systems. If your process and policy can withstand the risk, then why not make it easier to manage for you and your staff?

Active Directory is handling your Identification, Authentication, and Authorization for your internal employees and you are extending some level of trust to these others. Many shops don't use Active Directory for their Authorization, especially when it comes to web/intranet. There tend to be better products for that. Not a lot of better products for Identification and Authorization (many as good, using the same technology for the most part; they don't tend to be as reliable from a topology standpoint).

That said, if you don't use Active Directory for this access, what would you use instead? Would you store the identity in the AD and use something else for authentication and authorization? Would you create a totally separate IAA scheme to handle this? Is it worth it?

My own personal belief is that contractors are under the exact same obligations as my FTEs and are no more trustworthy (nor less).
I believe I have an obligation to provide them with the service and to make it as secure as I can, while keeping everything as simple and cost-effective as I can. I have no problems giving that kind of access via Active Directory as long as my account lifecycle management processes and systems are where they should be. I think it is critical to have these policies and enforcement mechanisms in place to ensure that access is only given where it belongs, regardless of mistakes, etc.

Al

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 11, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Managing accounts for 'outsiders'

I'm curious what y'all do with those situations where you have to manage credentials for 'outsiders' - in other words, users from some business partner, vendor, etc. who must have access to some resource in your company. For example, say you have some intranet web app that you make available on the Internet via ISA Server/reverse proxy. This works for employees, but soon some 'outsiders' (contractors, outsourced service providers) need to use it. Do you put them someplace in your existing AD so they can use the same proxy? Do you set up an alternate way for them to get to the resource? What steps do you take to ensure that those credentials are restricted to the resource you intend?

I'm a tad uncomfortable with people outside the organization running around with valid credentials to the internal NOS directory, but maybe that's just me. I realize it's a business decision, and that there's hopefully some level of trust in these individuals since they've been contracted to perform some service, but the more I can control it the better. Rants, flames, war stories are welcome (I can take it:). Even more welcome is some discussion of how you deal with external users in general, and specific steps you take to protect your AD from misuse by them.
Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
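The controls the thread converges on (external accounts kept in their own container, granted only an app-specific group, expired on a schedule, and audited for lifecycle lapses) can be scripted with the ActiveDirectory PowerShell module. The script below is an added illustration, not code from any poster on the list; the OU path, group name and sponsor attribute are assumed names for a hypothetical domain.

```powershell
Import-Module ActiveDirectory

# Assumed: a dedicated OU that holds every non-employee account (hypothetical DN)
$externalOu      = "OU=External,OU=Users,DC=example,DC=com"
$maxContractDays = 90

function New-ExternalUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Sponsor,   # internal employee who vouches for the account
        [int] $Days = $maxContractDays
    )
    # Account lives in the external OU, expires automatically, and records who sponsored it.
    New-ADUser -Name $DisplayName -SamAccountName $SamAccountName `
        -Path $externalOu -Enabled $true `
        -AccountExpirationDate (Get-Date).AddDays($Days) `
        -Description "External; sponsor=$Sponsor" `
        -AccountPassword (Read-Host -AsSecureString "Initial password") `
        -ChangePasswordAtLogon $true
    # Access to the proxied intranet app comes only from this group (hypothetical group name).
    Add-ADGroupMember -Identity "App-IntranetPortal-Users" -Members $SamAccountName
}

function Get-ExternalAccountFindings {
    # Lifecycle audit: flags the lapses the thread worries about (no expiry, stale, over-privileged).
    $now = Get-Date
    Get-ADUser -SearchBase $externalOu -Filter * `
        -Properties AccountExpirationDate, LastLogonDate, MemberOf |
    ForEach-Object {
        $u = $_
        $problems = @()
        if (-not $u.AccountExpirationDate) { $problems += "no expiry set" }
        elseif ($u.AccountExpirationDate -lt $now -and $u.Enabled) { $problems += "expired but still enabled" }
        if ($u.LastLogonDate -and $u.LastLogonDate -lt $now.AddDays(-45)) { $problems += "no logon in 45 days" }
        $privileged = $u.MemberOf | Where-Object {
            $_ -match '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'
        }
        if ($privileged) { $problems += "member of privileged group" }
        if ($problems) {
            [pscustomobject]@{ Account = $u.SamAccountName; Findings = ($problems -join '; ') }
        }
    }
}

Get-ExternalAccountFindings | Format-Table -AutoSize
```

Run the audit on a schedule and route its output to whoever owns the sponsor relationship; an external account with no expiry or a privileged group membership is a process failure regardless of how trustworthy the individual is.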
