Title: [ActiveDir] Trusting Domain SIDs

Here are some sources to reference in your design process.

http://www.microsoft.com/technet/security/topics/identity/idmanage/P1Plat_4.mspx

A couple of points to raise:

  1. To support this infrastructure you will require DNS and additional hardware.  Make sure you provision accordingly.
  2. You need to decide if there needs to be a trust involved.  Make sure you plan for IPsec to make the trust more secure.
  3. You should monitor the extranet for availability, and also audit it heavily and use restrictive security policies to enforce compliance.
  4. If your goal is to give external users access to internal applications, you might investigate Terminal Services and user accounts with more restrictive settings.
  5. If you only need an LDAP directory for authentication, look into using ADAM and third-party SSOs.  Fewer infrastructure requirements.
  6. Remember to patch, patch, patch.

Good luck.

Todd  

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Monday, October 25, 2004 12:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extranet's

Yep, done it several times this way - at least for the users. Depending on how your machines need to talk to the internal servers, you might not even need to set up a trust. But if you don't get around it, you could still limit its reach using selective authentication.

/Guido
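A defender-side check for the two controls the replies mention (Todd's point about auditing the trust, Guido's selective authentication), added here as an example and not code from any poster. It assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later, so the `AD:` drive exists) and uses the well-known Allowed-To-Authenticate extended-right GUID.

```powershell
# Added example, not from the thread. Audits every non-intraforest trust of the
# current domain for selective authentication and SID filtering, then shows who
# has actually been granted "Allowed to Authenticate" on a resource computer.
Import-Module ActiveDirectory

function Get-TrustPosture {
    foreach ($trust in (Get-ADTrust -Filter *)) {
        if ($trust.IntraForest) { continue }   # parent/child trusts are out of scope
        $findings = @()

        # Without selective authentication, every user in the trusted (extranet)
        # forest is "Authenticated Users" on every resource in this forest.
        if (-not $trust.SelectiveAuthentication) {
            $findings += 'Forest-wide authentication: enable selective authentication'
        }
        # External (non-transitive) trusts rely on the quarantine flag for SID
        # filtering; if it is off, SID history from the trusted side is honoured.
        if (-not $trust.ForestTransitive -and -not $trust.SIDFilteringQuarantined) {
            $findings += 'SID filtering (quarantine) disabled on external trust'
        }

        [pscustomobject]@{
            Trust            = $trust.Name
            Direction        = $trust.Direction
            ForestTransitive = $trust.ForestTransitive
            SelectiveAuth    = $trust.SelectiveAuthentication
            SIDFilterQuarant = $trust.SIDFilteringQuarantined
            SIDFilterForest  = $trust.SIDFilteringForestAware
            Findings         = ($findings -join '; ')
        }
    }
}

# With selective authentication on, a trusted principal can only reach a
# resource computer whose object grants it the Allowed-To-Authenticate
# extended right. This lists the principals holding that right on one computer.
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticate {
    param([Parameter(Mandatory)][string]$ComputerName)

    $dn  = (Get-ADComputer $ComputerName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object { $_.ObjectType -eq $AllowedToAuthenticate -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Computer';e={$ComputerName}}, IdentityReference,
                      IsInherited, InheritanceType
}

Get-TrustPosture | Format-Table -AutoSize
```

Run `Get-AllowedToAuthenticate -ComputerName <extranet-facing server>` for each resource the extranet machines are meant to reach, and compare the grants against the design.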

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 25, 2004 2:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extranet's

We are looking at redesigning our extranet and are considering a separate forest for the extranet users; eventually most of the resources needed for the extranet will be put into that forest. My thinking is that since a domain isn't a true security boundary and it really won't cost us more to bring up a forest vs. a domain, why not go with a separate forest? The users in the extranet forest won't necessarily need access to the internal systems, but some of the machines will need to talk to internal servers, so I assume at some point we will need a trust relationship. My question is simply: what am I missing, and has anyone done similar setups?

Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP