Hear, hear!

-gil

________________________________

From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Thu 1/6/2005 8:06 PM
To: [email protected]
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

>>> by using selective authentication (SA).

Which, in other words, means that a SEPARATE FOREST does not in itself protect you from an internal "clever domain admin" in any of the domains/forests. Unless you go through the trouble of SID filtering, SA, and other ACLing. And, even with all that in place, "a clever domain admin" will still be hard to keep out, especially if the admin is clever, malicious and determined at the same time. This goes to show that you don't want to have any "clever domain admin" that you cannot completely trust in any part of your infrastructure. This, to me, is your most basic and effective protection.

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: Sakari Kouti
Sent: Thu 1/6/2005 1:42 PM
To: [email protected]
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Hi David,

In addition to SID filtering, you can protect a trust between domains in two forests (either a forest trust or an external trust) by using selective authentication (SA). SA is sometimes called an authentication firewall, and the idea is that only listed users can access only listed servers across the trust (in addition to traditional share and NTFS permissions).

If the new domain creates a new forest, its domain admins are not subject to the Enterprise Admins of the existing forest. This may or may not be of relevance to you.

I'm not sure if I understand your last question, but a forest trust is only possible if both forests are on the WS2003 FFL.

Yours,
Sakari

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
> Sent: Thursday, January 06, 2005 10:32 PM
> To: [email protected]
> Subject: [ActiveDir] Forest trusts vs trusts within forests
>
> Happy New Year!
> I'm having a design discussion with myself about adding a forest vs adding a domain to an existing forest. I understand about the automatic transitive trust between domains in a forest, and how it's possible for a clever domain admin in a subdomain to compromise the entire forest. What I'm shaky on is this: If you had two single-domain forests, and established trusts in both directions between them, do you have the same issues? I would think not, because the configuration and schema NCs are not shared between them, but I'm looking for some confirmation on that. Also, since we're talking about two single-domain forests, I'm guessing that the 'forest trusts' available in W2K3 FFL don't really come into play here, correct? In other words, getting the first domain to W2K3 FFL doesn't buy anything with respect to this trust?
>
> Thanks,
> Dave
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
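The two protections Sakari describes for cross-forest trusts (SID filtering and selective authentication), and the intra-forest case Deji warns about, are all recorded as flag bits on each domain's trustedDomain objects. The following is an added example, not code from the ActiveDir list or any of its posters: it decodes those bits for a set of constructed trust records and reports which of the protections discussed in the thread are absent. The domain names are placeholders; the bit values are the trustAttributes and trustDirection definitions from MS-ADTS.

```python
"""Audit Active Directory trust objects for the protections discussed in the
thread: SID filtering (quarantine) and selective authentication.

Added example, not code from the ActiveDir list or any of its posters. The
trust records below are constructed for illustration; a real audit would read
the trustedDomain objects under CN=System in each domain. Bit values follow the
trustAttributes (6.1.6.7.9) and trustDirection (6.1.6.7.12) definitions in MS-ADTS.
"""

# trustAttributes flag bits (MS-ADTS 6.1.6.7.9)
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004  # SID filtering ("netdom trust ... /quarantine")
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008  # forest trust (requires WS2003 forest functional level)
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010  # selective authentication
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020  # automatic parent/child or tree-root trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040  # relaxes forest-aware SID filtering on a forest trust
TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION = 0x00000080

FLAG_NAMES = {
    TRUST_ATTRIBUTE_NON_TRANSITIVE: "NON_TRANSITIVE",
    TRUST_ATTRIBUTE_UPLEVEL_ONLY: "UPLEVEL_ONLY",
    TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN",
    TRUST_ATTRIBUTE_FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
    TRUST_ATTRIBUTE_CROSS_ORGANIZATION: "CROSS_ORGANIZATION",
    TRUST_ATTRIBUTE_WITHIN_FOREST: "WITHIN_FOREST",
    TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL",
    TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION: "USES_RC4_ENCRYPTION",
}

# trustDirection values (MS-ADTS 6.1.6.7.12)
DIRECTION_NAMES = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def decode_trust_attributes(value):
    """Names of the flag bits set in a trustAttributes value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def classify_trust(record):
    """Intra-forest, forest or external, from the stored flags."""
    attrs = record["trustAttributes"]
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest"
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest"
    return "external"


def assess_trust(record):
    """Findings for one trust, seen from the resource (trusting) side."""
    attrs = record["trustAttributes"]
    kind = classify_trust(record)
    findings = []
    if kind == "intra-forest":
        # The thread's point: domains in one forest share the configuration and
        # schema NCs, and this trust can be neither filtered nor made selective.
        findings.append("intra-forest trust: transitive by design, no SID filtering or "
                        "selective authentication possible; control who holds domain admin")
    else:
        if kind == "external" and not attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            findings.append("SID filtering (quarantine) not set on external trust")
        if kind == "forest" and attrs & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL:
            findings.append("forest trust marked TREAT_AS_EXTERNAL: forest-aware SID filtering relaxed")
        if not attrs & TRUST_ATTRIBUTE_CROSS_ORGANIZATION:
            findings.append("selective authentication not enabled: any user of the trusted "
                            "domain can authenticate to any server here, limited only by "
                            "share and NTFS permissions")
    return {
        "name": record["name"],
        "kind": kind,
        "direction": DIRECTION_NAMES.get(record["trustDirection"], "unknown"),
        "flags": decode_trust_attributes(attrs),
        "findings": findings,
    }


def audit_trusts(records):
    """Assess every trust record and return the list of results."""
    return [assess_trust(r) for r in records]


# Constructed sample trustedDomain records (placeholder names, not real domains).
SAMPLE_TRUSTS = [
    {"name": "child.corp.example", "trustDirection": 3,
     "trustAttributes": TRUST_ATTRIBUTE_WITHIN_FOREST},
    {"name": "partner.example", "trustDirection": 3,
     "trustAttributes": TRUST_ATTRIBUTE_FOREST_TRANSITIVE},
    {"name": "legacy.example", "trustDirection": 2, "trustAttributes": 0},
    {"name": "vendor.example", "trustDirection": 1,
     "trustAttributes": TRUST_ATTRIBUTE_QUARANTINED_DOMAIN | TRUST_ATTRIBUTE_CROSS_ORGANIZATION},
]

if __name__ == "__main__":
    for result in audit_trusts(SAMPLE_TRUSTS):
        print(f"{result['name']:22} {result['kind']:12} {result['direction']:14} "
              f"{', '.join(result['flags']) or '-'}")
        for finding in result["findings"]:
            print(f"    ! {finding}")
```

Run as a script it prints one line per trust followed by its findings; in a real environment the records would come from an LDAP read of the trustedDomain objects, and the same bits surface as the SelectiveAuthentication and SIDFilteringQuarantined properties of Get-ADTrust in the PowerShell AD module. The check only flags a missing QUARANTINED_DOMAIN bit on external trusts because forest trusts receive forest-aware SID filtering by default without that bit being set; and, as the intra-forest branch shows, none of these bits help once the other domain is inside your own forest, which is what the thread is warning about.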
