Hi Gil,

>> Put your fingers on the table! Slap! ;-) [3] Yes - sorry - I'm german ;-)
> It sounds more like you're a Catholic nun!

Big belly, big feet, trolling around slowly on the MS campus when we met - I can see that I appeared to you as a penguin ;-)

> BTW, ich bin halb-deutsch. Mein Mutter ist aus Berlin. [BTW, I'm half German. My mother is from Berlin.]

Cool, and impressive. Most people in the US who are x% of some nationality don't know the language. Too bad I didn't know, it would have been easier to speak more fluently ;-)

Ulf

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Tuesday, October 18, 2005 7:00 PM
|To: [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Hi Ulf,
|
|Nice to have met you too..
|
|>>Put your fingers on the table! Slap! ;-) [3] Yes - sorry - I'm german ;-)
|
|It sounds more like you're a Catholic nun!
|
|We're pretty much in agreement. The real answer (as it always seems to be) is to analyze the threats, assess the risks, and make the appropriate cost/benefit tradeoffs of risk vs. mitigation. Multiple forests increase costs but provide more isolation. Do the costs outweigh the benefits? It all depends on the particular organization.
|
|BTW, ich bin halb-deutsch. Mein Mutter ist aus Berlin. [BTW, I'm half German. My mother is from Berlin.]
|
|-g
|
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, October 17, 2005 11:20 PM
|To: [email protected]
|Subject: RE: [ActiveDir] Global Catalog
|
|Hi Gil,
|
|(btw - was nice meeting you finally in person)
|
|You're right, that might be a better wording. However I didn't mean that I do not agree that the forest is the security boundary, however I do not like people using that term without being more specific. This will lead customers who are not enough into details to deploy multiple forests in scenarios where multiple domains (if even that) would have been sufficient. Keeping viruses, malware, and the regular "I'm admin - so let's surf the web" aside.
|
|Companies who might trust their admins but have too many users to trust each of them might deploy multiple forests b/c they are afraid that users might try to (hack/)try to get into other domains. However in a case like this it _might_ be overrated to deploy different forests, cause it's way harder for a regular user to get into another domain (and to valuable data there) than it is for an admin, the scenario is more difficult to administer (which might lead to loosened security and/or more admins you'll have to trust) and the physical security might not be in place to justify such a scenario (the users might still hop around in the same building without distinguished building security[1] or network boundaries[2]).
|
|I do not think that all domain admin threats are in the non-malicious category, and I don't think that forests shouldn't be mentioned as security boundary, however I think if you do mention that you also need to clarify against which threats you're deploying additional forests and what also needs to be applied in the company if you need that level of security for certain parts. In many cases a proper investment into security is better placed by drilling security into the heads of the admins (you're surfing the web as admin? Put your fingers on the table! Slap! ;-) [3] ) than deploying multiple forests without taking additional measures and wrongly believing it's buying you 100% security.
|
|Ulf
|
|[1] meaning that people having access to forest A only shouldn't have physical access to any machines in the office running in forest B and vice versa
|
|[2] different wires, VLANs, or a generic network with people VPNing into their infrastructure. I don't trust our friends aka "the unintentional fighter against security" aka devs. There are somewhere passwords on the wire in almost every network, and this threat is dependent on your number of in-house developed apps IMHO.
|
|[3] Yes - sorry - I'm german ;-)
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
||Sent: Tuesday, October 18, 2005 1:56 AM
||To: [email protected]
||Subject: RE: [ActiveDir] Global Catalog
||
||I think it is better to describe a domain as a policy and administration boundary (and a replication boundary), rather than a weak security boundary. It is more precise, and IMO, given the automatic domain trusts in a forest, there is not much of a security boundary between domains.
||
||And given the ease with which malware is distributed (through email and web pages for instance), the distinction between "criminal" and "unintentional" is thin, if not non-existent. People with criminal intent subvert administrative machines and accounts all the time. So even if you think your domain admin threats are all in the non-malicious category (not a smart way to think in any case), once the domain admin is exposed to some malware script, they've effectively taken on the criminal intent.
||
||-gil
||
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
||Sent: Monday, October 17, 2005 3:14 PM
||To: [email protected]
||Subject: RE: [ActiveDir] Global Catalog
||
|||So why don't you agree with the "general - forest is the security boundary - statement"?
||
||Cause IMHO the domain is a security boundary against accidental security issues, the forest against malicious/criminal.
||
||Companies usually trust their admins of different domains but might want to protect them against accidental mistakes or gaining rights easily. A different domain would be sufficient then. However if you want to protect yourself against admins with criminal energy (and I consider manipulating SID-History on purpose as criminal energy) the forest is the security boundary.
||
||So I agree a plain vanilla statement "the domain is the security boundary" is wrong, however I don't like the same plain vanilla statement of the forest - it should be more clearly pointed out if we are talking about criminal intentions or accidental intentions (which includes let's try quickly if we are able to ... - does not include hacking).
||
||Ulf
||
|||-----Original Message-----
|||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
|||Sent: Monday, October 17, 2005 11:59 PM
|||To: [email protected]; [email protected]
|||Subject: RE: [ActiveDir] Global Catalog
|||
|||Well, I call it that way because a user can authenticate with only DCs from its domain available (assuming the requirement for a GC is disabled) but cannot authenticate without a DC from its domain while having a GC available. You are correct that any GC in the forest may be used if the GC requirement is enabled (by default) or even use the crappy "universal group caching feature". So you need a DC from your domain to authenticate and that is why a domain is called the authentication boundary (at least for me ;-) )
|||
|||So why don't you agree with the "general - forest is the security boundary - statement"?
|||
|||Jorge
|||
|||________________________________
|||
|||From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
|||Sent: Mon 10/17/2005 11:24 PM
|||To: [email protected]
|||Subject: RE: [ActiveDir] Global Catalog
|||
|||Hmm - I wouldn't 100% call the domain the authentication "boundary".
|||
|||Authentication in a W2k+ network without any mods not to rely on the GC is done - as you said - via a DC of the same domain the account resides in plus any GC of the forest - not necessarily that a GC which resides in the same domain is available but the logon will work.
|||
|||Ulf "I also don't agree with the general 'Forest is the security boundary'-statement" B. Simon-Weidner
|||
||||-----Original Message-----
||||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
||||Sent: Monday, October 17, 2005 6:47 PM
||||To: [email protected]; [email protected]
||||Subject: RE: [ActiveDir] Global Catalog
||||
||||Yes you are correct. The answer is No. A domain within a forest is the authentication boundary. So when all DCs of domain "other.biz" are unavailable the users from "other.biz" will not be able to log on as there is no DC available to authenticate the user at logon and create the access token. During logon a GC is contacted to check if universal group memberships exist for the user account logging on.
||||
||||Jorge
||||
||||________________________________
||||
||||From: [EMAIL PROTECTED] on behalf of Pete
||||Sent: Mon 10/17/2005 5:57 PM
||||To: [email protected]
||||Subject: [ActiveDir] Global Catalog
||||
||||Hi
||||
||||Just a quick and easy question to the profs:
||||
||||Can an AD domain controller of one domain (one.com) with the Global Catalog function enabled somehow process the logon request of a user from a different domain (other.biz), in the case when all domain controllers for that other domain (other.biz) are not reachable?
||||
||||I believe - no.
||||Am I right?
||||
||||Thanks,
||||
||||Pete
||||
||||List info : http://www.activedir.org/List.aspx
||||List FAQ : http://www.activedir.org/ListFAQ.aspx
||||List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
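A defender's check of the logon dependency Jorge and Ulf describe, added here as an example that is not part of the thread: for each domain in the forest it tests whether a DC of that domain is reachable and whether any GC in the forest is reachable, and reports what that means for logons. It assumes the ActiveDirectory PowerShell module is installed, the caller can query the forest, and the standard ports (88 Kerberos, 389 LDAP, 3268 GC LDAP).

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and forest-wide read access; ports 88/389/3268 are the standard AD ports.
Import-Module ActiveDirectory

function Test-DcPorts([string]$HostName, [int[]]$Ports) {
    # A DC counts as reachable only if every port a logon needs answers
    foreach ($p in $Ports) {
        if (-not (Test-NetConnection -ComputerName $HostName -Port $p -InformationLevel Quiet)) {
            return $false
        }
    }
    return $true
}

$forest = Get-ADForest

# A GC from any domain satisfies the universal-group lookup, so test forest-wide once
$reachableGcs = @($forest.GlobalCatalogs | Where-Object { Test-DcPorts $_ @(3268) })

$report = foreach ($domain in $forest.Domains) {
    # All DCs registered for this domain, regardless of site
    $dcs = Get-ADDomainController -Filter * -Server $domain
    $reachableDcs = @($dcs | Where-Object { Test-DcPorts $_.HostName @(88, 389) })

    # Per the thread: a DC of the user's own domain is mandatory; a GC is additionally
    # needed while the GC requirement is in force (the default) and no universal
    # group membership caching is enabled for the site.
    $note = if ($reachableDcs.Count -eq 0) {
        'No DC of this domain reachable: its users cannot log on even though GCs exist'
    } elseif ($reachableGcs.Count -eq 0) {
        'No GC reachable: logon fails unless GC requirement is off or universal group caching is on'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Domain        = $domain
        DcsReachable  = $reachableDcs.Count
        GcsReachable  = $reachableGcs.Count
        LogonPossible = ($reachableDcs.Count -gt 0) -and ($reachableGcs.Count -gt 0)
        Note          = $note
    }
}

$report | Format-Table -AutoSize
```

Run it from a site whose connectivity you want to assess; a domain showing GcsReachable greater than zero but DcsReachable equal to zero is exactly Pete's scenario, and its users will not log on.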
