Re: Child Domain
- From: "Robert Moir" <robspamtrap+msnews@xxxxxxxxx>
- Date: Wed, 25 May 2005 09:58:09 +0100
Tim wrote:
> Thanks Robert.
>
> Right now, all student computers log in automatically with a generic
> account.
>
> The plans are to give students a login account (better way to track
> them\disable them) and give them an email address. The main idea was
> to keep the staff and students separated. The child domain was for
> security purposes. Now that you mention it is not secure, that will
> change things.
I wouldn't say that it's insecure, just that it's not a hard "security
boundary"; there remains a chance that a determined and experienced attacker
in one domain could leverage what they have in that domain to mount an
attack on the other domain/the whole forest.
How much of a threat are your students likely to be? The answer to that
question might show that the 2 domain design might be "secure enough". It
might even be "more secure than you need", only you can decide that of
course.
> If you care to volunteer any more info on the subject, I would really
> appreciate this.
Well the stuff on security boundaries is documented in Microsoft's AD design
stuff on their website, so rather than repeat that or drown you in links,
I'll offer up the fact that I too work in education, and have a multi-domain
AD. We've placed all our user accounts, both staff and student, in one
domain, and not had any problems.