Re: External trusts between domains are there any risks?



The trust relationship you want is the wrong way round. You are asking the
more secure domain to trust the less secure domain. Let's say they have a
strict policy on password expiry, account deletion, group membership
approval, antivirus, patching etc, and let's say you don't, or they don't
know whether you do or not. Then when they allow your group
"AnyOldUsersWhoMayNotEvenBeHereAnyMoreAndMayHaveGivenTheirPasswordToTheCleaner"
they lose control of access.
When you join the domain, they control the users and computers again.
You could always put the data in your domain and enable the trust the other
way round. Then they won't care at all. As long as the owner of the data
does not mind.
Anthony

"Krusty" <krusty@xxxxxxxxxxxxxxx> wrote in message
news:D86B83F1-F858-4A82-848E-41DDB8FA3542@xxxxxxxxxxxxxxxx
Hi Joe,

Thanks for the Update,

I understand the implications of the trust, but surely if we migrate to the
WIN2K domain the same security issues arise with access to open shares and
applications for authed users?

As both domains are in the same company and we will migrate to a single
domain I don't get why my win2k admins are having a fit over the
share.......

Thanks again...

Krusty

"Joe Richards [MVP]" wrote:

Yeah the W2K trusts you so it is the trusting and yes there are very
possible security issues there. Any shares or applications that are open
to authenticated users or everyone will be open to users from your
domain.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Krusty wrote:
Joe,
Thanks for the Info.

The trust is to allow the NT4 domain users to access limited resources in
the WIN2k domain, this will be file shares on a single server.

So I think that NT4 is the trusted and WIN2k is the trusting (?)

Krusty


"Joe Richards [MVP]" wrote:

Well you don't specify the direction of the trust which makes a
difference but either way there can be information disclosure risks. In
one direction you can enumerate every account/computer a domain has, in
the other you can access file shares and applications that depend on
Windows security that aren't properly secured.

If your plans are to join the W2K domain in the future, you will take
your cues from the admins of the W2K domain, that is how you will get
in. So whatever mechanism they specify is what you will use.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net





Krusty wrote:
Question about using external trusts between domains?

I have a WIN2k and NT4 domains and need to have a one way trust setup
between the two. I am admin on the NT4 domain but not the Win2k domain. The
WIN2k admin refuses to put the trust in place, they say this is due to
security risks but refuse to identify or expand on exactly what these are.
Can anyone enlighten me as to what the security risks are, and if it would
cause issues if we were to migrate the NT4 domain to the Win2K domain in the
near future?

Thanks In advance.
Krusty
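
An added example, not written by anyone in this thread: a PowerShell audit the admins of the trusting domain could run on a file server before a trust goes in, listing every share whose share-level permissions or NTFS ACL grant access to Everyone or Authenticated Users, the two principals the thread names as becoming reachable by users of the trusted domain. It assumes an elevated session on a current Windows Server with the SmbShare module (Windows Server 2012 or later); the function names are hypothetical.

```powershell
# Added example: flag shares that Everyone or Authenticated Users can reach.
# As the thread describes, anything open to these two principals is also
# open to users from a trusted domain once the trust exists.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-AccountSid {
    param([string]$AccountName)
    try {
        $account = New-Object System.Security.Principal.NTAccount($AccountName)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # orphaned or unresolvable entry: cannot be one of the two SIDs
    }
}

function Get-BroadShareAccess {
    # Skip administrative shares (ADMIN$, C$, IPC$).
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Layer 1: share-level permissions, matched by SID so that
        # localized account names do not cause misses.
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            $sid = Resolve-AccountSid $ace.AccountName
            if ("$($ace.AccessControlType)" -eq 'Allow' -and $sid -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'Share'
                                   Principal = $BroadSids[$sid]; Rights = "$($ace.AccessRight)" }
            }
        }
        # Layer 2: NTFS ACL on the shared folder, read back as raw SIDs.
        if (-not $share.Path -or -not (Test-Path -LiteralPath $share.Path)) { continue }
        $rules = (Get-Acl -LiteralPath $share.Path).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'
                                   Principal = $BroadSids[$sid]; Rights = "$($rule.FileSystemRights)" }
            }
        }
    }
}

Get-BroadShareAccess | Sort-Object Share, Layer | Format-Table -AutoSize
```

Effective access over the network is the more restrictive of the two layers, so a share that appears under both `Share` and `NTFS` for the same principal is the one to tighten first.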


