Re: External trusts between domains are there any risks?
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 05 Jul 2006 10:52:59 -0400
Exactly.
It really is moot though, if you want to play in the W2K sandbox, you need to follow their rules. I had the same type of setup the last time I did ops for a company, I didn't create any new trusts, if you wanted to use the AD resources, you got accounts created in that environment and started using them. All of the 800 or so trusts that originally existed slowly got weeded out as we got people switched over. The only reason they had trusts was because they were already there when I started cleaning up.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Anthony wrote:
The trust relationship you want is the wrong way round. You are asking the more secure domain to trust the less secure domain. Let's say they have a strict policy on password expiry, account deletion, group membership approval, antivirus, patching etc, and let's say you don't, or they don't know whether you do or not. Then when they allow your group "AnyOldUsersWhoMayNotEvenBeHereAnyMoreAndMayHaveGivenTheirPasswordToTheCleaner" they lose control of access.
When you join the domain, they control the users and computers again.
You could always put the data in your domain and enable the trust the other way round. Then they won't care at all. As long as the owner of the data does not mind.
Anthony
"Krusty" <krusty@xxxxxxxxxxxxxxx> wrote in message news:D86B83F1-F858-4A82-848E-41DDB8FA3542@xxxxxxxxxxxxxxxx
Hi Joe,
Thanks for the Update,
I understand the implications of the trust, but surely if we migrate to the
WIN2K domain the same security issues arise with access to open shares and
applications for authed users?
As both domains are in the same company and we will migrate to a single
domain I don't get why my win2k admins are having a fit over the share.......
Thanks again...
Krusty
"Joe Richards [MVP]" wrote:
Yeah the W2K trusts you so it is the trusting and yes there are very
possible security issues there. Any shares or applications that are open
to authenticated users or everyone will be open to users from your domain.
Krusty wrote:
Joe,
Thanks for the Info.
The trust is to allow the NT4 domain users to access limited resources in
the WIN2k domain, this will be file shares on a single server.
So I think that NT4 is the trusted and WIN2k is the trusting (?)
Krusty
"Joe Richards [MVP]" wrote:
Well you don't specify the direction of the trust which makes a
difference but either way there can be information disclosure risks. In
one direction you can enumerate every account/computer a domain has, in
the other you can access file shares and applications that depend on
Windows security that aren't properly secured.
If your plans are to join the W2K domain in the future, you will take
your cues from the admins of the W2K domain, that is how you will get
in. So whatever mechanism they specify is what you will use.
Krusty wrote:
Question about using external trusts between domains?
I have a WIN2k and NT4 domains and need to have a one way trust setup
between the two. I am admin on the NT4 domain but not the Win2k domain. The
WIN2k admin refuses to put the trust in place, they say this is due to
security risks but refuse to identify or expand on exactly what these are.
Can anyone enlighten me as to what the security risks are, and if it would
cause issues if we were to migrate the NT4 domain to the Win2K domain in the
near future?
Thanks In advance.
Krusty
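
An added example, not part of the original thread: a check the admins of the trusting domain could run on the file server before a trust is created, listing shares whose share-level or NTFS permissions allow Everyone or Authenticated Users, the two principals named above. It assumes a current Windows Server with the SmbShare module (not the W2K-era tooling in the thread) and local administrator rights; the function names `Resolve-Sid` and `Get-BroadShareAccess` are made up for this example.

```powershell
# Added example: find shares that become reachable by trusted-domain users
# because they allow Everyone or Authenticated Users.
# Matching is done on well-known SIDs so localized account names still match.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

function Resolve-Sid {
    param([string]$Account)
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # orphaned or unresolvable account: not one of the broad groups
    }
}

function Get-BroadShareAccess {
    # Skip administrative shares (C$, ADMIN$, IPC$).
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        # Layer 1: share-level permissions.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = Resolve-Sid $ace.AccountName
            if ($sid -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'Share'
                    Principal = $BroadSids[$sid]; Rights = "$($ace.AccessRight)" }
            }
        }
        # Layer 2: NTFS permissions on the share root (subfolders can differ).
        if (-not $share.Path) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = Resolve-Sid $ace.IdentityReference.Value
            if ($sid -and $BroadSids.ContainsKey($sid)) {
                [pscustomobject]@{ Share = $share.Name; Layer = 'NTFS'
                    Principal = $BroadSids[$sid]; Rights = "$($ace.FileSystemRights)" }
            }
        }
    }
}

# Effective access over SMB is the intersection of both layers, so a share
# listed under both 'Share' and 'NTFS' is the one to fix first.
Get-BroadShareAccess | Sort-Object Share, Layer | Format-Table -AutoSize
```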