Re: Security in AD
- From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
- Date: Mon, 5 Feb 2007 15:58:51 -0000
> From a security point of view, what do I need to consider if I have a number
> of external companies using a shared AD? I assume they'll go into
> separate OUs, but what security do I need in place to stop them viewing
> anything they shouldn't?
You don't really want to do this. AD isn't designed to run multiple private
infrastructures. Also a given machine can only be a member of one domain,
so adding managed servers to this management domain will remove them from
their actual domain. This isn't a good idea.
> From a networking point of view, is there anything I can do to stop the huge
> number of ports needed between a server and a domain controller?
Yes, you can use end-to-end IPSec, which means that all traffic is
encapsulated in an IPSec packet. This brings its own problems however, as
you cannot inspect those packets.
> What attacks can happen using these open ports?
> What tools available exploit these open ports?
That depends. Basically, having all those ports open is like being on a
LAN. The attacks are limited to what an attacker could do if he/she were
on your LAN. There's all kinds of stuff the attacker could do.
> How do you guys go about hardening your AD infrastructure?
That's different. We do this for our own infrastructure, which is a
completely different set of requirements.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
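The end-to-end IPsec approach described in the reply above, shown as an added example that is not part of the original thread or of any project's code. It assumes the Windows Firewall with Advanced Security cmdlets (NetSecurity module, Windows Server 2012 / Windows 8 or later; the 2007-era equivalent was an IPsec policy pushed via Group Policy or `netsh ipsec`). The domain controller addresses are constructed placeholders, and the rule deliberately uses ESP with null encryption (integrity only) so the traffic stays inspectable, which addresses the caveat in the reply; switch the encryption algorithm on if confidentiality on the wire matters more than inspection.

```powershell
# Added example, not from the original post. Requires the NetSecurity module
# (Windows Server 2012 / Windows 8 or later) and an elevated prompt.
# Run on the member server; a matching rule must exist on the domain controllers.

# Constructed sample addresses (TEST-NET-1); replace with your DC subnet or hosts.
$DomainControllers = @('192.0.2.10', '192.0.2.11')

# Phase 1 (main mode) authentication: machine Kerberos, so only domain-joined
# hosts can negotiate a security association with the DCs in the first place.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'DC traffic - Kerberos machine auth' `
    -Proposal $authProposal

# Phase 2 (quick mode) crypto: ESP with integrity only (Encryption None).
# The payload stays visible to IDS/packet capture while the sender is still
# authenticated and the packet integrity-protected. Use -Encryption AES256
# instead if you want the traffic encrypted and accept losing inspection.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA256 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'DC traffic - ESP integrity only' `
    -Proposal $qmProposal

# Connection security rule covering all traffic to the DCs, regardless of port.
# Inbound is required; outbound is only requested at first so the server keeps
# working while you confirm SAs form. Change -OutboundSecurity to Require once
# the DC side is confirmed, otherwise the server loses its own DC connectivity.
New-NetIPsecRule -DisplayName 'IPsec to domain controllers' `
    -RemoteAddress $DomainControllers `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name `
    -Mode Transport -Profile Domain

# Verification after the next DC contact (e.g. a gpupdate): main-mode SAs to
# the DCs should now be listed. An empty result means IPsec is not negotiating.
Get-NetIPsecMainModeSA |
    Where-Object { $_.RemoteEndpoint -in $DomainControllers } |
    Select-Object LocalEndpoint, RemoteEndpoint
```

The firewall filter is still needed on top of this: the connection security rule only decides who may talk to the DC and whether the packets are authenticated; it does not by itself close the RPC, LDAP, SMB and Kerberos ports the reply mentions, it just makes them unreachable to anything that cannot complete a Kerberos machine authentication.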