Re: AD Domain Trust is unsafe!
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 9 May 2008 09:11:27 -0500
I will say that ADFS IS a good solution for doing some types of integration
across security realm boundaries, but currently it only supports web
applications, so it cannot be used to satisfy all situations. It is also
more effort to set up than a simple trust.
SharePoint does support ADFS well, but there would be additional complexity
with getting SharePoint integrated with ADFS if all of the other forests
using it now are already integrated via Windows security.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23%23kpuSdsIHA.420@xxxxxxxxxxxxxxxxxxxxxxx
Security boundaries are defined by the AD forest; once a trust is established there are certain inherent risks. I don't know what you folks are trying to protect from one another, nor understand your topology. It would be hard for anyone w/o understanding your enterprise to be able to tell you whether or not you are taking risks with the trust. I don't believe the company is concerned about external people gaining access to your system, but the largest source of risk to companies is actually internal hacking. I do believe, though, that if there is a one-way trust where you are trusting them, their risk is very minimal.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"BBNBQ" <BBNBQ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5F97668C-FBC6-4880-A180-2010D40825EC@xxxxxxxxxxxxxxxx
Hi.
We are facing a situation with a particular subsidiary company. We have a sort of a resource forest with a centralized SharePoint server. We requested each subsidiary to create a one-way AD trust with the resource forest in order to authenticate their users on the site.
All but one subsidiary is giving us problems. Mostly because they semi-outsource many aspects of their IT operations including security, and the outsourcing company is worried about any breaches that it might be accountable for.
The main concern, it seems, is with opening the RPC ports; but all we need is for them to open up one of their domain controllers to the resource forest DCs and some servers and apply a registry setting that fixes the AD RPC port.
Still, they won't budge and instead had us implement ADFS.
We have implemented ADFS OK and they can authenticate, but we are having issues with ADFS and MOSS user profiles. And I would like them to get on board with the AD trust.
In their recent response, they claim:
1- ADFS is the worldwide accepted method for connecting companies to exchange information over the Internet.
** But we have a private link that doesn't go through the Internet and is protected by firewalls!
2- They claim their security policy does not allow using AD trust because it is not safe and can facilitate the hacking of their data?!!
3- They also claim that Microsoft recommended we standardize on ADFS for authenticating all of our subsidiaries instead of AD trust!! (I will have to investigate with the local MS reps)
So, my question is, if we are all companies under the same umbrella and a reasonable amount of trust/security policies can be agreed on, then would an AD trust (one-way at that!!) be considered that unsafe?
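The "registry setting that fixes the AD RPC port" and the scoped opening of one subsidiary DC to the resource-forest DCs, which the original poster describes above, as an added worked example. This is not code from the thread or from either poster; it is what an administrator on the subsidiary side would run to pin the two RPC endpoints to fixed ports, admit only the resource-forest DCs on those ports, and then check that the trust object really is the one-way, SID-filtered trust the thread talks about. The port numbers, forest name and addresses are assumptions; the firewall cmdlets assume Windows Server 2012 or later.

```powershell
# Added example, not from the thread. Run on the subsidiary DC that is to be
# exposed, as a domain admin, and reboot afterwards so NTDS and Netlogon pick
# up the new ports. All port numbers, names and addresses below are assumptions.

$NtdsPort       = 38901                       # assumed fixed port for the NTDS RPC endpoint
$NetlogonPort   = 38902                       # assumed fixed port for the Netlogon RPC endpoint
$ResourceForest = 'resource.example'          # assumed DNS name of the trusting (resource) forest
$ResourceDCs    = @('10.1.0.10', '10.1.0.11') # assumed addresses of the resource-forest DCs

# 1. Fix the NTDS RPC port (value name 'TCP/IP Port', REG_DWORD). Without this
#    the endpoint mapper hands out a port from the dynamic RPC range, which is
#    what forces the "open all the RPC ports" rule the outsourcer objects to.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                 -Name 'TCP/IP Port' -Type DWord -Value $NtdsPort

# 2. Fix the Netlogon RPC port (value name 'DCTcpipPort', REG_DWORD); the
#    trust's secure channel and pass-through authentication use this endpoint.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                 -Name 'DCTcpipPort' -Type DWord -Value $NetlogonPort

# 3. Admit only the resource-forest DCs, and only on the ports the trust needs:
#    endpoint mapper (135), the two fixed RPC ports, Kerberos (88), LDAP (389),
#    SMB (445) and DNS (53). Adjust the list if your trust also needs LDAPS or GC.
New-NetFirewallRule -DisplayName "AD trust from $ResourceForest (TCP)" `
    -Direction Inbound -Profile Domain -Action Allow -Protocol TCP `
    -LocalPort @(135, $NtdsPort, $NetlogonPort, 88, 389, 445, 53) `
    -RemoteAddress $ResourceDCs | Out-Null
New-NetFirewallRule -DisplayName "AD trust from $ResourceForest (UDP)" `
    -Direction Inbound -Profile Domain -Action Allow -Protocol UDP `
    -LocalPort @(88, 53) -RemoteAddress $ResourceDCs | Out-Null

# 4. After the reboot, confirm the values stuck and look at the trust from this
#    side. For the one-way trust in the thread the resource forest trusts the
#    subsidiary, so on the subsidiary DC the trust object should show
#    Direction = Inbound (never Outbound or BiDirectional), and SID filtering
#    should be on so that SIDs from the other forest cannot be injected into
#    tokens here.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'     -Name 'TCP/IP Port'
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -Name 'DCTcpipPort'

Import-Module ActiveDirectory
Get-ADTrust -Filter "Name -eq '$ResourceForest'" |
    Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
```

The two registry values and the scoped firewall rule are the whole of what the original poster was asking the subsidiary to do; the final Get-ADTrust output is the check that makes Paul's point concrete, since an Inbound-only, SID-filtered trust on the subsidiary side means the resource forest is the one extending trust and the subsidiary's own forest accepts no authentication from it. Whether that residual exposure fits the outsourcer's policy is the question the thread is actually about.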