Re: Forest Trusts are backwards?

From: Scott Davis (sdavis_at_esctech.ca)
Date: 09/26/04


Date: Sun, 26 Sep 2004 12:47:10 -0400

Before we expound on the use of the word "trust" -- is opening up enough
ports to make the trust work intelligent..?

A DMZ is supposed to pass no security-related data back and forth from
the "corporate" LAN, in best practice.

I suggest that you might want to reconsider making a trust between the
DMZ and corporate security authorities in the first place..

.. because in my opinion, you're reducing the DMZ to just any other
subnet in this setup.

Sure, you can call it a DMZ and it'll make the VPs of technology at your
org happy -- but it's a false sense of security.

You're destroying the purpose and function of the DMZ, which is more
important than worrying about the semantics of which way "trust" goes, eh?

-- Scott.

Spin wrote:

> Gurus,
>
> Given two Windows Server 2003 forests.
>
> I originally created Forest A.
> Then I created Forest B, which sits in a DMZ.
> Both forests are in the same network infrastructure.
>
> I want Forest B in the DMZ to trust my original Forest A, but do not want
> Forest A to trust Forest B in case Forest B gets compromised.
>
> I created what I thought was correct, a one-way outgoing trust from Forest B
> pointing to Forest A. In Forest B, at the CTRL+ALT+DEL logon box, I have the
> option to log into either Forest A or B. In Forest A, I only have the
> option to log into Forest A.
>
> Question #1) Shouldn't this be the other way around? In my situation B
> trusts A and I can log into either A or B from any computer in Forest B.
> At any computer in Forest A, I can only log into Forest A.
> Question #2) In Forest B, once I make a connection to any computer in Forest
> A and specify a username and password, all subsequent connections to that
> computer do not prompt for a username and password. I do not want this
> behavior. I heard this was due to Credential Manager but I looked that up
> and it seems to apply only to Windows XP. Can some expert please un-confuse
> me?
>
> --
> Regards,
> Spin
>

-- 
====================================================
Scott Davis,		45 Dunfield Av, Unit 2117
Self-Employed		Toronto, ON, Canada, M4S 2H4
Tech Consultant		Mobile. (416) 432-4334
The IP addrs I use to post all UseNet:
66.207.215.240/29
====================================================
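The confusion in Spin's Question #1 is about what "B trusts A" means, and Scott's objection is about what that trust exposes. The following model, added here as an illustration and not code from either poster or from Microsoft, encodes the rule that the *trusting* forest honours accounts from the *trusted* forest, and uses it to reproduce what Spin saw at the logon box and to report which forest's accounts each side ends up accepting. Forest names "A" and "B" are taken from the question; everything else (the Trust type, the function names, the scenario lists) is an assumption of the example. It deliberately ignores selective authentication, SID filtering and the DC-to-DC ports that Scott points out the trust needs, so it describes the trust relationship itself, not the whole network path.

```python
"""Model of one-way vs two-way forest trust direction (added example, not from the thread).

A trust has a *trusting* side (the forest whose resources are opened up) and a
*trusted* side (the forest whose accounts are accepted). "B trusts A" therefore
means A's accounts can authenticate to B's resources, never the reverse. In the
AD Domains and Trusts console the same trust shows as "outgoing" in B and
"incoming" in A, which is exactly what Spin created.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str  # forest that accepts the other side's accounts (resource side)
    trusted: str   # forest whose accounts are accepted (account side)


def two_way(forest_x, forest_y):
    """A two-way trust is simply two one-way trusts, one in each direction."""
    return [Trust(trusting=forest_x, trusted=forest_y),
            Trust(trusting=forest_y, trusted=forest_x)]


def trust_direction_from(forest, trust):
    """How the console in `forest` labels this trust: outgoing, incoming, or None."""
    if trust.trusting == forest:
        return "outgoing"
    if trust.trusted == forest:
        return "incoming"
    return None


def can_authenticate(account_forest, resource_forest, trusts):
    """Can an account from `account_forest` authenticate to a resource in `resource_forest`?"""
    if account_forest == resource_forest:
        return True
    return any(t.trusting == resource_forest and t.trusted == account_forest
               for t in trusts)


def forests_accepted_at_logon(forest, trusts):
    """Forests offered in the 'Log on to' box of a machine joined to `forest`:
    the forest itself plus every forest it trusts (its outgoing trusts)."""
    return {forest} | {t.trusted for t in trusts if t.trusting == forest}


def exposure_report(trusts):
    """For every forest, the other forests whose accounts it honours.

    Defensive reading: if any listed forest's accounts are compromised, the
    attacker can authenticate to this forest's resources through the trust."""
    forests = {f for t in trusts for f in (t.trusting, t.trusted)}
    return {f: sorted(forests_accepted_at_logon(f, trusts) - {f})
            for f in sorted(forests)}


# Constructed scenario from the question: B (DMZ) trusts A (corporate), one way only.
SPIN_TRUSTS = [Trust(trusting="B", trusted="A")]

if __name__ == "__main__":
    for forest in ("A", "B"):
        print(f"Logon box in forest {forest}:",
              sorted(forests_accepted_at_logon(forest, SPIN_TRUSTS)))
    print("A account -> B resource:", can_authenticate("A", "B", SPIN_TRUSTS))
    print("B account -> A resource:", can_authenticate("B", "A", SPIN_TRUSTS))
    print("One-way exposure:", exposure_report(SPIN_TRUSTS))
    print("Two-way exposure:", exposure_report(two_way("A", "B")))
```

Run as a script, the one-way scenario shows forest B offering both A and B at logon while forest A offers only A, which is the behaviour Spin reported and is the correct result for "B trusts A". The exposure report makes Scott's point in the same terms: with the one-way trust, a compromise of B's accounts does not reach A through the trust, but the DMZ forest now accepts every corporate account, and the two-way variant exposes both sides.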

