RE: Active Directory network security

You might try having a master domain with a series of OU's inside that domain. Those OU's could be set with their own varying levels of security but are ultimately governed and can be controlled by the top level administrative policies. This would allow the top level AD domain to be in control while your former NT domains would now be represented by OU's that the former local administrators would be able to set policy for but not impact the upper level domain. Just a thought.

-Tim

-----Original Message-----

From: RGN [mailto:norman.r@btclick.com] Sent: Tuesday, November 05, 2002 6:01 AM To: focus-ms@securityfocus.com
Subject: Active Directory network security

Hello, all

I am currently involved in a migration project where a number of NT4 domains are to be migrated into an enterprise-wide Active Directory forest comprising numerous domains. There is no 'IT Department' which has jurisdiction over all the domains so a huge variation of security standards is experienced.

To counter the risks posed by the less secure areas, the organisation I work for has placed firewalls at our interfaces with the other sections of the enterprise. These firewalls will have to be weakened or removed completely to facilitate the proposed migration and I am concerned that this may open the network up to security problems experienced in the areas with less emphasis on security.

Does anyone have any experience of such a situation? Is it as bad as I fear, or is Microsoft A/D secure? Are there are documented cases of this type of migration going wrong due to security being overlooked?

For example, could a compromised workstation in a remote site affect the workstations or servers in another domain? If so, what can be done to limit the exposure?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Are there any other things to avoid or to be aware of?

Any help will be gratefully received.

Thanks

Regards

    Richard Received on Thu Nov 14 09:03:53 2002