Forest Trust, Windows 2008 R2
Posted 7/7/2011 4:03:10 PM
Forum Newbie


Group: Forum Members
Last Login: 7/6/2011 5:48:56 AM
Posts: 1, Visits: 0
I got a scenario whereby we have contracted a company to create certain applications for us. The application will fully reside on our site with no connection to the outside world at all. The company wants to create the applications on their own (new) domain (which again lives on our site), but they have requested a mutual (forest) trust with our existing domain for the purpose of using single sign-on and to have only one Active Directory (the one on our existing domain), thereby avoiding having multiple Active Directories. Servers on both domains are running Windows 2008 R2. The company has requested a standard LDAP user account with no admin rights.
 
My question is, given the scenario above and that we are dealing with a reputable company, what are the security risks on our existing domain or Active Directories from the new domain created by the contracted company?


Will the LDAP account they have requested be able to do any admin stuff or hack into our Active Directory or anything else on our domain?


What are the precautions we need to take in order to avoid any harm (intentional or not) on our domain?
If the dangers are still great and you would not recommend the mutual trust, what are the alternatives in order to avoid extra admin work?

Post #753
Posted 7/8/2011 11:35:32 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
These are great questions.

what are the security risks on our existing domain or active directories from the new domain created by the contracted company?

The risk of trusting another domain outside your forest is this: What objects in your domain have you granted access to users from the trusted domain? What objects have you granted Everyone or Authenticated Users access to, because those groups now include everyone from that trusted domain? Whatever your answer to those questions is, it is now exposed to rogue admins of the trusted domain, or to any bad guy who gets admin authority in the trusted domain or compromises one of the users in that domain to whom you've granted access, either through a group, individually, or as a result of Everyone and Authenticated Users.

Will the LDAP account they have requested be able to do any admin stuff or hack into our active directory or anything else on our domain?

There's no such thing as an LDAP account per se. Every account in AD has LDAP access to AD, subject to AD object permissions, which are pretty open as far as read access. Anyway, the answer: not unless you make that account a member of one of the administrator or operator groups or delegate some type of admin authority to it. If you just create a user account and don't add it to any group, it will just have read access to the public info in AD.


What are the precautions we need to take in order to avoid any harm (intentional or not) on our domain? If the dangers are still great and you would not recommend the mutual trust, what are the alternatives in order to avoid extra admin work?

See the previous paragraph. Otherwise, a one-way trust where the new app's domain trusts your domain, or the new app's forest trusts your forest, but not vice versa. That allows users in your domain/forest to be granted access, including admin authority, in the new app's domain but not vice versa, and eliminates the risks outlined above.

And make sure this new app is in a different forest, not a new domain in the same forest. Domains in the same forest don't provide any security boundary between each other. The forest is the security boundary.

Post #763
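The two checks the answer above implies, as an added example that is not part of the forum thread: first, list every trust object in the local domain with its direction (so an "outbound" or "bidirectional" entry toward the contractor's domain stands out, since that is the direction that lets their principals into your resources), and second, walk an OU and report ACEs granted to Everyone, Authenticated Users, or any principal from another domain. It assumes the ActiveDirectory PowerShell module (RSAT, available on 2008 R2) and reads the trustedDomain and nTSecurityDescriptor attributes directly rather than using newer cmdlets such as Get-ADTrust, which 2008 R2 lacks. The trustDirection and trustAttributes bit meanings are taken from the MS-ADTS documentation; the foreign-principal heuristic (anything resolving to a NetBIOS prefix other than your own, or an unresolved S-1-5-21 SID) is an assumption chosen for this example.

```powershell
# Added example for the thread above, not the forum's or Microsoft's own code.
# Requires the ActiveDirectory module; run as a user that can read the domain.
Import-Module ActiveDirectory

# trustDirection on a trustedDomain object (MS-ADTS):
#   1 = Inbound  : the partner trusts us (our users can reach their resources)
#   2 = Outbound : we trust the partner (their users can reach OUR resources)
#   3 = Bidirectional
# trustAttributes bits: 0x8 = forest trust, 0x4 = SID filtering (quarantine) on.
function Get-TrustInventory {
    $dirs = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties trustPartner, trustDirection, trustAttributes |
      ForEach-Object {
        # New-Object keeps this runnable on PowerShell 2.0 (2008 R2 default).
        New-Object PSObject -Property @{
            Partner      = $_.trustPartner
            Direction    = $dirs[[int]$_.trustDirection]
            ForestTrust  = [bool]([int]$_.trustAttributes -band 0x8)
            SidFiltering = [bool]([int]$_.trustAttributes -band 0x4)
        }
      }
}

# Report ACEs under $SearchBase that reach beyond your own domain's principals.
# $LocalDomainNetbios is your domain's NetBIOS name, e.g. (Get-ADDomain).NetBIOSName.
function Find-ExposedAces {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$LocalDomainNetbios
    )
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users')

    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(objectClass=*)' `
        -Properties nTSecurityDescriptor |
      ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($ace in $_.nTSecurityDescriptor.Access) {
            $who = $ace.IdentityReference.Value
            # Assumed heuristic: an unresolved domain SID, or a DOMAIN\name whose
            # prefix is neither a well-known authority nor our own domain, is foreign.
            $isForeign = ($who -match '^S-1-5-21-') -or
                         (($who -match '\\') -and
                          ($who -notmatch ('^(NT AUTHORITY|BUILTIN|NT SERVICE|' +
                                           [regex]::Escape($LocalDomainNetbios) + ')\\')))
            if (($broad -contains $who) -or $isForeign) {
                New-Object PSObject -Property @{
                    Object    = $dn
                    Principal = $who
                    Rights    = $ace.ActiveDirectoryRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
      }
}

# Usage: review trust direction first, then audit a scoped OU (the whole domain
# works too, but is slow on large directories).
Get-TrustInventory | Format-Table Partner, Direction, ForestTrust, SidFiltering -AutoSize

$domain = Get-ADDomain
Find-ExposedAces -SearchBase $domain.DistinguishedName -LocalDomainNetbios $domain.NetBIOSName |
    Where-Object { $_.Type -eq 'Allow' -and -not $_.Inherited } |
    Format-Table Object, Principal, Rights -AutoSize
```

Read the trust table in the direction the answer describes: from your domain's point of view, a contractor domain that only appears as Inbound cannot place its principals into your ACLs at all, and SidFiltering should be true on any trust you do keep. In the ACE report, an Everyone or Authenticated Users "Allow" on anything beyond the default read permissions is exactly the exposure the answer warns about, since those groups expand to include every user in an outbound-trusted domain; the inherited-ACE filter is there to surface the explicit grants first, and can be dropped for a full listing.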