Auditing DNS Record Entries (or deletions)

I got an unusual request from a customer today.  She is in an environment where everyone is currently a domain admin (not a good thing).  Although they are taking my advice and moving to a least-privileged scenario, things are sometimes slow in federations.  In any event, she suspects that other administrators are deleting DNS…


How does Authentication Work Cross Domain?

A question that comes up frequently with federated customers is how an organization needs to configure its firewalls to allow users in a trusted, but not fully trusted, domain to access its resources.  Consider the following scenario: [WEB RESOURCE]—|—FIREWALL—WAN—FIREWALL—|—[USER 2][DOMAIN CTRL A]–|                               |—[DOMAIN CTRL B] User 2 wants to access a web resource in…


Active Directory LDAP Queries

Active Directory Users and Computers (2003 version) provides a feature called Saved Queries that takes advantage of LDAP queries to find objects in Active Directory that might meet a specific condition.  When I am working with customers, I am often surprised how little use this feature gets, particularly when customers come to me with concerns…


Political Forest and Domain Design

In my work with a large number of federated customers, the unavoidable component of Active Directory design is the age-old question of “How many forests do I need?”  This is simple to define, but challenging to discuss in the board room.  There are three types of forests: enterprise forests, resource forests, and isolated forests.  Every…


ADC Lessons Learned the Hard Way

What happens when a federation, each with its own domain, separated by firewalls within a single forest, attempts to implement the Active Directory Connector in a federated fashion?  The perception was that this deployment model would be more secure, because each department could control their instance of the ADC and firewalls could be left in…


Security Misunderstandings in Federations

What does it mean to have a secure environment?  Is it proper authentication and access controls?  Freedom from viruses and worms?  Availability?  Acceptable disaster recovery?  Freedom from human error?  Data integrity?  I would argue, and I would assume most would agree, that security is all of these things. Why is it then, that federations focus…


The Federation Firewall Boundary

As a specialist by trade in both technology and financial audit, internal control structures and security play an important role in the work that I do.  I came across Steve Riley’s Death of the DMZ over broadband the other day and his thesis really hit home with one who deals in political federations.  For years,…