Access to Trusted Domain Resources and Scanning

Bo

Physical environment:
I want to set up a trust with our client networks at their physical location
(Not a WAN connection.) Their domains will be either using 2000 mixed or
2003 domain controllers on the trusted side. Our domain is 2003 Server.

Objective:
I want to basically deny any user including domain admin any opportunity to
change any configuration on any device in my domain, while allowing access to
use our resources and scan our network machines for current Microsoft and
antivirus patches.

Is this possible with a domain trust, and what kind of trust should I use
other than a one-way trust?

Thank you in advance for your assistance.

Bo
 
Ace Fekay [Microsoft Certified Trainer]

Well, a one-way trust, where you trust their domain to allow them into your
domain, is required; you can then specifically delegate tasks to an account
in their domain. With such a one-way trust, where you are trusting their
domain, they can only get into your domain, and not vice versa.

As for connectivity, how are the two domains connected? Is there a VPN? If
across the internet, it will be difficult without opening up 29+ ports. I
suggest a VPN or domain communications will fail.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(e-mail address removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
 
Bo

Ace,
Thanks for the reply, sorry I was not clear. My domain will be installed on
their network at their facility, i.e., I will install my machines in their
building / departments and my domain controller in their server room. I will
trust them and give them access to my services. I would also like to give
the Domain Admins, at the minimum, permissions to scan only for current
Microsoft and antivirus patches. If possible I would also like to allow them
to look at machine configs like system info, registry settings and OU
settings, but not be able to manage or change these settings in any way.

Bo
 
Ace Fekay [Microsoft Certified Trainer]

Bo,

I see. I assume your DC will not be a DC that is part of your office network
that is installed in some other location, such as your office, and this DC
is a standalone in its own forest.

To minimize such permissions would entail using the local groups on the DC
and other servers that you are allowing them read access to. As for
changing settings, such as the registry, that requires elevation to
administrative permissions. I would at least add their Domain Admins group to
your domain's local Users group. This will give them read access for
starters. After that you have to decide which servers to allow them access to
and at what levels of rights, and you would do that in a DC's Local Domain
Controller Policy (in Admin Tools, Start menu) and in each machine's Local
Policy.

Ace
 
Bo

Ace,
Sorry to belabor this point, but I haven't had to lock down a system like
this before, and I do not have the time to build a test case yet. Anyway, it
sounds like even with a trust, I would need to give the Domain Admins
administrator-level access to scan using MBSA or other tools, correct? Once
they have administrator access to any machine they can in effect change
configurations on that machine, correct again?

Thank you for your time and patience.

Bo
 
Ace Fekay [Microsoft Certified Trainer]

Hi Bo,

Yes, if you give them Domain Admin access they can do anything. It is
difficult and tedious, although not impossible, if you keep them out of
Domain Admins and limit their permissions and rights.

Ace
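The two points Ace makes above (grant the trusted domain's group only local
Users membership for read access, and keep it out of anything that confers
administrative rights, because an administrator can change any setting on
that machine) are easy to state and easy to violate by accident on one box.
Below is an added example, not code from the original thread, that audits the
local Administrators group on each machine in the trusting domain and flags
any principal that comes from the trusted client domain. The host names and
the NetBIOS domain name CLIENTDOM are assumptions. It uses the WinNT ADSI
provider rather than WinRM so that it also works against Windows 2000/2003
members:

```powershell
# Added example (not from the original thread): audit local Administrators on
# the machines in the trusting domain and flag members from the trusted domain.
param(
    [string[]]$Computers   = @('WS01', 'WS02', 'SRV01'),  # assumed host names
    [string]$TrustedDomain = 'CLIENTDOM'                  # assumed NetBIOS name of the trusted (client) domain
)

function Get-LocalGroupMembersViaAdsi {
    param([string]$Computer, [string]$Group)
    # The WinNT provider talks to the SAM over RPC, so it works on 2000/2003 members.
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $grp.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN-or-HOST/Name; normalise it to DOMAIN\Name.
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

$report = foreach ($c in $Computers) {
    try {
        $admins = Get-LocalGroupMembersViaAdsi -Computer $c -Group 'Administrators'
    } catch {
        Write-Warning "Could not query $c : $($_.Exception.Message)"
        continue
    }
    foreach ($member in $admins) {
        [pscustomobject]@{
            Computer  = $c
            Member    = $member
            # Any trusted-domain principal in local Administrators defeats the
            # read-only objective: an administrator can change anything on that host.
            FromTrust = $member -like "$TrustedDomain\*"
        }
    }
}

$report | Sort-Object FromTrust -Descending | Format-Table -AutoSize

$violations = @($report | Where-Object { $_.FromTrust })
if ($violations.Count -gt 0) {
    $hosts = ($violations | ForEach-Object { $_.Computer } | Sort-Object -Unique) -join ', '
    Write-Warning "$($violations.Count) trusted-domain principal(s) hold local Administrators on: $hosts"
}
```

Run it from a machine in the trusting domain with an account that can read the
SAM of the target hosts. The read-only grant Ace describes is the separate,
deliberate step (for example `net localgroup Users "CLIENTDOM\Domain Admins" /add`
on each host); this script only tells you where that line has been crossed.
As Bo notes, a tool such as MBSA still needs administrative access to the
target, so anything it can scan it can also change, which is the trade-off the
thread ends on.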
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top