Large AD installation with high security!

[G]

Hi everyone,

I am in the process of designing the following: a company has around 20 mini
companies within it. All of them will be given their own domains with their
own email, etc. The also require secure fileserving. I do not want users
from one company to be able to access or even see the contents of the other
shares.

Is this something that can be achieve with AD or do I need to start thinking
about VLans/network fragmentation in order to get this level of security?

Many thanks,

G.

 

[Simon Geary]

In the AD security framework, separate security = separate forests. You
could certainly use permissions and trusts to deny user access but
ultimately if you need different domains to be totally cut off from each
other you need to use a forest for each company. Having said that, AD can
certainly provide enough flexibility to provide security between domains but
you have to decide if the extra administration and design considerations are
worth it. One final remark, never use VLAN's as the sole or main security
feature. VLAN security should be built on top of an existing, secure
infrastructure, it is not intended to be the primary line of defence.

 

[G]

Thanks Simon,

you mention:

Having said that, AD can
certainly provide enough flexibility to provide security between domains but
you have to decide if the extra administration and design considerations are
worth it.


Do you propose an alternative?

G.