OU Security - best setup?

LukeF

Hi all and thanks in advance. I will explain my situation
and what I'm trying to do.

Current setup

1. Windows 2000 domain (domain.local)
2. Three OUs that represent three different companies (let's call
them A, B and C)

Now, these three companies are all part of the same group and
therefore share resources (IT costs etc.), but the companies
are totally different organisations and therefore we need
to nail down the security for each company.

We would like to do the following:

- Each OU can only access its own servers
- When browsing in Network Neighbourhood they can only see
computers in their respective OU

What would be the best way to secure the OUs so people
can only access resources in the company they work for?

Regards,

Luke F

Steven L Umbach

Ideally, for best security for each company and to restrict what users can
"see", each company should be on its own subnet and in its own forest
to accomplish what you want to do. In a single forest the administrators in
the root domain can access anything in the forest by putting themselves in
the enterprise administrator group. Of course that would require more domain
controllers - at least two for each domain is recommended.

If you insist on using an OU for each company, you cannot restrict what a
user will see in My Network Places, as NetBIOS name resolution and the
browser service are totally different and foreign from the AD OU concept.
The master browser, which will by default be the PDC FSMO role holder, will
build a list for the whole domain. It is possible to restrict users to see
only what is in their OU if you have disabled NetBIOS over TCP/IP in the
domain and are using only AD to locate domain resources. A user will not be
able to see another OU if he does not have read permissions to that OU.
However, disabling NetBIOS over TCP/IP is still not practical nor desirable
for most networks, and ALL applications must not rely on NetBIOS over TCP/IP
before disabling it.

You can, however, restrict actual access to servers in an OU to certain groups
of regular users. You do that by configuring a GPO for that OU and then
configuring the user rights assignments for "Log on locally" and "Access this
computer from the network" to only include authorized groups, such as the users
for each company put into a security group. In addition, configure share/NTFS
permissions to only have users from the appropriate company security group.
IPsec policies can also be configured to restrict which computers can
communicate with each other, though domain controllers need to be exempt
from any IPsec negotiation policy via their IP addresses. --- Steve
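The three controls Steve describes for a member server (a per-company security group, the two logon user rights, and share/NTFS permissions) as one worked script. This is an added example, not code from the thread or from Microsoft: it assumes the RSAT ActiveDirectory module and a file server running Windows Server 2012 or later (the thread's Windows 2000 domain predates these cmdlets), and the names "CompanyA-Users", "D:\Shares\CompanyA" and "OU=A,DC=domain,DC=local" are illustrative. The user rights are applied with a local security template via secedit; the same [Privilege Rights] section is what a GPO for the OU writes into its GptTmpl.inf.

```powershell
# Added example (not from the thread). Run elevated on the company A member server.
Import-Module ActiveDirectory

$company   = 'A'                                   # assumed company label
$groupName = "Company$company-Users"               # assumed group name
$sharePath = "D:\Shares\Company$company"           # assumed share path
$netbios   = (Get-ADDomain).NetBIOSName            # e.g. DOMAIN for domain.local

# 1. Security group holding the company's users (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "OU=$company,DC=domain,DC=local"
}
$groupSid = (Get-ADGroup $groupName).SID.Value

# 2. User rights: only Administrators (S-1-5-32-544) and the company group may
#    log on locally or over the network. Always keep Administrators in both
#    rights or you lock yourself out; never apply this template to a domain
#    controller, which needs additional principals for network logon.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*$groupSid
SeNetworkLogonRight = *S-1-5-32-544,*$groupSid
"@
$infPath = Join-Path $env:TEMP 'company-rights.inf'
$inf | Set-Content -Path $infPath -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'company-rights.sdb') /cfg $infPath /areas USER_RIGHTS /quiet

# 3a. NTFS: break inheritance, then allow only SYSTEM, Administrators and the group.
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
$acl = Get-Acl $sharePath
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($entry in @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = "$netbios\$groupName";    Rights = 'Modify' }
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, $inherit, 'None', 'Allow')))
}
Set-Acl -Path $sharePath -AclObject $acl

# 3b. Share permissions: the company group and Administrators only; Everyone is
#     deliberately not granted, so NTFS and share permissions agree.
if (-not (Get-SmbShare -Name "Company$company" -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name "Company$company" -Path $sharePath `
        -ChangeAccess "$netbios\$groupName" -FullAccess 'BUILTIN\Administrators'
}

# Verify: export the effective user rights and list the resulting NTFS ACL.
secedit /export /cfg (Join-Path $env:TEMP 'verify.inf') /areas USER_RIGHTS /quiet
Select-String -Path (Join-Path $env:TEMP 'verify.inf') -Pattern 'SeInteractiveLogonRight|SeNetworkLogonRight'
(Get-Acl $sharePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Test from a workstation as a company B user before relying on it: a mapped drive to \\server\CompanyA should fail at the SMB session with a logon-right error even before share permissions are evaluated, which is the check that the user rights, not just the ACLs, are doing the work.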

Guest

Steve,

thanks heaps for the information - greatly appreciated. Is
there anything else I should configure to ensure each
company retains its privacy?

Steven L Umbach

Well, "ensure privacy" will be hard to do on a single domain. I would however
configure the Domain Security Policy to use password complexity, as poor passwords are
still the biggest problem to securing resources. Also consider an account lockout
policy with a lockout threshold of no less than ten bad attempts and perhaps a twenty
minute lockout period to help deter hack attempts from within the domain. Enabling
auditing of account logon events, account management, and policy change on domain
controllers and logon events on servers is a great idea, so that the security log in
Event Viewer can be reviewed for attempts of unauthorized access. If there is any
data on any server [other than a domain controller] that you do not want "sniffed"
off of the network, consider implementing IPsec policies. Only Windows 2000/2003/XP
Pro computers however can use IPsec, and domain controllers must be exempt from IPsec
communications with domain members. The links below on IPsec may be helpful if
interested. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
http://support.microsoft.com/?kbid=254949
http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- tips on
auditing
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch02.mspx --- tips on
domain account/password policy
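The password complexity, lockout and auditing settings from the post above, followed by the review of the security log that those settings exist to make possible. This is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module and a domain controller running Windows Server 2008 R2 or later: auditpol and event IDs 4625 (failed logon) and 4740 (account locked out) do not exist on the Windows 2000 DCs in the original thread, whose equivalents were three-digit IDs such as 529 and 644. The domain name is the thread's "domain.local"; the thresholds are Steve's ten attempts and twenty minutes.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
Import-Module ActiveDirectory

# 1. Password complexity plus account lockout: ten bad attempts, twenty-minute
#    lockout, twenty-minute counter reset. Minimum length and history are assumptions.
Set-ADDefaultDomainPasswordPolicy -Identity 'domain.local' `
    -ComplexityEnabled $true -MinPasswordLength 12 -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 20) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20)

# 2. Auditing on the DC: account logon, account management and policy change,
#    plus logon/logoff so failed and successful logons are written to the Security log.
foreach ($category in 'Account Logon', 'Account Management', 'Policy Change', 'Logon/Logoff') {
    auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
}

# 3. Review: failed logons (4625) and lockouts (4740) in the last N hours, grouped
#    per account, so repeated guessing from inside the domain stands out.
function Get-SuspiciousLogonActivity {
    param([int]$Hours = 24, [int]$FailureThreshold = 5)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $since } `
                  -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $data['TargetUserName']
            # 4625 carries the source IP; 4740 carries the caller computer name.
            Source  = if ($_.Id -eq 4625) { $data['IpAddress'] } else { $data['TargetDomainName'] }
        }
    } | Group-Object Account | Where-Object {
        $_.Count -ge $FailureThreshold -or ($_.Group | Where-Object Id -eq 4740)
    } | ForEach-Object {
        [pscustomobject]@{
            Account   = $_.Name
            Failures  = @($_.Group | Where-Object Id -eq 4625).Count
            LockedOut = [bool]($_.Group | Where-Object Id -eq 4740)
            Sources   = ($_.Group.Source | Sort-Object -Unique) -join ', '
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Failures -Descending
}

# Confirm the policy took effect, then list accounts worth a closer look.
Get-ADDefaultDomainPasswordPolicy -Identity 'domain.local' |
    Format-List ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow
Get-SuspiciousLogonActivity | Format-Table -AutoSize
```

Run the review from each DC, or forward the Security logs to one collector first: lockout counters are tracked per DC and then chased to the PDC emulator, so a single DC's log shows only part of the picture, and a source that appears against accounts from more than one company's OU is exactly the cross-company probing the thread is trying to prevent.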