Discussion:
Windows Active Directory Domains
j***@gmail.com
2014-07-08 20:48:05 UTC
Permalink
I have a scenario where I am trying to evaluate the security benefits of an Active Directory domain structure.

We will call the company XYX Inc. They have an AD Forest/Domain for general users. They also have a separate AD Forest/Domain for their HR Users that is behind a firewall.

The claim is that the separate forests with a one way trust provides the necessary security to protect the HR Information.

My thinking is that having the users/servers in the same forest would provide additional benefit of ease of use for the technical team. Using the already existing firewall, separate the servers behind the firewall for the needed protection of HR files.

Before I make a recommendation of one way or the other, I wanted to elicit the ideas of others who may have seen similar situations.

Thanks

Joe Brown

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Chris Wessells
2014-07-09 14:02:31 UTC
Permalink
There are separate technologies mentioned.

1. Authentication
2. Network segmentation

Active Directory is a hierarchy of objects you can "do" stuff with. You can apply policies to affect client machines. You can create groupings of objects to centralize configuration. The relationships are hierarchical. If the account details contained in an OU (Folder) are wished to be kept private, then make a different OU parallel to the existing OU.

Then you can restrict the user's ability to search specific OUs: "Anyone in OU=Company, has a search base of OU=Company." They will never see the OU=HR.

HR
-User
-Computer
Company
-User
-Computer

With forethought and design, there isn't a reason to have the two servers in the forest for this scenario. Additionally the firewall segmentation isn't necessary either. Using NTFS file share permissions will keep users out of sensitive data. Now there are many variables and 100 different ways to solve any IT problem so by all means this is not the only solution. Good luck, AD is a powerful tool that can help control an environment.

Best Regards,
Chris Wessells

Chris Wessells | Sr. Network & Systems Engineer
MetaSource, LLC | 12894 Pony Express Road, Suite 700 | Draper, UT 84020-8334
office 801 984-6606 | mobile 385 202 3735 | ***@metasource.com

Will Boling
2014-07-09 13:55:52 UTC
Permalink
Joe,

I see very, very little benefit in separating the domains. Honestly, it sounds like an excuse to not set up share permissions and other things correctly within a shared domain. From a management perspective, I could see this being a huge pain. I would recommend having them consolidate the domain into one and having someone help them with permissions and object security within the domain. Could they not utilize ACLs and VLANs on switches to provide the level of security they’re trying to use the firewall for?

Thank you,
Will
Ocala Website Designs LLC
2014-07-09 16:56:21 UTC
Permalink
Tell you the truth, if the HR department has HIPAA information, or
information that is very sensitive, they should hire someone that does know
what they are doing. No offense, but a security breach is a bad way to find
out you failed at securing your HR data. I agree, keep it simple, use a
single domain, leverage NTFS permissions and VLANs properly.

Thank you,

Tommy Thomas, MCP, Network+, Security+, C|EH, MCSE
Network Systems Administrator -::- Webmaster
Public Affairs Specialist - :: - Photojournalist
Ocala Website Designs LLC
www.OcalaWebsiteDesigns.com
President - Ocala Outreach Foundation Inc.
www.OcalaOutreach.com



Michael Sturtz
2014-07-09 14:18:06 UTC
Permalink
Having a separate AD forest gives the illusion of additional security. It is not more secure. All people in the same organization should be in the same AD forest. Protecting HR data can and should be done at the server level, and with modern Windows servers configured properly you can not only prevent unwanted access but also audit that access in a central location such as a command center. Having a separate forest greatly complicates your design and could actually weaken the security of the HR data. If you want more information feel free to PM me.
Thanks,
Michael
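
The server-level check that Chris Wessells's and Michael Sturtz's replies point to (NTFS permissions on the HR data, with access auditing), as an added PowerShell example that is not part of any post in the thread: it lists Allow entries on a folder that go to anyone outside an approved set and reports whether audit rules exist. The scratch folder, the function names and the use of the current user as a stand-in for an HR group are assumptions made for the demo.

```powershell
# Added example, not code from the thread. Windows PowerShell 5.1 or later.
Set-StrictMode -Version Latest

# Well-known SIDs that amount to "practically everyone in the forest".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-UnexpectedAllowAce {
    # Returns every Allow ACE on $Path whose trustee is not in $AllowedSid.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedSid
    )
    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited rules, with trustees returned as SIDs (locale independent).
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($AllowedSid -contains $sid) { continue }
        $isDomainUsers = $sid -match '^S-1-5-21-.+-513$'   # RID 513 = Domain Users
        [pscustomobject]@{
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Broad     = $BroadSids.ContainsKey($sid) -or $isDomainUsers
        }
    }
}

function Test-AuditConfigured {
    # $true/$false if the SACL could be read, $null if the session is not elevated.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $sacl = (Get-Acl -LiteralPath $Path -Audit -ErrorAction Stop).Audit
        return (@($sacl).Count -gt 0)
    } catch {
        return $null
    }
}

# --- Constructed demo: a scratch folder stands in for the HR share ---
$demo = Join-Path $env:TEMP ("hr-acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

# The current user stands in for a hypothetical HR group; in production use the
# group's SID from AD, e.g. (Get-ADGroup 'HR-Staff').SID.Value ('HR-Staff' is made up).
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl = Get-Acl -LiteralPath $demo
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs so the result is deterministic

$grants = @(
    @{ Sid = $me.Value;      Rights = 'FullControl' },      # "HR group"
    @{ Sid = 'S-1-5-18';     Rights = 'FullControl' },      # SYSTEM
    @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' },      # Administrators
    @{ Sid = 'S-1-5-11';     Rights = 'ReadAndExecute' }    # the mistake: Authenticated Users
)
foreach ($g in $grants) {
    $who  = New-Object System.Security.Principal.SecurityIdentifier($g.Sid)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, $g.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $demo -AclObject $acl

# Only the Authenticated Users entry should be reported, flagged Broad = True.
$approved = @($me.Value, 'S-1-5-18', 'S-1-5-32-544')
Get-UnexpectedAllowAce -Path $demo -AllowedSid $approved | Format-Table -AutoSize
"Audit rules present: $(Test-AuditConfigured -Path $demo)"

Remove-Item -LiteralPath $demo -Recurse -Force
```

An audit rule on the folder only produces Security-log events when the Audit File System policy subcategory is also enabled on the server.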

Jim B
2014-07-09 14:29:28 UTC
Permalink
Try using not different domains but OUs. This way, each OU can have its
own GPO and security settings, and ensure that you use groups to enhance the
security settings, not adding individuals to the OUs.

Kurt Buff
2014-07-09 14:21:33 UTC
Permalink
Some questions:

Who administers the firewalls separating the HR domain from the other domain?
Do the firewall admins also administer either domain?
Are the firewalls between domains even more restrictive of web
browsing and other online activity for HR than for the other staff?
Who administers the HR domain, and why are they more trusted than
those who administer the larger domain?

As you probably gather, the situation seems (to me) fraught with
redundancy and possibility for error. HR data isn't so much more
private than other data (IMHO) that it needs that kind of special
attention - the intellectual property and/or financial data and/or
business processes require pretty much an equal level of care.

Kurt
Kurt Buff
2014-07-14 14:23:54 UTC
Permalink
Going bankrupt because of regulatory fines (or just paying a big fine)
vs. going bankrupt (or losing lots of money) because of theft of IP or
hacked bank accounts isn't much of a choice. They both are outcomes to
be avoided by exercising due care. One might argue that the
possibility of jail time because of HIPAA provisions or other laws
might provide extra incentive, but I haven't seen much of those kinds
of penalties - yet. And, if you can achieve the same level of security
without the complexity of extra configuration, or the expense of extra
staff, then your course is pretty clear.

Kurt

On Mon, Jul 14, 2014 at 7:12 AM, Mikhail A. Utin
Hello,
Quote: HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.
Not really right as HR deals with personally identifiable information. See, for instance, US MA 201 CMR 17.00, or similar. PI, i.e. legally protected personal information, is at least one record having any number (like SSN or a license) and full name. HR has plenty of such information.
In any case, when you think of protecting data, you need to clarify if any compliance is required. If so, then you need to check what exactly the regulation(s) require. You may build up numerous expensive and technically correct solutions, but in case something goes wrong and protected (in legal context) data is acquired, your noncompliance will be considered first and your efforts as secondary.
I would remind you that there are two parts in information security - legal (including compliance) and technical. The first is more important as it relates to the business directly. If there is no such matter of compliance in your organization (there is no federal, state, local, industry regulation), then you are a lucky person and have free hands.
Regards
Mikhail Utin, CISSP
Mikhail A. Utin
2014-07-14 15:02:35 UTC
Permalink
Quote: One might argue that the possibility of jail time because of HIPAA provisions or other laws might provide extra incentive, but I haven't seen much of those kinds of penalties - yet

Here is the well-known example of the MGH (Mass General Hospital) case, which paid the feds around $1M after the loss of a memory stick with a few hundred EPHI records. Monetarily, even a small organization can sustain such a DATA loss, but conflicting with DHHS/CMS on that matter costs much more than a fine of $1M. There is an estimate that one case of data loss is around $5M. And most of it comes from the legal part and various matters dealing with federal authorities. The amount of data matters, but as you see in the MGH case, not too much. What matters is non-compliance. I would not discuss losses of millions of credit card records (AFAIC the last were Target, and eBay accounts' info as well) as DSS is commercial and not about the legal part, fines, etc. Compliance is also an issue but can be easily fixed by an external audit. Big guys can easily deal with such cases. If the US had a law and penalties for commercial data loss, we would see billion-level fines.
In short: if the feds are involved, all depends on Uncle Sam's will, and a pretty innocent loss could cause a business loss.
Regards

Mikhail

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On Behalf Of Kurt Buff
Sent: Monday, July 14, 2014 10:24 AM
To: security-***@securityfocus.com
Subject: Re: Windows Active Directory Domains

Going bankrupt because of regulatory fines (or just paying a big fine) vs. going bankrupt (or losing lots of money) because of theft of IP or hacked bank accounts isn't much of a choice. They both are outcomes to be avoided by exercising due care. One might argue that the possibility of jail time because of HIPAA provisions or other laws might provide extra incentive, but I haven't seen much of those kinds of penalties - yet. And, if you can achieve the same level of security without the complexity of extra configuration, or the expense of extra staff, then your course is pretty clear.

Kurt
Hello,
Quote: HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.
Not really right as HR deals with personal identifiable information. See, for instance US MA 201 CMR 17.00, or similar. PI, i.e. legally protected personal information, is at least one record having any number (like SSN or a license) and full name. HR has a plenty of such information.
In any case when you think of protecting data, you need to clarify if any compliance is required. If do, then you need to check the regulation(s) what it exactly requires. You may build up numerous expensive and technically correct solutions, but in a case of something goes wrong and protected (in legal context) data is acquired, your incompliance will be considered first and your efforts as secondary.
I would remind that there are two parts in information security - legal (including compliance) and technical. First is more important as relates to the business directly. If there is no such matter of a compliance in your organization (there is no federal, state, local, industry regulation), then you are lucky person and have free hands.
Regards
Mikhail Utin, CISSP
-----Original Message-----
Sent: Wednesday, July 09, 2014 10:22 AM
Subject: Re: Windows Active Directory Domains
Who administers the firewalls separating the HR domain from the other domain?
Do the firewall admins also administer either domain?
Are the firewalls between domains even more restrictive of web browsing and other online activity for HR than for the other staff?
Who administers the HR domain, and why are they more trusted than those who administer the larger domain?
As you probably gather, the situation seems (to me) fraught with redundancy and possibility for error. HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.
Kurt
Post by j***@gmail.com
I have a scenario where I am trying to evaluate the security benefits of an Active Directory domain structure.
We will call the company XYX Inc. They have an AD Forest/Domain for general users. They also have a separate AD Forest/Domain for their HR Users that is behind a firewall.
The claim is that the separate forests with a one way trust provides the necessary security to protect the HR Information.
My thinking is that having the users/servers in the same forest would provide additional benefit of ease of use for the technical team. Using the already existing firewall, separate the servers behind the firewall for the needed protection of HR files.
Before I make a recommendation of one way or the other, I wanted to elicit the ideas of others who may have seen similar situations.
Thanks
Joe Brown
Tracy Reed
2014-07-15 16:07:21 UTC
Permalink
Post by Mikhail A. Utin
Quote: One might argue that the possibility of jail time because of HIPAA
provisions or other laws might provide extra incentive, but I haven't seen
much of those kinds of penalties - yet
Here is well-known example of MGH (Mass General Hospital) case, which paid to
UCLA employee:
http://www.amednews.com/article/20100607/business/306079969/6/

A nurse shared data with a spouse and went to jail too but I can't find a
non-registration required link. There are more. So it does happen...
--
Tracy Reed
Tracy Reed
2014-07-21 20:22:31 UTC
Permalink
Post by Tracy Reed
http://www.amednews.com/article/20100607/business/306079969/6/
A nurse shared data with a spouse and went to jail too but I can't find a
non-registration required link. There are more. So it does happen...
Another one just made headlines:

http://www.justice.gov/usao/txe/News/2014/edtx-hippler-hipaa-kummerfield%20070314.html
--
Tracy Reed
Kurt Buff
2014-07-21 20:54:08 UTC
Permalink
I'm actually glad to see this happening - finally...

Kurt
Post by Tracy Reed
Post by Tracy Reed
http://www.amednews.com/article/20100607/business/306079969/6/
A nurse shared data with a spouse and went to jail too but I can't find a
non-registration required link. There are more. So it does happen...
http://www.justice.gov/usao/txe/News/2014/edtx-hippler-hipaa-kummerfield%20070314.html
--
Tracy Reed
Mikhail A. Utin
2014-07-14 14:12:45 UTC
Permalink
Hello,
Quote: HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.

Not really right as HR deals with personally identifiable information. See, for instance, US MA 201 CMR 17.00, or similar. PI, i.e. legally protected personal information, is at least one record having any number (like SSN or a license) and a full name. HR has plenty of such information.

In any case, when you think of protecting data, you need to clarify whether any compliance is required. If so, then you need to check exactly what the regulation(s) require. You may build up numerous expensive and technically correct solutions, but in case something goes wrong and protected (in legal context) data is acquired, your noncompliance will be considered first and your efforts as secondary.

I would remind you that there are two parts in information security - legal (including compliance) and technical. The first is more important as it relates to the business directly. If there is no such matter of compliance in your organization (there is no federal, state, local, industry regulation), then you are a lucky person and have free hands.

Regards

Mikhail Utin, CISSP

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On Behalf Of Kurt Buff
Sent: Wednesday, July 09, 2014 10:22 AM
To: security-***@securityfocus.com
Subject: Re: Windows Active Directory Domains

Some questions:

Who administers the firewalls separating the HR domain from the other domain?
Do the firewall admins also administer either domain?
Are the firewalls between domains even more restrictive of web browsing and other online activity for HR than for the other staff?
Who administers the HR domain, and why are they more trusted than those who administer the larger domain?

As you probably gather, the situation seems (to me) fraught with redundancy and possibility for error. HR data isn't so much more private than other data (IMHO) that it needs that kind of special attention - the intellectual property and/or financial data and/or business processes require pretty much an equal level of care.

Kurt
Post by j***@gmail.com
I have a scenario where I am trying to evaluate the security benefits of an Active Directory domain structure.
We will call the company XYX Inc. They have an AD Forest/Domain for general users. They also have a separate AD Forest/Domain for their HR Users that is behind a firewall.
The claim is that the separate forests with a one way trust provides the necessary security to protect the HR Information.
My thinking is that having the users/servers in the same forest would provide additional benefit of ease of use for the technical team. Using the already existing firewall, separate the servers behind the firewall for the needed protection of HR files.
Before I make a recommendation of one way or the other, I wanted to elicit the ideas of others who may have seen similar situations.
Thanks
Joe Brown
Keith Kooyman
2014-07-09 21:27:17 UTC
Permalink
I've seen this done before by well-intentioned admins. The truth is, in my
opinion, that what looks good in theory is in reality not a good practice.
No real security gain is accomplished and there are numerous reasons to not
do it this way.

They would be much better off investing in layer 3 switches and a core
router and implementing a strong and secure VLAN architecture with ACLs.
As you say, you could also use the firewall to create an added layer of
protection between the HR VLAN and the rest of the network. You could use
DLP to protect HR files. The net result would be better security and
improved functionality.


Keith Kooyman
Network Security Instructor
254-867-3090


This E-mail may contain thoughts and opinions of Keith Kooyman and does not
represent official Texas State Technical College Waco policy.

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On
Behalf Of ***@gmail.com
Sent: Tuesday, July 08, 2014 3:48 PM
To: security-***@securityfocus.com
Subject: Windows Active Directory Domains

I have a scenario where I am trying to evaluate the security benefits of an
Active Directory domain structure.

We will call the company XYX Inc. They have an AD Forest/Domain for general
users. They also have a separate AD Forest/Domain for their HR Users that is
behind a firewall.

The claim is that the separate forests with a one way trust provides the
necessary security to protect the HR Information.

My thinking is that having the users/servers in the same forest would
provide additional benefit of ease of use for the technical team. Using the
already existing firewall, separate the servers behind the firewall for the
needed protection of HR files.

Before I make a recommendation of one way or the other, I wanted to elicit
the ideas of others who may have seen similar situations.

Thanks

Joe Brown

Phil Fagan
2014-07-11 02:46:13 UTC
Permalink
I'll take the pro side for academic reasons....

I can see a benefit for having unique forests for this function assuming
you also have unique roles and responsibilities. Generally through
object permissions, network segmentation, and proxy-auth access to
protected resources you can achieve an extra level of security. So if
you have a team maintain the HR firewall, HR AD assets, and HR
services wholly separate from the team that you have maintaining the
remainder of the Enterprise then yes, you improve your security
posture.

If it's all the same team maintaining all the gear....it's an overly
complex design and provides no true gains.
Post by j***@gmail.com
I have a scenario where I am trying to evaluate the security benefits of
an Active Directory domain structure.
We will call the company XYX Inc. They have an AD Forest/Domain for
general users. They also have a separate AD Forest/Domain for their HR Users
that is behind a firewall.
The claim is that the separate forests with a one way trust provides the
necessary security to protect the HR Information.
My thinking is that having the users/servers in the same forest would
provide additional benefit of ease of use for the technical team. Using the
already existing firewall, separate the servers behind the firewall for the
needed protection of HR files.
Before I make a recommendation of one way or the other, I wanted to elicit
the ideas of others who may have seen similar situations.
Thanks
Joe Brown
--
Phil Fagan
Denver, CO
970-480-7618
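
Added example, not part of any post in this thread: a PowerShell check of the condition discussed above, that separate forests only add security when different people administer the general forest, the HR forest and the HR firewall. The rosters, account names and the Owner field (a per-person identifier the organisation is assumed to record for every admin account) are constructed sample data.

```powershell
# Added example. Rosters are constructed sample data; in a live environment each
# AD roster could be exported per forest with the ActiveDirectory module, e.g.
#   Get-ADGroupMember -Identity 'Domain Admins' -Server <dc-in-that-forest> -Recursive
# Owner is an assumed per-person identifier recorded for every admin account.
$rosters = @{
    GeneralForest = @(
        [pscustomobject]@{ Account = 'CORP\adm-jlee'; Owner = 'jlee' }
        [pscustomobject]@{ Account = 'CORP\adm-mroy'; Owner = 'mroy' }
    )
    HRForest = @(
        [pscustomobject]@{ Account = 'HR\hradm-pkim'; Owner = 'pkim' }
        [pscustomobject]@{ Account = 'HR\hradm-jlee'; Owner = 'JLee ' }
    )
    HRFirewall = @(
        [pscustomobject]@{ Account = 'fw-tsato'; Owner = 'tsato' }
        [pscustomobject]@{ Account = 'fw-mroy';  Owner = 'mroy' }
    )
}

function Get-AdminOverlap {
    param([Parameter(Mandatory)] [hashtable] $Rosters)

    # Flatten to one row per (plane, account), normalising the owner key because
    # each forest and the firewall use their own account naming.
    $rows = foreach ($plane in $Rosters.Keys) {
        foreach ($admin in $Rosters[$plane]) {
            [pscustomobject]@{
                Plane   = $plane
                Owner   = $admin.Owner.Trim().ToLowerInvariant()
                Account = $admin.Account
            }
        }
    }

    # A person holding admin rights in more than one plane defeats the separation.
    $rows | Group-Object -Property Owner | ForEach-Object {
        $planes = @($_.Group.Plane | Sort-Object -Unique)
        if ($planes.Count -gt 1) {
            [pscustomobject]@{
                Owner    = $_.Name
                Planes   = $planes -join ', '
                Accounts = ($_.Group.Account | Sort-Object) -join ', '
            }
        }
    }
}

$overlap = @(Get-AdminOverlap -Rosters $rosters)
if ($overlap.Count -eq 0) {
    'Each plane has its own administrators.'
} else {
    $overlap | Format-Table -AutoSize
}
```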