shadow accounts

  • shadow accounts

    I have 3 forests, one on the inside of a firewall, one on the DMZ and one on the outside of the firewall. Recently a worm virus got through the firewall on port 445 (trust port) and I would like to replace my trusts with shadow accounts.

    Is this feasible and what are the limitations?

  • #2
    Re: shadow accounts

    Three forests for users only? Seems huge overkill. And outside of the firewall as well? Hmmm.... Oh well. Reverse proxy is out of the question, I suppose.

    If you are a bit handy with programming, throw out the dmz/fw forests and use AD/AM instead. Proxy authentication should do it. That will improve your security by quite a bit.

    Otherwise, in order to create shadow accounts you will need some type of sync program. Also, passwords are going to be a problem. Solvable, but a problem.



    • #3
      Re: shadow accounts

      Is AD/AM available for windows 2000?

      Why do I need a sync program for shadow accounts and do you know specifically what the password problems might be.

      Thx.



      • #4
        Re: shadow accounts

        Originally posted by ozbie
        Is AD/AM available for windows 2000?

        Why do I need a sync program for shadow accounts and do you know specifically what the password problems might be.

        Thx.
        Does anyone know what the issues are relating to sync'ing shadow accounts between forests and why synchronization is required?



        • #5
          Re: shadow accounts

          One step back, please. What do _you_ mean by shadow account? I get the feeling that we are not on the same line here.



          • #6
            Re: shadow accounts

            As a replacement to trust relationships, ...where duplicate accounts and matching passwords are created on separate domains to allow authentication.



            • #7
              Re: shadow accounts

              OK, I meant the same thing. Question. How will you make sure the accounts on all forests match? You must do something to keep them in sync, right? New accounts, new passwords, all that.

              The password problem is simple. How will you read it from forest A and apply it to forest B? Or will you require the user to change it 3 times?



              • #8
                Re: shadow accounts

                I only need to manage a few shadow accounts between forests, subsequently this will be a manual process and accounts will not change (allow authentication of dcom apps).

                Would this use port 445?



                • #9
                  Re: shadow accounts

                  Ah, is that the real issue. Port 445 is SMB: file & print and the like. I'm pretty sure you can have a trust without port 445. But what use would that be? Using shadow accounts and passthrough authentication is no improvement over trusts.



                  • #10
                    Re: shadow accounts

                    Thanks for your feedback wkasdo,
                    ...I'm shutting down ports 445, 137, 138, 139 and I'm going to have to find some sort of solution allowing me to authenticate an app on the outside of the firewall to the DMZ. This is on an industrial network and last week a worm infiltrated the firewall through port 445, ...major mayhem!

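                    The post above closes 445 and 137-139 on the firewall. The script below is an added example (not code from anyone in this thread) that verifies the change took effect: run from a host on the outside of the firewall against a DMZ or inside host and every port should report "blocked". It only probes the two TCP ports (139 NetBIOS session, 445 direct-hosted SMB); 137 and 138 are UDP NetBIOS name/datagram services and need a separate UDP probe. The host name and timeout are assumptions for illustration.

```python
"""Check that SMB / NetBIOS session ports are unreachable on a host.

Added example, not from the original thread. Run it from the *outside*
side of the firewall against an inside or DMZ host after the rule change.
"""
import socket
from typing import Dict, Iterable

# TCP ports carrying SMB: 139 is the NetBIOS session service, 445 is
# direct-hosted SMB. 137/138 are UDP and are NOT covered by a TCP connect.
SMB_TCP_PORTS = (139, 445)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True only if a full TCP handshake to host:port completes.

    A refused connection (RST from the host) and a timeout (SYN silently
    dropped by a firewall) both count as "not open"; either means SMB
    cannot be reached from where this script runs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (ConnectionRefusedError, socket.timeout, OSError):
        # OSError also covers name-resolution failures and host unreachable.
        return False


def smb_exposure(host: str, ports: Iterable[int] = SMB_TCP_PORTS,
                 timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to True (reachable) or False (blocked or closed)."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def all_blocked(results: Dict[int, bool]) -> bool:
    """True when no probed port accepted a connection."""
    return not any(results.values())


def report(host: str, ports: Iterable[int] = SMB_TCP_PORTS,
           timeout: float = 2.0) -> str:
    """Human-readable summary, one line per port plus a verdict."""
    results = smb_exposure(host, ports, timeout)
    lines = [f"{host}:{p} {'OPEN' if up else 'blocked'}"
             for p, up in results.items()]
    verdict = "OK: SMB not reachable" if all_blocked(results) \
        else "FAIL: SMB reachable through the firewall"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    # "dmz-app-host" is an assumed name; replace it with the real target.
    print(report("dmz-app-host"))
```

                    Both 139 and 445 must show "blocked"; a single OPEN means the rule set still passes SMB and the worm's path is still there.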


                    • #11
                      Re: shadow accounts

                      Now I begin to understand it. So you had 445 exposed on the firewall? You are doing SMB/RPC stuff over the internet? Shouldn't be too difficult to work around that.

                      - VPN?
                      - IPSEC?
                      - SSL App?
                      - Terminal Server App (may be the most viable solution)
