Solved

Two-way forest trust logons

Posted on 2007-03-23
Last Modified: 2012-08-14
I have two Windows 2003 servers running Active Directory that, for historical reasons, each have their own Forest. TeacherDomain (the forest root on one server) currently owns all of the network printers and is configured as a MediaServer. StudentDomain is a forest root on the other server. We want to have certain groups of students be able to access certain network printers and also use the media streaming capability of the TeacherDomain. Also, we want teachers to be able to access the NAS device that students currently use on the StudentDomain for their student portfolios. From the Microsoft documentation, it appears that setting up a two-way ForestTrust gives me the capabilities that I need. However, on the student laptops that are connected to the StudentDomain, the administration does not want the DomainList on the logon screen to include domains that are on the TeacherDomain. That is, they want to keep the separation that students log on to student machines and teachers log on to teacher machines. I don't know how the Domain List on the logon page is generated. If I create a two-way ForestTrust, will student machines now be able to log on to the TeacherDomain? I think they are concerned about a student selecting the TeacherDomain, typing in a teacher's logon name, trying to break the password and getting access to gradebooks.
Question by:oaklandteacher

Expert Comment

by:LauraEHunterMVP
ID: 18780178
If you create a trust relationship, both domains will show up in the drop-down box on login, yes.  (There -may- be a third-party tool that can alter this behaviour, but I'm not aware of one.)  The alternative would be to leave the forests untrusted and create a second account for students who need to access the teacher domain, but that doesn't buy you much for two reasons:

[1] Managing password synchronization between the domains without a trust relationship will be a royal pain.

[2] Not being able to see the forest name in a drop-down box isn't going to stop a malicious and determined student (read: "hacker") from attempting to do password-guessing against the teacher domain - to believe otherwise is (I think, at least) a tragic underestimation of the computer-savviness of the average American student.

If users in ForestB need access to resources in ForestA the most effective way to do that is going to be via a trust relationship; it is then up to the administrators of ForestA to establish sufficient security controls to prevent unintended disclosure of resources. There are any number of tools that you can use to assist in this - Group Policy, Server & Domain Isolation, two-factor authentication for teachers...it largely depends on how much time, money, training and effort you're willing to throw at the problem of security.
 

Author Comment

by:oaklandteacher
ID: 18780295
I know that a malicious student isn't going to be deterred, but there are a lot of kids who will play password guessing if the dropdown includes the TeacherDomain. Plus they know that if they deliberately type in the wrong password enough times, it will temporarily disable the teacher's account (unless I change the default Group Policy).
If I move all of the network printers from the teacher domain to the top of the student domain and then establish a one-way trust, will that enable groups of students and groups of teachers to access the printers and the NAS without the TeacherDomain showing up on student laptops? I will still have to figure out how to give student access to MediaStreaming.

Expert Comment

by:LauraEHunterMVP
ID: 18780447
I don't have any one-way trusts in front of me that I can verify this against right now, but I believe that even one-way trusts will still populate the drop-down box in that scenario.  (You can obviously configure the one-way trust as a test measure and log onto a teacher/student computer to confirm.)

This unfortunately sounds as though you are attempting to create a silicon-based solution for a carbon-based problem, which is almost always a quest doomed from the start.  Does your organization have an Acceptable Use Policy, and does that AUP include a section about attempts to steal/abuse other users' passwords?  If you don't have one, write one. If you do have one, it's time to start enforcing. If the laptop with an IP that's registered to student Mike Smith logs twenty failed logons in a row against a teacher account, Mike Smith gets a warning. If it happens again, Mike Smith's parents get a phone call or he gets detention or suspension or what-not.  (I'm crafting examples in my head without knowing whether your students are K-12,  University, whatever - obviously modify these suggestions in an age-level appropriate fashion.)

Basically there isn't a technical measure in the world that's going to prevent someone from being intentionally malicious - but you're in a unique position of power in that the malicious users are at least -somewhat- under your control, rather than being a random hacker from Romania or China who is acting completely outside of any bounds of responsibility.
 

Author Comment

by:oaklandteacher
ID: 18780714
We have hundreds of student laptops on mobile carts and we use DHCP, so tracking down the student who might have been using a particular laptop at a particular time is more effort than I have time for. I understand about AUP and all that. I just need a technical answer about forest trusts.

thanks.

Accepted Solution

by:LauraEHunterMVP (earned 250 total points)
ID: 18780783
Hmmmm.  The good news?  I think I found a way for you to hide the domain drop-down entirely.

The bad news?  It involves a registry hack on the client-side, which probably wouldn't be feasible for you from an implementation standpoint.  (Unless your student laptops are AD-joined, in which case you can obviously deploy it via GP.)

This solution will also necessitate a behaviour/training change for your students as it will disable the domain drop-down box -entirely-; students will be forced to log in at all times using their "jsmith@oakland.edu" UPN name.

A. To remove the domain drop-down list from the logon screen and force users to use their full user principal name (UPN), perform these steps:

1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey.
3. From the Edit menu, select New, DWORD value.
4. Enter a name of NoDomainUI and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Reboot the machine.

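The same registry change as a script that applies it, can undo it, and verifies that the value is present with the right type, which is what you would want before pushing it to hundreds of laptops via a logon script or Group Policy. This is an added example, not code from the thread or from Microsoft; the key path and the NoDomainUI value name come from the post above, while the function names, the -Revert switch and the verification check are my own assumptions.

```powershell
# Added example: apply and verify the NoDomainUI setting described in the accepted solution.
# Key path and value name are taken from the post; function names and switches are assumed.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueName   = 'NoDomainUI'

function Set-NoDomainUI {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Pass -Revert to delete the value and bring the domain drop-down back
        [switch]$Revert
    )
    if ($Revert) {
        if ($PSCmdlet.ShouldProcess($WinlogonKey, "Remove $ValueName")) {
            Remove-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set $ValueName = 1 (DWORD)")) {
        # -Force creates the value if it is missing and overwrites a wrong type or value
        New-ItemProperty -Path $WinlogonKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-NoDomainUI {
    # Returns $true only when the value exists, is a REG_DWORD and equals 1;
    # a REG_SZ "1" created by hand would not hide the drop-down and fails this check.
    $item = Get-ItemProperty -Path $WinlogonKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $kind = (Get-Item -Path $WinlogonKey).GetValueKind($ValueName)
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $item.$ValueName -eq 1)
}

# Usage (elevated prompt; the change only takes effect after a reboot):
Set-NoDomainUI -WhatIf    # preview what would be written
Set-NoDomainUI            # apply
if (Test-NoDomainUI) { 'NoDomainUI is set correctly; reboot to hide the domain list' }
else                 { 'NoDomainUI is NOT set correctly' }
```

Because the drop-down disappears entirely, users must type the UPN form (jsmith@oakland.edu in the post's example), so verify on a single laptop first that the UPN suffix your students use is actually registered in the forest.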
