Solved

Group membership for an AD integrated firewall

Posted on 2009-05-15
Last Modified: 2012-05-07
We are admins for a Windows Server 2003 machine but the firewall on the network is administered by a third party. In order to integrate the firewall with Active Directory we need to grant the third party a user account with privileges that would enable the firewall to poll the AD and check for user authentication. We want to ensure this account has the minimum rights to enable them to do this job but nothing more, i.e. no admin rights, no logon rights.

As far as I am aware this is a typical AD integrated firewall scenario. The firewall in question is a Firebox.

Thanks, GG
0
Comment
Question by:GGUser
13 Comments
 
LVL 3

Expert Comment

by:Johneil1
ID: 24396065
Can you be a little more clear on your question? Which part of it are you having issue with? All the firewall should need is an AUTH server named.
0
 
LVL 1

Author Comment

by:GGUser
ID: 24396156
The firewall needs to authenticate users who connect to it via VPN. We could set it up so the firewall has its own list of users and passwords but this would mean administering two sets of users, one on the server and one on the firewall. The firewall has the ability to integrate with the AD, so that the firewall can authenticate users straight from the AD using their Windows account, but in order to do so it needs a dedicated AD account that it can use to poll the AD.

I'm assuming a standard 'domain user' account won't give the firewall suitable privileges but a 'domain admin' account will give them far too much access. Is there a group membership that would allow the firewall to access AD and authenticate users but not give them full admin rights?
0
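The question above is really a least-privilege audit: if a third party is handed a domain account for the firewall to authenticate against AD, it should be a plain domain user and nothing more. The following PowerShell is an added example, not code from this thread, from WatchGuard, or from Experts Exchange. It assumes the ActiveDirectory module (RSAT) on a domain-joined management host; the account name `svc-firewall-auth` and the list of privileged groups are placeholders/assumptions to adapt to your domain.

```powershell
# Added example (not from the thread): audit a domain account that a third
# party wants to use for AD-integrated firewall authentication, and confirm
# it holds no administrative group membership. Requires the ActiveDirectory
# PowerShell module; the account name below is a placeholder.
Import-Module ActiveDirectory

# Built-in groups whose membership confers administrative or otherwise
# elevated rights in a default domain. Extend with site-specific delegated groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners'
)

function Get-ServiceAccountPrivilegeReport {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties MemberOf, PrimaryGroupID, AccountNotDelegated, TrustedForDelegation

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk nested membership server-side, so transitive memberships are caught.
    # The primary group (normally Domain Users, RID 513) is not stored in the
    # 'member' attribute and is checked separately.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")

    $elevated = @($groups | Where-Object { $PrivilegedGroups -contains $_.Name })

    [pscustomobject]@{
        Account              = $user.SamAccountName
        PrimaryGroupIsUsers  = ($user.PrimaryGroupID -eq 513)
        NestedGroups         = @($groups   | Select-Object -ExpandProperty Name)
        PrivilegedGroups     = @($elevated | Select-Object -ExpandProperty Name)
        DirectGroupDNs       = @($user.MemberOf)
        AccountNotDelegated  = $user.AccountNotDelegated
        TrustedForDelegation = $user.TrustedForDelegation
        # The account passes only if it is a plain Domain User with no
        # privileged membership and is not trusted for delegation.
        LeastPrivilege       = ($elevated.Count -eq 0 -and
                                $user.PrimaryGroupID -eq 513 -and
                                -not $user.TrustedForDelegation)
    }
}

function Set-ServiceAccountHardening {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $report = Get-ServiceAccountPrivilegeReport -SamAccountName $SamAccountName

    # Remove direct membership in any privileged group found. A membership that
    # only arrives through a nested group stays in the report for manual review,
    # since the intermediate group is what needs fixing.
    foreach ($g in $report.PrivilegedGroups) {
        $groupDn = (Get-ADGroup -Identity $g).DistinguishedName
        if ($report.DirectGroupDNs -contains $groupDn) {
            Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false
        }
    }

    # Flag the account as sensitive so its credentials cannot be delegated
    # onward by any service it authenticates to.
    Set-ADUser -Identity $SamAccountName -AccountNotDelegated $true

    Get-ServiceAccountPrivilegeReport -SamAccountName $SamAccountName
}

# Usage (placeholder account name):
Get-ServiceAccountPrivilegeReport -SamAccountName 'svc-firewall-auth' | Format-List
```

The "no logon rights" requirement from the question is not a group membership at all: it is set through Group Policy under User Rights Assignment ("Deny log on locally" and "Deny log on through Remote Desktop Services") on the machines concerned, which leaves the account able to authenticate over the network while keeping it off any console. Note that the ActiveDirectory module postdates the Windows Server 2003 box in the thread; against 2003 domain controllers it needs the Active Directory Management Gateway Service installed, or the same checks can be done with the dsquery/dsget tools that ship with 2003.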
 
LVL 3

Expert Comment

by:Johneil1
ID: 24396422
What is the model firewall that you have?
0

 
LVL 1

Author Comment

by:GGUser
ID: 24396477
Without going to site I couldn't tell you the exact model but it's a Firebox X Core e-Series.
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24396494
0
 
LVL 1

Author Comment

by:GGUser
ID: 24396620
Thanks for the link but the instructions on that site are for RADIUS authentication and we need to configure NT Authentication.
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24396759
I don't think that you can get around the domain admin issue. I don't have much experience with the Fireboxes, but most other firewalls and VPN devices require that the account have domain admin level access (for AD integration). My co-worker has a lot of Firebox experience so I will ask him for you when he gets in.
0
 
LVL 3

Accepted Solution

by:Johneil1 (earned 1000 total points)
ID: 24396857
0
 
LVL 1

Author Comment

by:GGUser
ID: 24397044
Hmm. This suggests that the firebox doesn't actually need its own account. I shall need to go back to the firewall guys and clarify why they need the account. Thanks very much!
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24397124
That is what I was thinking before... all you should need is the AUTH server, DNS and that should be it!!!!!!
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24397140
So, not truly knowing that box, it seems that you can get around the account issue!!!!
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 24397143
Good luck
0
 
LVL 1

Author Comment

by:GGUser
ID: 24397153
Thanks again.
0
