Styleforum › Forums › General › General Chat › Any Windows Sysadmins out there?

Any Windows Sysadmins out there?

post #1 of 10
Thread Starter 
We are planning to create a remote domain controller in a data center. Our plan is to force VPN before logon. This may not be an option, however, with our VPN client. As such, I'm fairly sure that I've changed a password of a domain profile locally which would then (of course) not work for SSO once VPN'd. The idea is that the PCs will be imaged/initially logged in at the site of the DC but will need the passwords changed once they arrive at the user's location for security purposes. How would this be implemented or am I imagining that I've done this before? It's been 4 years since I've touched an AD environment and I must say, I've forgotten a lot.

Show me some love.
post #2 of 10
SPEAK ENGLISH.
post #3 of 10
Quote:
Originally Posted by kronik
We are planning to create a remote domain controller in a data center. Our plan is to force VPN before logon. This may not be an option, however, with our VPN client. As such, I'm fairly sure that I've changed a password of a domain profile locally which would then (of course) not work for SSO once VPN'd.

I'm pretty sure you haven't changed any domain passwords without a connection to a domain controller.

Quote:
The idea is that the PCs will be imaged/initially logged in at the site of the DC but will need the passwords changed once they arrive at the user's location for security purposes. How would this be implemented or am I imagining that I've done this before? It's been 4 years since I've touched an AD environment and I must say, I've forgotten a lot.

Show me some love.

Your other problem is what happens if the passwords expire while the user is disconnected from the VPN? They won't be able to change them and won't be able to log back on to the vpn unless an admin manually reset them. And if this happens while they're having any network problems it will be even worse. You could also have problems if someone doesn't log on to the domain for a long time and their clocks get out of sync. Will admins be on-hand ready to assist users when this happens? Or will they have to wait on hold for 30 minutes while they get someone on the phone to reset their passwords for them?

There are lots of issues with this design imo. It's really only a question of whether they are acceptable to you for what you are trying to achieve though.
post #4 of 10
Thread Starter 
Hrm, you sure about that? If the profile is roaming, and you change locally... of course the password on the domain wouldn't change, but wouldn't there be a way to change the user's local password?

Quote:
Your other problem is what happens if the passwords expire while the user is disconnected from the VPN? They won't be able to change them and won't be able to log back on to the vpn unless an admin manually reset them. And if this happens while they're having any network problems it will be even worse. You could also have problems if someone doesn't log on to the domain for a long time and their clocks get out of sync. Will admins be on-hand ready to assist users when this happens? Or will they have to wait on hold for 30 minutes while they get someone on the phone to reset their passwords for them?

This is where VPN before login becomes ideal (negating this issue entirely). The reality, sadly, is that there's really no other way of going about this. They will have someone on-hand with the local administrator password that will be able to handle password resets and such.
post #5 of 10
Kronik: getting whiter every day.
post #6 of 10
Quote:
Originally Posted by kronik
Hrm, you sure about that? If the profile is roaming, and you change locally.. of course the password on the domain wouldn't change but wouldn't there be a way to change the user's local password?
Roaming profiles don't solve your problem. They just make people's settings follow them from one computer to another, and without a connection to the domain they're useless.
Quote:
This is where VPN before login becomes ideal (negating this issue entirely). The reality, sadly, is that there's really no other way of going about this. They will have someone on-hand with the local administrator password that will be able to handle password resets and such.
Of course they can change their local passwords but that wouldn't help them with domain logins and that is the issue in my mind. I get the part about vpn before login. That's not really the issue either, as I see it.

You mentioned SSO so I'm assuming, perhaps incorrectly, that you are using an ISA server for this, which usually uses their domain login, so that wouldn't help them if their password expired. And it will be an issue. Even though people get warnings 14 days in advance, they often let them expire.

Having said that, maybe you could set a vpn password that's different from their domain logins and that doesn't expire. Make it local to the firewall with no access to the internal network they are connecting to and then require them to logon to the domain for proper access. I don't know how stringent your security requirements are or if that would be acceptable, but you'd avoid the issue of expiring domain passwords.

Are these individual users scattered all over the place or in one site? Overall it sounds to me like you would be better off using a site-to-site VPN configured directly on the firewall or router that connects them to the internet. Set it up. Test it. Ship it out, etc. You might need someone there on day 1 to make sure it all works, but after that it would be pretty problem free.
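The expiry failure mode raised in posts #3 and #6 (a remote user whose domain password lapses while off the VPN cannot change it, and is then locked out of VPN-then-domain logon until an admin resets it) is worth checking for proactively rather than waiting for the help-desk call. The PowerShell below is an added example, not code from the thread or any of its participants: it computes each account's expiry date from PasswordLastSet plus the domain maximum password age and flags accounts that are already expired or inside the warning window. The account names, dates and the 90-day maximum age are constructed for the example; the commented lines at the end show the ActiveDirectory-module cmdlets (Get-ADDefaultDomainPasswordPolicy, Get-ADUser) that would supply real data from a DC.

```powershell
# Added example (not from the thread): report domain accounts whose passwords are
# expired or about to expire, so remote users who depend on VPN-then-domain logon
# can be warned or reset before they lose access.

function Get-PasswordExpiryReport {
    param(
        # Objects carrying SamAccountName, PasswordLastSet and PasswordNeverExpires,
        # the same property names Get-ADUser exposes.
        [Parameter(Mandatory)] [object[]]  $Users,
        [Parameter(Mandatory)] [timespan]  $MaxPasswordAge,
        [int]      $WarnDays = 14,          # matches the 14-day warning Windows gives users
        [datetime] $Now      = (Get-Date)
    )
    foreach ($u in $Users) {
        $expires  = $null
        $daysLeft = $null
        if ($u.PasswordNeverExpires) {
            $status = 'NeverExpires'
        } elseif (-not $u.PasswordLastSet) {
            # pwdLastSet = 0 means "must change at next logon"; that change needs a DC.
            $status = 'MustChangeAtNextLogon'
        } else {
            $expires  = $u.PasswordLastSet + $MaxPasswordAge
            $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
            $status   = if ($daysLeft -lt 0)          { 'Expired' }
                        elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                        else                          { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Expires        = $expires
            DaysLeft       = $daysLeft
            Status         = $status
        }
    }
}

# Constructed sample accounts (not real users) and a fixed "now" so the output is stable.
$now = Get-Date '2010-03-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   PasswordLastSet = $now.AddDays(-80);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';     PasswordLastSet = $now.AddDays(-40);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol';   PasswordLastSet = $now.AddDays(-100); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'dave';    PasswordLastSet = $null;              PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-vpn'; PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true  }
)

# Assumed domain policy for the example: 90-day maximum password age.
$report = Get-PasswordExpiryReport -Users $sample -MaxPasswordAge (New-TimeSpan -Days 90) -WarnDays 14 -Now $now
$report | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module from RSAT):
# $policy = Get-ADDefaultDomainPasswordPolicy
# $users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires
# Get-PasswordExpiryReport -Users $users -MaxPasswordAge $policy.MaxPasswordAge | Where-Object Status -ne 'OK'
```

Run as written it reports alice as ExpiringSoon (10 days left), bob as OK, carol as Expired, dave as MustChangeAtNextLogon and svc-vpn as NeverExpires. Fine-grained password policies are not modelled: where PSOs are in use, read msDS-UserPasswordExpiryTimeComputed per user instead of applying one domain-wide age. None of this changes the underlying point in the thread; the change itself still has to reach a DC, so the report is for getting ahead of the lockout, not for avoiding it.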
post #7 of 10
Thread Starter 
Quote:
Originally Posted by GQgeek
Roaming profiles don't solve your problem. They just make people's settings follow them from one computer to another, and without a connection to the domain they're useless.

They will, however, authenticate against the domain but at this juncture, this point is inconsequential.

Quote:
Originally Posted by GQgeek

Of course they can change their local passwords but that wouldn't help them with domain logins and that is the issue in my mind. I get the part about vpn before login. That's not really the issue either, as I see it. You mentioned SSO so I'm assuming, perhaps incorrectly, that you are using an ISA server for this, which usually uses their domain login, so that wouldn't help them if their password expired. And it will be an issue. Even though people get warnings 14 days in advance, they often let them expire.

This situation I am very familiar with, having worked as a tech lead in a large enterprise where we dealt with this on a daily basis. No ISA server at this point, just speaking towards SSO for SharePoint/Exchange. Perhaps an ISA server is in the future but it'd be ideal to have that local to the client site. Syncing of passwords can be a huge pain in the rear, but it is ultimately just that in this situation; if security/password changes are the focus (which they are), that's really all we need to make certain of in this first 30 day period.

Quote:
Originally Posted by GQgeek
Having said that, maybe you could set a vpn password that's different from their domain logins and that doesn't expire. Make it local to the firewall with no access to the internal network they are connecting to and then require them to logon to the domain for proper access. I don't know how stringent your security requirements are or if that would be acceptable, but you'd avoid the issue of expiring domain passwords.

The VPN password will most certainly be different from their domain password but I'm not particularly fond of this approach, from an architectural security standpoint as you mentioned.

Quote:
Originally Posted by GQgeek
Are these individual users scattered all over the place or in one site? Overall it sounds to me like you would be better off using a site-to-site VPN configured directly on the firewall or router that connects them to the internet. Set it up. Test it. Ship it out, etc. You might need someone there on day 1 to make sure it all works, but after that it would be pretty problem free.

Unfortunately, scattered all over the country with a number (around 1/3?) here. The site-to-site VPN would be ideal for the local users of course, but does not aid with regards to the roaming ones. We plan to implement it anyways, as soon as we get this 5520 up and installed.
post #9 of 10
Thread Starter 
Quote:
Originally Posted by GQgeek
Roaming profiles don't solve your problem. They just make people's settings follow them from one computer to another, and without a connection to the domain they're useless.
They will, however, authenticate against the domain but at this juncture, this point is inconsequential.
Quote:
Originally Posted by GQgeek
Of course they can change their local passwords but that wouldn't help them with domain logins and that is the issue in my mind. I get the part about vpn before login. That's not really the issue either, as I see it. You mentioned SSO so I'm assuming, perhaps incorrectly, that you are using an ISA server for this, which usually uses their domain login, so that wouldn't help them if their password expired. And it will be an issue. Even though people get warnings 14 days in advance, they often let them expire.
As I thought (regarding changing local passwords). I don't know why it is that people think I mean changing the domain password without connecting to the DC. The engineer at the client site threw a hissy when I said, well, there's no reason they can't change their local password when they receive the PC... once they VPN in, any domain authentication will force them to log into the domain separately but that is fine. He seemed to not understand and at the time, I wasn't sure enough to argue him down on a conference call.

The situation of passwords expiring and the implications thereof I am very familiar with, having worked as a tech lead in a large enterprise where we dealt with this on a daily basis. No ISA server at this point, just speaking towards SSO for SharePoint/Exchange. Perhaps an ISA server is in the future but it'd be ideal to have that local to the client site. Syncing of passwords can be a huge pain in the rear, but it is ultimately just that in this situation; if security/password changes are the focus (which they are), that's really all we need to make certain of in this first 30 day period.
Quote:
Originally Posted by GQgeek
Having said that, maybe you could set a vpn password that's different from their domain logins and that doesn't expire. Make it local to the firewall with no access to the internal network they are connecting to and then require them to logon to the domain for proper access. I don't know how stringent your security requirements are or if that would be acceptable, but you'd avoid the issue of expiring domain passwords.
The VPN password will most certainly be different from their domain password but I'm not particularly fond of this approach, from an architectural security standpoint as you mentioned.
Quote:
Originally Posted by GQgeek
Are these individual users scattered all over the place or in one site? Overall it sounds to me like you would be better off using a site-to-site VPN configured directly on the firewall or router that connects them to the internet. Set it up. Test it. Ship it out, etc. You might need someone there on day 1 to make sure it all works, but after that it would be pretty problem free.
Unfortunately, scattered all over the country with a number (around 1/3?) here. The site-to-site VPN would be ideal for the local users of course, but does not aid with regards to the roaming ones. We plan to implement it anyways, as soon as we get this 5520 up and installed.
post #10 of 10
For the roaming users, do they really need to be domain members with everything that entails? Is there a reason you aren't just installing a vpn on there and letting them connect when they feel like it? Is it a fear of viruses/worms getting in to the network and a desire to completely control everything they can do on their computers? Is there sensitive info on their laptops? You could isolate them at the ASA/network level when they connect to the 5520 via different address assignments and have firewalls configured to prevent anything nasty getting in to your internal network. Do you have an SSM-AIP-10 on that baby? That helps too. Just an idea. I don't have enough info to say whether it's a good one or not.