Person1 Posted May 23, 2006

We have a 2003 Active Directory domain. We are currently working on setting up an SFTP server for our company in which the software will talk to an AD domain for user credentials. We want to use an AD domain for this because of some of the extra features it offers. I am trying to decide where I want to set up the SFTP users since they will be external users. By external I mean customers throughout the world. Currently we have no external users in our AD environment and I am trying to figure out how to add them in the most secure manner. I don't want them to have access to anything other than the SFTP server. Here are the options as I see them:

1. Create a new OU in our domain. Create a new group called SFTP or whatever we want to name it. Then create the user accounts for the external users and add them to the SFTP group. For each user set the SFTP group to the primary group and remove them from the Domain Users group. One issue with this setup is that we misused the Everyone group in the past and we currently do not have the time to go back to everywhere it was used and fix it. So the external users in theory would have access to some shares because of the use of the Everyone group.
2. Set up a new domain under our forest.
3. Set up a child domain under our domain.
4. Set up a completely different forest and domain for this.

Any opinions would be greatly appreciated. Which option would you choose, or is there another way of doing this that I am not thinking of?

Thanks!
Eric
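The following is an added example, not code from the original thread or from any poster: it implements option 1 from the post above with the ActiveDirectory module (RSAT) and then audits the local file shares for grants to Everyone, which the post identifies as the weak spot of that option. The OU name, group name, sample user names and the assumption that the script runs on a file server hosting the shares are all illustrative assumptions, not values from the thread.

```powershell
# Added example: option 1 (dedicated OU + group as primary group, drop Domain Users)
# followed by an audit of shares that still grant Everyone. Names are assumptions.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = 'External SFTP Users'          # assumed OU name
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'SFTP-External'                # assumed group name
$users     = @('customer1', 'customer2')    # constructed sample accounts

# 1. Dedicated OU, so a restrictive GPO can be linked to exactly these accounts.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Global security group that will become each external user's primary group.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn -PassThru
}
# primaryGroupID stores the RID, i.e. the last component of the group's SID.
$groupRid = [int](($group.SID.Value -split '-')[-1])

# 3. Create the accounts, switch the primary group, then remove Domain Users.
foreach ($sam in $users) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
    if (-not $user) {
        $password = Read-Host -AsSecureString "Initial password for $sam"
        $user = New-ADUser -Name $sam -SamAccountName $sam -Path $ouDn `
                           -AccountPassword $password -Enabled $true -PassThru
    }
    Add-ADGroupMember -Identity $group -Members $user
    # AD refuses to remove a user from its primary group, so re-point the primary
    # group to the SFTP group first and only then drop Domain Users.
    Set-ADUser -Identity $user -Replace @{ primaryGroupID = $groupRid }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false
}

# 4. Audit: which non-administrative shares on this host still grant Everyone,
#    either in the share permissions or in the NTFS ACL of the shared folder?
function Get-EveryoneGrant {
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $shareAce = Get-SmbShareAccess -Name $share.Name |
                    Where-Object { $_.AccountName -eq 'Everyone' }
        $ntfsAce  = (Get-Acl -Path $share.Path).Access |
                    Where-Object { $_.IdentityReference.Value -eq 'Everyone' }
        if ($shareAce -or $ntfsAce) {
            [pscustomobject]@{
                Share    = $share.Name
                Path     = $share.Path
                ShareAcl = ($shareAce.AccessRight -join ',')
                NtfsAcl  = ($ntfsAce.FileSystemRights -join ',')
            }
        }
    }
}
Get-EveryoneGrant | Format-Table -AutoSize
```

Removing Domain Users only helps where ACLs name Domain Users or Authenticated Users; any ACE granting Everyone still applies to the new accounts, which is why the audit at the end lists every share that needs fixing before the external accounts go live.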
Zartach Posted May 23, 2006

The best thing is using groups, as they are to be used to set permissions and rights. You can always add the users to a separate OU and link a specially customized security GPO to it to secure it further, and have the users in a separate location in the AD overview.

You will need to look at the Everyone group thing because it will cause people to have access to those resources no matter where they are from.

Also, if you are only looking to add users to an SFTP server (what application are you using here, IIS?) you may want to investigate the option to just add the users to the application and not use AD for authentication at all. That way the users can't ever access the AD.

Hope it helps,
Person1 Posted May 23, 2006 (Author)

Thanks for the reply!

The Everyone group issue definitely needs to be addressed. It is just going to take more time than I have since I have to get this SFTP site up and running ASAP.

We are using a third-party product, Globalscape EFT Server. We have to use AD because of the way their Gateway DMZ server interfaces with the back-end server. There are also a few other options we are going to use that are easier done with AD.

Thanks,
Eric
cluberti Posted May 23, 2006

Why don't you use ADAM and set up a separate AD for the SFTP/external users? You could set up a one-way trust as well, if necessary. This would keep your internal and external user base separated.
Person1 Posted May 23, 2006 (Author)

cluberti,

That is a very good option! I am going to look more into setting up ADAM to see if it is what I am looking for.

Thanks!
Eric
tguy Posted May 23, 2006

Cluberti is right, ADAM is the way to go. Then you can put the ADAM server in your DMZ network and you'll just have to open port 636 (secure LDAP) through the firewall to have it talk to the other domain for authentication. A host of other defined ports are necessary to create the trust through a firewall. There is a KB article on how to do it.

Good luck.
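As an added example (not part of the thread, and not Globalscape's or Microsoft's code), the check a practitioner would run from the DMZ-facing side before trusting the design above: confirm that only TCP 636 is reachable on the ADAM (now AD LDS) instance while the plaintext LDAP and RPC/SMB ports are blocked, and confirm that a simple bind with a test account actually negotiates TLS. The host name, port list, bind DN and the use of System.DirectoryServices.Protocols are assumptions for illustration.

```powershell
# Added example: verify the firewall exposes only LDAPS (636) to the ADAM/AD LDS
# host and that a simple bind is protected by TLS. Host and DN are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost   = 'adam01.dmz.example.com'    # assumed ADAM/AD LDS instance
$ldapsPort  = 636
$blockPorts = @(389, 3268, 135, 445)      # plaintext LDAP, GC, RPC, SMB: expected closed

# Returns one object per port with whether a TCP connect succeeded and whether
# that matches the intended firewall policy.
function Test-FirewallExposure {
    param([string]$Server, [int]$AllowedPort, [int[]]$DeniedPorts)
    foreach ($port in @($AllowedPort) + $DeniedPorts) {
        $open = Test-NetConnection -ComputerName $Server -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Port     = $port
            Open     = $open
            Expected = ($port -eq $AllowedPort)
            Ok       = ($open -eq ($port -eq $AllowedPort))
        }
    }
}

# Simple (password) bind is only acceptable because SecureSocketLayer forces TLS
# from the first byte; without it the password would cross the firewall in clear.
function Test-LdapsBind {
    param([string]$Server, [int]$Port, [string]$BindDn, [securestring]$Password)
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $plain)
    try {
        $conn.Bind()
        # Report the negotiated protocol so a downgraded or non-TLS session is visible.
        Write-Verbose ("TLS protocol in use: {0}" -f $conn.SessionOptions.SslInformation.Protocol)
        return $true
    } catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning ("Bind failed: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
        return $false
    } catch {
        Write-Warning ("Connection/TLS failure: {0}" -f $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

Test-FirewallExposure -Server $ldapHost -AllowedPort $ldapsPort -DeniedPorts $blockPorts |
    Format-Table -AutoSize

$bindDn = 'CN=sftp-test,OU=External SFTP Users,DC=dmz,DC=example,DC=com'   # assumed test account
$pw = Read-Host -AsSecureString "Password for $bindDn"
Test-LdapsBind -Server $ldapHost -Port $ldapsPort -BindDn $bindDn -Password $pw -Verbose
```

Run this from a host on the outside of the firewall, not from the ADAM server itself; a bind that succeeds only when TLS is disabled, or a 389 that answers, means the exposure is wider than the single port the post describes.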