ADFS and Domain Admins (or anyone else for that matter)

I spend a lot of time answering questions or making comments in e-mails that would make good blog posts. So it may seem a bit cheesy (at least it does to me), but it's turning out that reposting these e-mails seems like an easy way to do this...so here's another one...hope you don't mind (again, some edits to protect the innocent)...(and to fix typos)...

________________________________________
From: Brian Puhl
Sent: Monday, September 18, 2006 1:18 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

More generically – it’s a good thing to remember that anyone who can join a machine to a domain can install ADFS and create federations.

We had several conversations with the ADFS team during R2 dogfooding about this – to summarize weeks of discussions into a couple of bullet points:

  • Generally speaking, “IT” controls the network perimeter – So the ‘threat’ of setting up an incoming federation to allow 3rd party access to your network would require someone who was deploying ADFS to also be able to deploy applications to the internet
  • Anyone could configure ADFS, and work with a partner to configure an outbound federation, enabling all users in the directory (and trust realm) to ADFS authenticate to an application. The primary concern here was data disclosure, but the only data they could disclose are things that are already readable by the user in the directory anyways, so there were a lot easier ways to disclose this info if that was the goal.

From the MS IT perspective, our largest concern was actually the support impact. For example, you go to a website one day, and it just suddenly “logs you in”, because someone internally joined an R2 machine to the domain, and worked with the application owner to set up the federation. This is all goodness, until the day that the federation breaks – Because the users will call the help desk (approx $50 per call), and it is extremely difficult to track down where the federation server is, who owns it, how it’s configured, why it broke, etc… All of this takes administrator time and effort ($$$), for what is essentially a user impacting rogue application.

The ADFS Product Group has a DCR <Design Change Request> to give us more control over rogue ADFS instances in LH Server. I don't know the status, but they understand the problem of needing to answer the question "Who do we have federations with." 

Brian Puhl
Microsoft IT
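
The two operational questions in the message above ("who stood up a federation server in our domain?" and "who do we have federations with?") can be answered with a script on a later AD FS release. The following is an added example, not code from the original thread or from Microsoft IT; it targets the AD FS PowerShell module shipped with Windows Server 2012 R2 and later (the Windows Server 2003 R2 ADFS discussed in the thread has no such module or AD footprint), and it relies on two facts about those releases: the farm registers the SPN `HOST/<federation service name>` on its service account, and it stores its DKM key material under `CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>`. Function names and output shapes are my own.

```powershell
# Added example, not code from the original thread.
# Two inventory checks for the questions raised above, written against the
# AD FS PowerShell module that ships with Windows Server 2012 R2 and later
# (the Windows Server 2003 R2 ADFS discussed in the thread has no such module).

function Find-AdfsFarmsInDomain {
    # Run from any domain-joined host with the ActiveDirectory RSAT module.
    # AD FS registers the SPN HOST/<federation service name> on its service
    # account (a user or gMSA, never a computer object) and stores its DKM key
    # material under CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>.
    # Either artifact tells you that somebody stood up a farm in this domain.
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName

    # Non-computer objects carrying a HOST/ SPN: candidate AD FS service accounts.
    $accounts = Get-ADObject -LDAPFilter '(&(servicePrincipalName=host/*)(!(objectClass=computer)))' `
                             -Properties servicePrincipalName, whenCreated |
        Select-Object Name, ObjectClass, whenCreated,
                      @{ n = 'SPNs'; e = { ($_.servicePrincipalName | Where-Object { $_ -like 'host/*' }) -join ';' } }

    # The DKM container only exists once an AD FS farm has been installed here.
    try {
        $dkm = Get-ADObject -SearchBase "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn" `
                            -SearchScope Subtree -Filter * -Properties whenCreated `
                            -ErrorAction Stop |
            Select-Object DistinguishedName, whenCreated
    } catch {
        $dkm = @()   # container absent: no farm has been installed in this domain
    }

    [pscustomobject]@{
        ServiceAccountsWithHostSpn = @($accounts)   # one entry per farm service account
        DkmObjects                 = @($dkm)        # empty when no AD FS farm was ever installed here
    }
}

function Get-FederationInventory {
    # Run on a federation server as an AD FS administrator.
    Import-Module ADFS

    # Outbound: relying parties our users can be signed in to.
    $rps = Get-AdfsRelyingPartyTrust |
        Select-Object Name, Enabled, MetadataUrl,
                      @{ n = 'Identifier'; e = { $_.Identifier -join ';' } }

    # Inbound: claims providers whose users we accept; 'Active Directory'
    # is the built-in local provider, not a federation partner.
    $cps = Get-AdfsClaimsProviderTrust |
        Where-Object { $_.Name -ne 'Active Directory' } |
        Select-Object Name, Enabled, Identifier

    # Trusts with no metadata URL were typed in by hand and never auto-update;
    # those are the ones that break silently and generate the help desk calls.
    $manual = $rps | Where-Object { $_.Enabled -and -not $_.MetadataUrl }

    [pscustomobject]@{
        RelyingPartyTrusts   = @($rps)
        ClaimsProviderTrusts = @($cps)
        ManualRelyingParties = @($manual)
    }
}

# Usage (each function on the host it is meant for):
#   Find-AdfsFarmsInDomain | Format-List
#   (Get-FederationInventory).ManualRelyingParties | Format-Table -AutoSize
```

The AD-side check only sees farms whose service account lives in the queried domain; repeat it per domain in a multi-domain forest, which is exactly the situation the original question describes.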

--------------------------------------------------------------------------------

From: T
Sent: Monday, September 18, 2006 12:36 AM
To: ADFS Discussion
Subject: RE: Domain Admin and ADFS

No, as domain admins can do whatever they want to in their domain

--------------------------------------------------------------------------------

From: M
Sent: Friday, September 15, 2006 7:32 PM
To: ADFS Discussion
Subject: Domain Admin and ADFS

QUESTION:

<My customer with multiple domains> are going to upgrade their servers to R2 and they want to know if there is any way to prevent Domain Admins from installing and configuring ADFS.

Any comment/suggestion will be greatly appreciated

Best regards,
M
