PCI - Windows Domain ADS configuration

I have a domain in our environment and I had a child domain that I originally configured for our retail operation. We are now working to make our environment PCI compliant. My question is: should I create a separate domain for my retail environment, or is it compliant to keep it as a child domain?



Quick thought: simply assess it based on the users in this different domain or zone. If they have specific roles assigned for retail compared to the other domain, then the child domain makes sense to give the extra access rights required compared to the global parent domain.

It is like under the Admin department: the HR group should not be crossing sub-domains to access the Finance group's resources; they are two sub-branches under the Admin umbrella, and resource access is different for these two groups. If need be it can even be a one-way trust domain, depending on the scale of the group and department, or even physical locality. Eventually the centralised AD is there to maintain, regardless of PCI, streamlined operational management and oversight on account review, to kick out unnecessary accounts like suspended and redundant orphaned ones.

It really comes down to scoping for PCI, but if that is not the intent, I see it as operationally messy to assign permission granularity if users start assuming multiple roles and need to be on a need-to-know basis according to enterprise policy.






Ain't it hard to get around with 2 domains?



Probably different OUs but the same domain, depending on role and separation of duties. Regardless, go for the least-privilege principle and beware of those with privileges and dormant accounts; that needs a regime to review their activities and state, and to deactivate as required.
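The periodic review the last reply calls for (trust direction, dormant accounts, privileged membership, and deactivation) can be scripted against the ActiveDirectory RSAT module. The block below is an added example, not code from anyone on this thread. The child domain name `retail.corp.example`, the `OU=Retail` search base, the 90-day inactivity threshold and the list of privileged groups are assumptions to replace with your own values; the disable step runs with `-WhatIf` so the script only reports until an operator removes it.

```powershell
# Added example (not from the thread): review of the retail child domain / OU for
# trusts, dormant accounts and privileged membership, as the last reply recommends.
# Assumptions: $Server, $SearchBase, $InactiveDays and $PrivilegedGroups below are
# placeholders; adjust them to your forest before running.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Server           = 'retail.corp.example'                      # assumed child domain
$SearchBase       = 'OU=Retail,DC=retail,DC=corp,DC=example'   # assumed OU holding retail users
$InactiveDays     = 90                                         # assumed review threshold
$PrivilegedGroups = @('Domain Admins', 'Administrators', 'Account Operators',
                      'Server Operators', 'Backup Operators')  # built-in high-privilege groups

# 1. Trusts: confirm the direction of every trust the retail domain participates in,
#    so a one-way trust has not quietly become bidirectional.
Get-ADTrust -Filter * -Server $Server |
    Select-Object Name, Direction, TrustType, IntraForest |
    Format-Table -AutoSize

# 2. Dormant accounts: enabled users with no logon inside the threshold.
#    LastLogonDate is derived from the replicated lastLogonTimestamp, so one DC is
#    enough for a review (it is only accurate to within ~14 days by design).
$cutoff  = (Get-Date).AddDays(-$InactiveDays)
$dormant = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase -Server $Server `
               -Properties LastLogonDate, whenCreated |
           Where-Object {
               # accounts that never logged on but are older than the threshold count too
               ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
               (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
           }

Write-Host "Enabled accounts inactive for more than $InactiveDays days: $($dormant.Count)"
$dormant | Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# 3. Privileged membership: expand each high-privilege group recursively (nested
#    groups included) and flag members that are also dormant.
$privileged = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -Server $Server |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; SamAccountName = $_.SamAccountName } }
    } catch {
        Write-Warning "Could not expand group '$g' on $Server : $_"
    }
}
$dormantNames = @($dormant.SamAccountName)
$privileged |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Dormant `
                        -NotePropertyValue ($dormantNames -contains $_.SamAccountName) -PassThru
    } |
    Sort-Object Dormant -Descending | Format-Table -AutoSize

# 4. Deactivation, dry run only: -WhatIf prints what would be disabled. Remove it once
#    the review is signed off, and keep the transcript as evidence for the account-review control.
$dormant | Disable-ADAccount -WhatIf
```

Run it from a workstation with RSAT under an account that can read the child domain; wrap the whole script in `Start-Transcript` if you want the output retained as review evidence. Because the ordering and the 14-day slack in `LastLogonDate` are AD properties rather than anything specific to PCI, the same script works unchanged whether retail ends up as a child domain or as an OU of the parent; only `$Server` and `$SearchBase` differ.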




