
Sophos UTM doesn't support Microsoft's A-G-DL-P concept in AD authentication

Hi,

As you know (I hope so), Microsoft has recommended the AGDLP principle for implementing access control rights since 1993.

https://en.wikipedia.org/wiki/AGDLP
We are just in the process of tidying up our Active Directory structure and going strictly by AGDLP. But yesterday I had to learn the hard way that this doesn't work with Sophos.


Example:

Create a group "UTM-WebAccess-Full" and add the group "IT-Administrators" to it. Nobody inside the "IT-Administrators" group will have access to the WebAdmin. You have to add every single user to the "UTM-WebAccess-Full" group to get this to work.


In a nutshell: Sophos UTM basically doesn't support nested groups in AD authentication.


This is against the AGDLP principle that Microsoft has recommended for ages. I am really shocked that Sophos doesn't support this.

As we are not a Sophos Partner, can one of you please file this as a bug report with Sophos?


Thanks in advance,

Dino
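The behaviour Dino describes is the difference between checking a user's own `memberOf` attribute (direct membership only) and resolving membership transitively through nested groups. The following is an added example, not code from the post or from Sophos: it models a small directory offline with the group names from the post (the `DC=example,DC=com` suffix and the user names are invented), shows why a direct-only check fails for users who come in through "IT-Administrators", implements a cycle-safe transitive lookup, and builds the LDAP filter using the `LDAP_MATCHING_RULE_IN_CHAIN` OID (`1.2.840.113556.1.4.1941`) that Active Directory evaluates server-side to answer the nested question in one query. The filter-escaping helper follows RFC 4515, so a caller-supplied account name cannot alter the filter.

```python
"""Direct vs. nested (transitive) AD group membership, modelled offline.

Constructed sample directory: DN -> list of memberOf DNs. The group names
mirror the forum post; the DN suffix and the user accounts are invented.
"""
from collections import deque

BASE = "DC=example,DC=com"
UTM_GROUP = f"CN=UTM-WebAccess-Full,OU=Groups,{BASE}"
IT_ADMINS = f"CN=IT-Administrators,OU=Groups,{BASE}"
LOOP_A = f"CN=Loop-A,OU=Groups,{BASE}"
LOOP_B = f"CN=Loop-B,OU=Groups,{BASE}"
ALICE = f"CN=alice,OU=Users,{BASE}"   # only via IT-Administrators (AGDLP)
BOB = f"CN=bob,OU=Users,{BASE}"       # added directly, as the post requires
CAROL = f"CN=carol,OU=Users,{BASE}"   # sits in a circular group pair

DIRECTORY = {
    ALICE: [IT_ADMINS],
    BOB: [UTM_GROUP],
    CAROL: [LOOP_A],
    IT_ADMINS: [UTM_GROUP],   # group nested inside the UTM group
    LOOP_A: [LOOP_B],         # constructed cycle: A -> B -> A
    LOOP_B: [LOOP_A],
    UTM_GROUP: [],
}


def direct_member(user_dn, group_dn, directory=DIRECTORY):
    """Direct-only check: is group_dn literally in the user's memberOf?

    This is the behaviour the post reports for Sophos UTM: alice, who is in
    IT-Administrators, is not seen as a member of UTM-WebAccess-Full.
    """
    return group_dn in directory.get(user_dn, [])


def nested_member(user_dn, group_dn, directory=DIRECTORY):
    """Transitive check: follow memberOf through nested groups.

    Breadth-first walk with a visited set, so circular group nesting
    (which AD permits) cannot send the lookup into an endless loop.
    """
    seen = set()
    queue = deque(directory.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group == group_dn:
            return True
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return False


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def in_chain_filter(sam_account_name, group_dn):
    """Build the filter that asks AD itself to resolve nested membership.

    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the
    domain controller walk the group chain, so the client needs no
    recursion of its own. The account name is escaped before insertion.
    """
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={ldap_escape(sam_account_name)})"
        f"(memberOf:1.2.840.113556.1.4.1941:={ldap_escape(group_dn)}))"
    )


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.split(",")[0],
              "direct:", direct_member(user, UTM_GROUP),
              "nested:", nested_member(user, UTM_GROUP))
    print(in_chain_filter("alice", UTM_GROUP))
```

Running the block shows alice failing the direct check but passing the nested one, bob passing both, and carol failing both without the cycle hanging the lookup; the printed filter is the query an LDAP-aware appliance could send to a domain controller to get the same answer as `nested_member` without walking groups itself.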



This thread was automatically locked due to age.