Re: AD design question....again
- From: phil2627@xxxxxxxxx
- Date: 4 May 2007 17:31:14 -0700
On May 4, 7:22 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
What do you want to secure against? If you are just going to have
students and teachers as users and one set of admins, you shouldn't need
security that requires separate forests. You get separate forests when
you can't trust the different sets of admins.
On your final question "can someone explain how someone in a child
domain can compromise the forest security"... No I hope no one does tell
you. It isn't something people should be explaining in public forums
because there is nothing you can do about it. Just know that it is
indeed quite easily possible for someone with control of any single DC
in the forest to gain control over the entire forest. At the very end of
the scale someone could start with ONLY physical access to a DC and at
the other end you could start with someone with server op or
administrator rights on a DC with no physical access. It is just a
matter of hops to get to Enterprise Admins. Just as soon as Microsoft
changes the core design of AD enough such that this type of escalation
can be completely blocked and I apply it for all of my customers, I
would be happy to describe how to do this in rich detail.
Note that the problem isn't just with "the administrator" account. Any
account with too many rights to the domain or DCs is a problem. This
includes EAs, DAs, ServOps, PrintOps, Backup Ops, people with
interactive logon rights to DCs, people with ability to modify system
files or services on DCs including printers.
Set up a single domain forest if you have no real reasons to do
otherwise and have a small set of people, say 3-5 tops, who have DA/EA
level rights, and everyone else are normal users with some people with
delegated rights to manipulate data in the directory.
The main technical reason for having separate domains in a single forest
is the desire to have different password policies. In Longhorn AD, due
out at the end of this year, it is no longer necessary to have multiple
domains to have multiple policies.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
phil2...@xxxxxxxxx wrote:
We are in a school district with 500 staff and 4000 non staff. We are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and setup trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?
We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.
With the Empty Root model the enterprise account is in its own domain,
which somewhat secures it, but this model requires more hardware.
If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall, I can go on with completing our single domain
model. Thanks.
Very thorough answer sir. Working backwards, we purchased software to
do password policies at the OU level, so we are covered there
regarding policies. So that eliminates the empty or root domain. I
know you and others are right about securing the admin account,
but it is reassuring to know others are doing the same thing. Someone
referenced you in another post as to you alluding to obtaining Ent.
Admin access, but not going into detail, and now I know why. Makes
sense. Thanks again.
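Joe's point is that every account in the groups he lists (EAs, DAs, Server Operators, Print Operators, Backup Operators, and anyone with administrator rights on a DC) is effectively forest-level, so the set must stay small. The following is an added audit script, not from Joe or anyone in this thread: it uses the RSAT ActiveDirectory module (assumed available, with rights to read membership) to enumerate the effective membership of those groups in every domain of the forest and flags any that exceed the "3-5 tops" guidance (the threshold of 5 is an assumption you can tune).

```powershell
# Added example (not from the thread): enumerate the high-privilege groups the
# thread names and flag any whose effective membership exceeds a small set.
# Assumes the RSAT ActiveDirectory module and rights to read group membership.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# Enterprise Admins exists only in the forest root; the other groups exist in
# every domain of the forest, so one entry is built per domain.
$groups = @( @{ Name = 'Enterprise Admins'; Domain = $rootDomain } )
foreach ($d in $forest.Domains) {
    foreach ($g in 'Domain Admins', 'Administrators', 'Server Operators',
                   'Print Operators', 'Backup Operators') {
        $groups += @{ Name = $g; Domain = $d }
    }
}

# Upper end of the "3-5 tops" guidance in the thread (assumption: tune to taste).
$maxPrivileged = 5

$report = foreach ($g in $groups) {
    # -Recursive expands nested groups so indirectly privileged accounts are
    # counted too; nested group objects themselves are dropped from the count.
    $members = @(Get-ADGroupMember -Identity $g.Name -Server $g.Domain -Recursive `
                   -ErrorAction SilentlyContinue |
                 Where-Object { $_.objectClass -ne 'group' })
    [pscustomobject]@{
        Domain  = $g.Domain
        Group   = $g.Name
        Count   = $members.Count
        Flag    = if ($members.Count -gt $maxPrivileged) { 'REVIEW' } else { '' }
        Members = ($members.SamAccountName | Sort-Object) -join ', '
    }
}

$report | Sort-Object Domain, Group | Format-Table -AutoSize -Wrap
```

Run it from an account that can read group membership in every domain; any row marked REVIEW is a group whose membership has grown beyond the small set the thread recommends and deserves a second look.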