Re: Are Domains True Security Boundaries?
From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 09/14/04
- Next message: Arild Bakken: "Re: Getting beyond 20 char login name"
- Previous message: Lee Flight: "Re: About ADAM Role"
- In reply to: John: "Are Domains True Security Boundaries?"
- Next in thread: John: "Re: Are Domains True Security Boundaries?"
- Reply: John: "Re: Are Domains True Security Boundaries?"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 14 Sep 2004 15:45:36 +0100
John,
A Domain is a boundary of security policy only.
The ONLY true boundary of security is the Forest.
So if you do not trust a group of "domain admins" who, for whatever reason, you
give their own Domain to, then that Domain and those Domain Admins should not
exist within your forest.
The security ramifications go deeper in that you actually have to trust all
your service admins across the entire forest.
You need to get your overall structure of ownership and responsibility
sorted before you can get to your Domain model.
If the European banks want autonomy - what? are they allowed to have it?
Who is running the overall Enterprise here? Can you all agree on having one
group of people have ultimate control of Enterprise-wide resources in the
directory such as the schema and the configuration naming contexts?
This is a hugely complex area and beyond the scope of a simple newsgroup
response.
Have you read and digested all the appropriate planning and guidance
documentation we produce on this?
See the deployment planning guides and various whitepapers.
Start with the Windows Server 2003 Deployment Resource Kit
--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups

"John" <test@nowhere.net> wrote in message news:eRdCY4lmEHA.2968@TK2MSFTNGP14.phx.gbl...
> Our global company (only about 30,000 users) is in heated debates about
> whether to have one domain or multiple domains. We have determined that
> the direction of the company is to centralize IT, although we aren't 100%
> there yet. We propose building a model with a "core team" able to act in
> Domain Admin roles, while "weeding out" all the current domain admins that
> are not "trusted" in the company.
>
> We have a common security policy, a few core enterprise applications that
> are looking for a simplified implementation, and our users desire ease of
> access regardless of where they sit in the company. (lots of salesmen,
> lots of travelling) We have even worked through the language issues that
> might exist.
>
> What we struggle with is the concept of a domain being a security
> boundary. For example, our European group has a largely decentralized IT
> structure currently. They claim they would like all 20 of their current
> Domain Admins to have Domain Admin access. They state for this reason that
> they want a second domain so that they can apply these rights to these
> individuals.
>
> We feel that adding a second domain and giving untrusted domain admin
> rights away would compromise the entire structure we are trying to build,
> as well as undermine the goal of centralized IT. The thought was that if
> they truly had the need to be separated in this manner a separate forest
> would be the true way of separating them out. However, a second forest is
> not an option for our discussion.
>
> Does anyone have any thoughts on this? Can we really add a second domain
> and give all these admins rights and still maintain integrity and
> security? If so, should it be a child domain? Or are we best to follow
> the business and IT initiative to centralize and work toward
> "globalization" of our company.
>
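The point of the reply above (you end up trusting every service admin in every domain, because the forest, not the domain, is the security boundary) is easiest to see as an inventory. The script below is an added example for this thread, not code from the newsgroup, from Microsoft, or from the deployment guides referenced. It assumes the RSAT ActiveDirectory PowerShell module, an account that can read group membership in every domain of the forest, and the well-known RIDs 512 (Domain Admins), 518 (Schema Admins) and 519 (Enterprise Admins) plus the builtin SID S-1-5-32-544 (Administrators); the function names Get-DomainDnFromDn and Get-ForestPrivilegedMembers are my own.

```powershell
# Added example (not from the thread): list every direct member of the
# privileged groups in every domain of the forest, flagging members that
# come from a different domain. Assumes the ActiveDirectory module and
# read access to each domain.
Import-Module ActiveDirectory

function Get-DomainDnFromDn {
    param([string]$DistinguishedName)
    # Keep only the DC= components of a DN; split on commas that are not escaped.
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    return ($parts -join ',')
}

function Get-ForestPrivilegedMembers {
    $forest = Get-ADForest
    $report = @()

    foreach ($domainName in $forest.Domains) {
        $domain    = Get-ADDomain -Identity $domainName -Server $domainName
        $domainSid = $domain.DomainSID.Value
        $domainDn  = $domain.DistinguishedName

        # Well-known RIDs: 512 exists in every domain; 518 and 519 exist only
        # in the forest root domain. S-1-5-32-544 is the builtin Administrators group.
        $groupSids = @{
            'Domain Admins'  = "$domainSid-512"
            'Administrators' = 'S-1-5-32-544'
        }
        if ($domainName -eq $forest.RootDomain) {
            $groupSids['Enterprise Admins'] = "$domainSid-519"
            $groupSids['Schema Admins']     = "$domainSid-518"
        }

        foreach ($entry in $groupSids.GetEnumerator()) {
            # Identity accepts a SID string; Members holds the direct members' DNs.
            $group = Get-ADGroup -Identity $entry.Value -Server $domainName -Properties Members
            foreach ($memberDn in $group.Members) {
                $memberDomainDn = Get-DomainDnFromDn -DistinguishedName $memberDn
                $report += [pscustomobject]@{
                    Domain      = $domainName
                    Group       = $entry.Key
                    Member      = $memberDn
                    # A member whose DN lives in another domain, or a foreign
                    # security principal, is an admin you trust across domains.
                    CrossDomain = ($memberDomainDn -ne $domainDn) -or
                                  ($memberDn -like '*CN=ForeignSecurityPrincipals,*')
                }
            }
        }
    }
    return $report
}

$members = Get-ForestPrivilegedMembers
$members | Sort-Object Domain, Group | Format-Table -AutoSize
$distinct = ($members.Member | Sort-Object -Unique).Count
"Principals holding privileged group membership somewhere in the forest: $distinct"
```

The final count is the set of accounts the whole forest is effectively trusting, whichever domain they sit in; this is what a second domain does not reduce. The listing covers direct members only: nested groups should be expanded with Get-ADGroupMember -Recursive in a real audit, and the result is a starting point for deciding which of those accounts belong in a core team and which do not belong in the forest at all.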