Active Directory - security boundaries

Hi,

I hear time and time again that a domain is not a security boundary in AD
and that only the forest is a true security boundary. Obviously this is
technically true.

My question is not because I don't understand AD structure, but because I'm
trying to understand what the risks are in using multiple domains in a
forest rather than separate forests. I understand the technical side of AD,
but not necessarily the theory and the "why".

Let's say we have a typical scenario - an internal domain for normal company
users and an external domain in the perimeter for customers. I'm trying to
understand the fundamental security differences (I understand the schema
side of things) between having these domains in separate forests or in the
same forest.

Scenario 1 - separate forests with a 1-way trust where the external domain
trusts the internal domain. Both domains are forest roots.
Scenario 2 - external domain is in the same forest either as a child domain
or the root of a new tree. Internal domain is the forest root.

In my experience "security experts" always recommend scenario 1 and it makes
sense that it would be more secure. However, no one has been able to
articulate to me exactly WHY it is more secure at a technical level. Why is
a separate domain in the same forest not an "acceptable security boundary"?

My understanding is as follows:

Domains are in the same forest. Internal domain is the tree root. Internal
and external domain will trust each other for authentication (due to
automatic trusts between domains within a forest). I'm happy that all
administrators in the internal domain (which is the forest root) will
automatically be able to administer the external domain. The reverse should
not be true though, as the external domain is not the tree root - right?

Users in the external domain can only access resources that they have group
membership of. If they aren't members of groups that have access to any
resources in the internal domain, then what is the problem? They have
effectively been isolated in their own "security boundary", haven't they?

With the other scenario (separate forests plus 1-way trust), isn't the same
the case? They still won't be able to access resources in the internal
domain as they can't be in resource groups from this domain. The difference
is that it's not even POSSIBLE for them to be in these groups, as the
internal forest does not trust the external forest (it's only the other way
around).

Is that the only difference? The fact that scenario 1 is more secure
because it makes it impossible to "accidentally" give them access to
internal resources (because the trusts don't allow it)? That's a fair
enough reason that it is more secure, I realise this.

However, let's say you can guarantee that no administrator will ever make a
mistake in scenario 2 and the external users will never be placed in groups
that have access to internal resources. I realise that in the real-world
you can't guarantee this, and that's why you'd make the decision to use
scenario 1 in the first place, but I am trying to understand the
technicalities here rather than the realities.

If we can assume that these users will never be placed in groups that give
them access to internal resources, then this would be secure too, wouldn't
it? Again, keep in mind that I am trying to work out the technicalities
rather than real-world. I want to understand the validity of saying "given
the assumption that users in the external domain will never be placed in
groups that give them access to internal resources, then they are
effectively in a security boundary". Of course in reality the fact that an
administrator COULD put them in one of these groups (accidentally or on
purpose) makes it less secure by definition.

Here is another scenario I have been asked to implement:

The finance department does not want to be on our domain as they don't trust
the administrators of the company domain with access to their files. In a
100% secure world we'd say "the only true security boundary is a forest,
create your own forest". In the real world, they need to be part of our
Exchange 2003 organisation and none of that works across forests.

So instead of separate forests, we implement the following:

Placeholder forest root domain, only a single trusted administrator has
access (me :))
Tree root domain for standard company stuff (the normal IT admins live here)
Tree root domain for finance department (with their own admins)

This effectively achieves a security boundary between us, doesn't it? The
administrators in the standard company domain will not be able to grant
themselves access to resources in the finance domain (and vice versa). We
would be able to grant THEM access to our resources (and they could grant us
access to theirs), but the point is that administrators in each domain
wouldn't be able to grant themselves access to resources in the other
domain. That's correct, isn't it? The only person who could grant
themselves access to resources in both domains would be me, as I control the
forest root and can therefore be an Enterprise Admin etc.

In this scenario, you HAVE to use 3 domains to achieve what we need, is that
right? If either the standard internal domain or the finance domain is the
forest root, then all those administrators can escalate themselves to be
Enterprise Administrators and therefore grant themselves access to the other
domain. The only way to stop this happening is to make a placeholder tree
root and make only super-trusted users administrators in the root.
Obviously from a "political" point of view this requires the owners of both
the standard internal domain and the finance domain to agree that it is ok
for a third-party (me) to be the "overall administrator".

The only TRUE way for the finance people to know that only they have access
to their stuff is to be in their own forest - but assuming they are happy
with knowing that just 1 person (or a subset of administrators) has access to
the forest root, then am I correct in thinking that all the other
administrators of the standard domain can't grant themselves access to
resources in the finance domain? Am I also correct in thinking that the
only way to achieve this is with 3 domains (because I can't allow either of
the other domains to be the forest root)?

Sorry about the long post. I'm grateful for any insights!

Cheers,
David
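The post's argument rests on two things that can be checked rather than assumed: who actually holds forest-wide privilege (Enterprise Admins and Schema Admins live only in the forest root, and the root's own Domain Admins / Administrators can add themselves to those groups), and which way each trust points. The following PowerShell is an added example, not part of David's post and not a Microsoft script; it is a read-only inventory using the RSAT ActiveDirectory module cmdlets (Get-ADForest, Get-ADDomain, Get-ADGroupMember, Get-ADTrust). It discovers forest and domain names at runtime, so nothing in it is specific to the domains described in the post.

```powershell
# Added example (not from the original post): read-only inventory of who holds
# forest-wide privilege and which way each trust points. Requires the RSAT
# ActiveDirectory module and an account that can read the directory.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$rootDC     = $rootDomain.PDCEmulator   # query the root's PDC so EA/SA resolve

Write-Host "Forest root : $($forest.RootDomain)"
Write-Host "Domains     : $($forest.Domains -join ', ')"

function Show-EffectiveMembers {
    param([string]$Group, [string]$Server)
    # -Recursive expands nested groups, so a user reached only through a
    # nested group still shows up as an effective member.
    $members = @(Get-ADGroupMember -Identity $Group -Server $Server -Recursive)
    Write-Host "`n[$Server] $Group : $($members.Count) effective member(s)"
    foreach ($m in $members) {
        Write-Host ("  {0,-22} {1}" -f $m.objectClass, $m.distinguishedName)
    }
}

# 1. Enterprise Admins and Schema Admins exist only in the forest root domain.
#    Everyone listed here can administer every domain in the forest.
'Enterprise Admins', 'Schema Admins' | ForEach-Object { Show-EffectiveMembers $_ $rootDC }

# 2. The root domain's own Domain Admins and Administrators can put themselves
#    into the groups above, so they belong to the trusted set as well. In the
#    placeholder-root design from the post this is the set that must stay tiny.
'Domain Admins', 'Administrators' | ForEach-Object { Show-EffectiveMembers $_ $rootDC }

# 3. Child/tree domains: their Domain Admins are confined to their own domain
#    only as long as nobody has added them to the root groups listed above.
foreach ($d in $forest.Domains | Where-Object { $_ -ne $forest.RootDomain }) {
    $dc = (Get-ADDomain -Identity $d).PDCEmulator
    Show-EffectiveMembers 'Domain Admins' $dc
}

# 4. Trust directions. Intra-forest trusts are always two-way and transitive;
#    an external or forest trust shows the direction that was configured
#    (Outbound = this domain trusts the other, Inbound = the other trusts us).
Write-Host "`nTrusts:"
foreach ($d in $forest.Domains) {
    Get-ADTrust -Filter * -Server $d |
        Select-Object @{ n = 'From'; e = { $d } }, Name, Direction, TrustType,
                      IntraForest, ForestTransitive |
        Format-Table -AutoSize
}
```

Run it from the root domain context first and compare section 2 against the list of people who are supposed to control the placeholder root; anyone extra there can reach Enterprise Admins and thereby every domain in the forest. Get-ADGroupMember -Recursive can error on foreign security principals from an external trust, which is itself a useful signal that a cross-forest principal has been granted a privileged group.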
