Re: Forest = Security Boundary?
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Mon, 12 Feb 2007 19:33:34 -0600
"Gabriel/TFI" <GabrielTFI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E19FEB8D-9A03-47AA-B17C-97F2C5377F07@xxxxxxxxxxxxxxxx
> I am reading the great book "Active Directory 3rd Edition" by Joe Richards & Co.

Maybe Joe will (also) respond; he is one of the most helpful posters on
the AD groups.

> In Chapter 8, "Designing the Namespace", it is said that "The Forest, not
> the domain, is the security boundary for AD. Anyone with high-level access
> rights on any domain controller in any forest can negatively impact or take
> control of any other DC or domain in the forest".
> I thought that the domain was the security boundary! :-(

It is, but only sort of, or in certain ways. The problem and the confusion
is that with trusts the boundary gets extended to all TRUSTED domains,
and since all of the domains in a forest trust each other the boundary in
some real sense expands to encompass the entire forest.

> - Does this mean that delegating administrative privileges over domains
> (e.g. different BUs) is a bad practice?

No. It just means that you have to recognize that you aren't achieving
"complete autonomy" as long as you are in the same forest.

> - How can an evil-administrator of a child domain compromise another domain
> or the entire forest? What techniques can be used to achieve this?

There are a variety of things -- let's see if Joe will post a list....
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
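An added audit script, not part of this thread or of Herb's or Joe's material, that lets you see the point above on your own forest: every domain is joined by two-way transitive intra-forest trusts, and the forest-wide groups in the root domain hold rights on every DC no matter which domain was delegated to whom. It assumes the RSAT ActiveDirectory module is installed and that the account running it has ordinary read access to the forest.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module
# and a domain-joined Windows host with read access to the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
Write-Host "Forest: $($forest.Name)   Root domain: $($forest.RootDomain)"

# 1. Each domain is a separate unit of delegation, but every one of them
#    trusts every other (IntraForest = True, Direction = BiDirectional),
#    which is why delegation inside a forest never yields full autonomy.
foreach ($domain in $forest.Domains) {
    Write-Host "`nTrusts seen from domain: $domain"
    Get-ADTrust -Filter * -Server $domain |
        Select-Object Name, Direction, IntraForest, ForestTransitive |
        Format-Table -AutoSize
}

# 2. Forest-wide privileged groups live only in the root domain. Any member,
#    whichever domain the account comes from, can act on any DC in the
#    forest, so membership here is what a child-domain delegation cannot
#    fence off and what should be reviewed regularly.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    Write-Host "`n$group (forest-wide rights), members resolved recursively:"
    Get-ADGroupMember -Identity $group -Server $forest.RootDomain -Recursive |
        Select-Object Name, ObjectClass, DistinguishedName |
        Format-Table -AutoSize
}
```

Any member of the second listing whose DistinguishedName sits in a child domain is an account whose effective reach is the whole forest, not the domain that was delegated to it.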