Re: AD design question
- From: phil2627@xxxxxxxxx
- Date: 4 May 2007 17:21:56 -0700
On May 4, 7:29 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
Just so we are clear though, a rogue admin in one domain of a
multidomain forest has far greater ability to impact the forest than a
rogue admin in an explicitly trusted domain.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Jeremy wrote:
In a normal case a Domain Admin of a subordinate domain wouldn't be able
to change the membership of accounts in any other domain unless you
explicitly allowed it. In a multi-domain model while the TRUST is
implicit, the rights aren't implicit up the tree.
Now if you are talking about a rogue administrator, well then they can
do lots of bad stuff, not limited to dropping a keystroke logger on a
machine and waiting for someone who is enterprise admin of the parent
domain to log in, but this would be no different if you had constructed
a manual two-way trust between two disparate forests. There isn't much
you can do to protect yourself from a rogue administrator except log and
review.
For a school environment I'd be going for lesser cost in overhead and
therefore better services for end-users, since I assume that funds are
limited. If you are careful about what rights you give people and
secure your generic accounts then turn on your audit logging and
ACTUALLY LOOK AT THE LOGS!! :) Then you will be fine.
Hope this helps,
Cheers,
Jeremy.
<phil2...@xxxxxxxxx> wrote in message
news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We are in a school district with 500 staff and 4000 non staff. We are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and setup trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?
We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.
With the Empty Root model the enterprise account is in its own domain
which somewhat secures it, but this model requires more hardware.
If someone could please explain how a person in a child domain can
gain access to the enterprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.
I am now leaning towards the single domain and feeling better about
the initial decision. But what is the impact of separate forests or
domain trees? I need to be able to explain the negative in these 2
models, especially the separate forests model since that stresses
security. Thanks again everyone.