Re: AD design question
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sun, 06 May 2007 20:42:20 -0400
> there was a two way trust between then it amounts to the same
> thing.
Well no, not really. A single forest with two domains and two single-domain forests that are tied with explicit trusts have different security issues. You put me on a DC in one of the domains of the single forest and within a short period of time, I will be an enterprise admin. Do the same with two explicitly trusted forests and it will not necessarily be something I can compromise; it depends on several configuration settings and whether or not you override the secure defaults.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Jeremy wrote:
The reason behind what Joe said is that in a single forest each domain trusts every other domain both ways, whereas an explicitly defined trust is only between the two domains (unless you do a forest trust). But if you were only going to have two forests, with one domain each, and there was a two-way trust between them, it amounts to the same thing. But I would only do this to try to protect myself from rogue admins, depending on the security classification of the environment.
<phil2627@xxxxxxxxx> wrote in message news:1178324516.560742.80820@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On May 4, 7:29 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx> wrote:
Just so we are clear though, a rogue admin in one domain of a
multidomain forest has far greater ability to impact the forest than a
rogue admin in an explicitly trusted domain.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Jeremy wrote:
> In a normal case a Domain Admin of a subordinate domain wouldn't be able
> to change the membership of accounts in any other domain unless you
> explicitly allowed it. In a multi-domain model while the TRUST is
> implicit, the rights aren't implicit up the tree.
> Now if you are talking about a rogue administrator, well then they can
> do lots of bad stuff, not limited to dropping keystroke logger on a
> machine and wait for someone who is enterprise admin of the parent
> domain to log in, but this would be no different if you had constructed
> a manual two-way trust between two disparate forests. There isn't much
> you can do to protect yourself from a rogue administrator except log and
> review.
> For a school environment I'd be going for lesser cost in overhead and
> therefore better services for end-users, since I assume that funds are
> limited. If you are careful about what rights you give people and
> secure your generic accounts then turn on your audit logging and
> ACTUALLY LOOK AT THE LOGS!! :) Then you will be fine.
> Hope this helps,
> Cheers,
> Jeremy.
> <phil2...@xxxxxxxxx> wrote in message
>news:1178312811.523579.14990@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> We are in a school district with 500 staff and 4000 non staff. We
>> are
>> still undecided on the model, but know the following
>> - only real secure model is separate forest, where staff could be in
>> one and non staff in the other and setup trusts to have certain staff
>> access resources in other forest
>> - One forest, domain model is simple, and the suggested way to go
>> unless there are political or admin delegation reasons
>> - empty domain model would not "secure" the enterprise admin
>> accounts. But, can Domain admins in a child domain access the
>> enterprise admin group without physical access to the servers ?
>> We would like to go with the single domain as, if we secure the
>> administrator account, no user should be able to gain access to the
>> domain admin or enterprise admin group.
>> With the Empty Root model the enterprise account is in its own
>> domain
>> which somewhat secures it, but this model requires more hardware.
>> If someone could please explain how a person in a child domain can
>> gain access to the enterprise account and compromise the security of
>> the forest overall I can go on with completing our single domain
>> model. Thanks.
I am now leaning towards the single domain and feeling better about
the initial decision. But what is the impact of separate forests or
domain trees ? I need to be able to explain the negative in these 2
models, especially the separate forests model since that stresses
security. Thanks again everyone.
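Joe's point that an explicit trust "depends on several configuration settings and whether or not you override the secure defaults" comes down to the trust attributes stored on each trustedDomain object. The following PowerShell is an added example, not code from this thread or from any of its posters; it assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read trusts, and the bit values are the trustAttributes flags documented in MS-ADTS. It lists every trust the current domain has and flags the ones where the boundary is implicit (intra-forest) or where SID filtering or selective authentication has been relaxed from the defaults.

```powershell
# Added example, not part of the thread: audit trust attributes that decide whether
# a trust is a real security boundary. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# trustAttributes bit flags (MS-ADTS, trustAttributes)
$NON_TRANSITIVE     = 0x1
$QUARANTINED_DOMAIN = 0x4    # SID filtering ("quarantine") on an external trust
$FOREST_TRANSITIVE  = 0x8    # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20   # implicit intra-forest trust
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed (SID history allowed)

function Get-TrustBoundaryFindings {
    param([Parameter(Mandatory)] $Trust)   # one object as returned by Get-ADTrust

    $attr = [int]$Trust.TrustAttributes
    $findings = @()

    if ($attr -band $WITHIN_FOREST) {
        # Domains in one forest trust each other implicitly and transitively;
        # this is the case Joe describes where the domain is not a boundary.
        $findings += 'intra-forest trust: implicit, transitive, not a security boundary'
    }
    elseif ($attr -band $FOREST_TRANSITIVE) {
        if ($attr -band $TREAT_AS_EXTERNAL) {
            $findings += 'forest trust: SID filtering relaxed (SID history enabled)'
        }
        if (-not ($attr -band $CROSS_ORGANIZATION)) {
            $findings += 'forest trust: selective authentication not enabled'
        }
    }
    else {
        # External trust between individual domains
        if (-not ($attr -band $QUARANTINED_DOMAIN)) {
            $findings += 'external trust: SID filtering (quarantine) turned off'
        }
        if (-not ($attr -band $CROSS_ORGANIZATION)) {
            $findings += 'external trust: selective authentication not enabled'
        }
        if (-not ($attr -band $NON_TRANSITIVE)) {
            $findings += 'external trust: transitive'
        }
    }

    [PSCustomObject]@{
        Target          = $Trust.Target
        Direction       = $Trust.Direction
        TrustAttributes = ('0x{0:X}' -f $attr)
        Findings        = ($findings -join '; ')
    }
}

# Enumerate every trust of the current domain and report the weak settings.
Get-ADTrust -Filter * | ForEach-Object { Get-TrustBoundaryFindings -Trust $_ } |
    Format-Table -AutoSize
```

Run it from each domain (and each forest, if you go the separate-forest route) and keep the output with your audit logs; a trust whose findings change between runs is exactly the kind of override of the secure defaults Joe is warning about.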