Re: Reasons for Empty (headless root) Root



Nope, I won't go into details about it. There is nothing that can be done to stop it, and just going around describing it to people does nothing to help the situation. There is a book by my friend Guido Grillenmeier which unfortunately alludes to how it can be done; I can't say I was too thrilled to read how much detail he gave about the problem. Truly and honestly, it is so trivial that anyone with a relatively decent grasp of AD who spends an hour thinking about how they would try to do it will likely come up with at least one way to do it. There are both trivial ways and not so trivial ways.

joe



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Chelis Guifoyle wrote:
Wow, that is certainly eye opening... would you care to describe offline how domains can affect other domains (I can email you directly)? I don't know where I got the idea that they were secure, but I guess it was taught to me somewhere... :(

That was primarily the reason for going to a new domain, as well as part of the reason of the creation of our other domain.. that's some serious bad vibe there.

I am very interested in learning more about how the security is between domain and domain vs forest. I feel like all that I know about Windows domains is bunk right now.


"Joe Richards [MVP]" wrote:

> Do you disagree with me by saying a domain is also a security
> boundary in that the administrative control is cut off from
> other domains such that it cannot directly affect them?

Yes, I completely disagree with that statement. That is why MSFT says the forest is a security boundary, not the domain. It is why a bunch of us beat up on MSFT back in 2000 when they tried to say the domain was a security boundary. I quickly and easily compromised a root domain from a child domain for the first time in about May 2000, showing how simple it was, and nothing has changed. I won't go into details, but it is quite trivial for a DA or even a Serv Op in Domain 1 to go screw with Domain 2.

Domains are sort of a replication boundary; the config and schema replicate across all DCs in a forest, and also obviously GCs replicate across domain NC boundaries.

Domains are sort of a Group Policy boundary; you can have GPOs that are set on sites, which are forest scope.

Domains are a password policy boundary, that is definitive. Well, that is until Longhorn, and then fine grained password policy blows that out the window as well, removing one of the only truly technical reasons to have multiple domains.


I think that if you put the second domain in place only to give another set of folks DA over it and you think they can't hurt anything else in the forest, you are under serious misunderstandings of how Windows Active Directory security works, and likely you never should have moved from a single domain forest configuration. Multiple domain forests should have all domains managed by the same set of domain/enterprise admins, and that number of domain admins should not number more than 3-5. Everyone else should have minimal delegated rights into the directory, and no one else should have direct access to the DCs.

The walls that separate domain admins in different domains in the same forest are made out of razor thin tissue paper.



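The post above argues that every DA, Server Op or Administrator in any domain is effectively trusted forest-wide and that the privileged set should be kept to 3-5 people. The following added example (not code from the thread or its authors) turns that advice into an audit: it enumerates the privileged groups in every domain of the forest by well-known SID and flags any that exceed a threshold. It assumes the RSAT ActiveDirectory module and a read-capable account; the threshold of 5 is a constructed value taken from the post's guidance.

```powershell
# Added example: audit privileged group membership across all domains in the forest.
# Assumes the RSAT ActiveDirectory PowerShell module is installed.
Import-Module ActiveDirectory

# Constructed threshold based on the post's "3-5 domain admins" guidance.
$MaxPrivileged = 5

# Resolve groups by well-known RID / builtin SID so localized group names do not matter.
# Enterprise Admins (519) and Schema Admins (518) exist only in the forest root domain.
$DomainRids  = @{ 'Domain Admins' = 512; 'Enterprise Admins' = 519; 'Schema Admins' = 518 }
$BuiltinSids = @{ 'Administrators'    = 'S-1-5-32-544'; 'Server Operators' = 'S-1-5-32-549'
                  'Account Operators' = 'S-1-5-32-548'; 'Backup Operators' = 'S-1-5-32-551' }

$forest = Get-ADForest
foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Server $domainName
    $groups = @{}
    foreach ($name in $DomainRids.Keys) {
        if ($DomainRids[$name] -ne 512 -and $domainName -ne $forest.RootDomain) { continue }
        $groups[$name] = "$($domain.DomainSID.Value)-$($DomainRids[$name])"
    }
    foreach ($name in $BuiltinSids.Keys) { $groups[$name] = $BuiltinSids[$name] }

    foreach ($name in $groups.Keys) {
        try {
            # -Recursive expands nested groups so indirect members are counted as well.
            $members = @(Get-ADGroupMember -Identity $groups[$name] -Server $domainName -Recursive -ErrorAction Stop)
            $status  = if ($members.Count -gt $MaxPrivileged) { 'REVIEW' } else { 'ok' }
        } catch {
            # Typically a member from another domain that this DC cannot resolve; inspect by hand.
            $members = @(); $status = 'UNRESOLVED'
        }
        [pscustomobject]@{
            Domain  = $domainName
            Group   = $name
            Members = $members.Count
            Status  = $status
            Names   = ($members | ForEach-Object { $_.SamAccountName }) -join ','
        }
    }
}
```

Rows marked UNRESOLVED usually mean the group holds principals from another domain in the forest (for example the root's Enterprise Admins sitting in a child's Administrators), which is exactly the cross-domain reach the post describes and should be reviewed by hand.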


Chelis Guifoyle wrote:
When I say more security I mean that the forest in itself is protected by the fact that certain active security principals would be moved off into a separate boundary, being that child domain. These principals that would normally have had free rein to do things in the root would now be isolated to only do things in their domain vs affecting the entire forest via the root....

Do you disagree with me by saying a domain is also a security boundary in that the administrative control is cut off from other domains such that it cannot directly affect them?

I guess one could argue about how the root (er initial domain) was administered, but that's beside the point....

What it comes down to is our company started a 2nd domain based on geographical boundaries. This child has its own administrative control to a degree... their staff administer their own domain for the most part. Now it comes down to, for our team, since we've been on the root from the beginning, maybe we should follow suit and base it geographically: move everyone off into a new child, empty out the root, and create only specific accounts in the root...

What do you think?






"Joe Richards [MVP]" wrote:

You are wrong if you think it gives more security. The forest, not the domain, is the security boundary; what security benefit do you get moving objects around within the boundary?

My opinion on whether it is good or not depends on the company I am talking to and their stated goals/desires. For most companies, I think it is a bad idea; in fact, I think they should have a single domain forest. For other companies, notably some of the Fortune 5 companies I have worked on, I wouldn't have implemented it any other way. Again, it depends on the company and whether it makes sense at that company.




Chelis Guifoyle wrote:
What is your opinion on why it's good vs bad? I'm curious to hear more on the topic...

The only thing I see is moving users off the forest root which would allow for somewhat greater security of the forest/enterprise. Am I on the wrong track here?

Thanks!!

"Joe Richards [MVP]" wrote:

This can be debated for days; it depends entirely on the company and the goals and what kind of administrative overhead a company is willing to accept for an empty root. In general, smaller companies don't usually do it, but larger companies are more likely to do it; again, it is all based on things specific to those companies. There is no security benefit of doing this.



Chelis Guifoyle wrote:
What are the pros and cons, or why/why nots, for moving off the root domain and into a child? We already have 2 children based off geographical means; our first domain, where most users first originated, is still the root. Ideally we'd like to move these original users to a new domain that is more akin to the geographical standard already set.

Thanks in advance.




