I think it is better to describe a domain as a policy and administration
boundary (and a replication boundary), rather than a weak security
boundary. It is more precise, and IMO, given the automatic domain trusts
in a forest, there is not much of a security boundary between domains.

And given the ease with which malware is distributed (through email and
web pages for instance), the distinction between "criminal" and
"unintentional" is thin, if not non-existent. People with criminal
intent subvert administrative machines and accounts all the time. So
even if you think your domain admin threats are all in the non-malicious
category (not a smart way to think in any case), once the domain admin
is exposed to some malware script, they've effectively taken on the
criminal intent.

-gil

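As an added defender's check (not part of Gil's or Ulf's mail), the following PowerShell audit enumerates every account in the forest with a populated sIDHistory attribute, the attribute Ulf mentions below as the thing a criminally-minded domain admin might manipulate, and flags entries that resolve to a well-known privileged RID. It assumes the RSAT ActiveDirectory module and read access to each domain; Get-SidHistoryReport is a hypothetical name.

```powershell
# Added example, not from the thread: audit sIDHistory across every domain in
# the forest. sIDHistory is legitimate after an ADMT-style migration; an entry
# that resolves to a built-in privileged RID is what a reviewer should look at,
# because the SIDs in sIDHistory are added to the user's token at logon.
# Assumes the RSAT ActiveDirectory module; Get-SidHistoryReport is a made-up name.
Import-Module ActiveDirectory

# Well-known RIDs of high-privilege principals (last sub-authority of the SID).
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    544 = 'BUILTIN\Administrators'
}

function Get-SidHistoryReport {
    param([string]$ForestName = (Get-ADForest).Name)

    $forest = Get-ADForest -Identity $ForestName
    foreach ($domain in $forest.Domains) {
        # -Server with a domain DNS name lets the module pick a DC in that domain.
        $objects = Get-ADObject -Server $domain -LDAPFilter '(sIDHistory=*)' `
                                -Properties sIDHistory, objectClass
        foreach ($obj in $objects) {
            foreach ($entry in $obj.sIDHistory) {
                # The attribute may come back as SecurityIdentifier or raw bytes.
                $sid = if ($entry -is [System.Security.Principal.SecurityIdentifier]) {
                    $entry
                } else {
                    New-Object System.Security.Principal.SecurityIdentifier($entry, 0)
                }
                $rid = [int]($sid.Value.Split('-')[-1])
                [pscustomobject]@{
                    Domain       = $domain
                    Object       = $obj.DistinguishedName
                    Class        = $obj.objectClass
                    HistorySid   = $sid.Value
                    PrivilegedAs = if ($PrivilegedRids.ContainsKey($rid)) { $PrivilegedRids[$rid] } else { $null }
                }
            }
        }
    }
}

# Full report, with the privileged hits sorted first.
Get-SidHistoryReport | Sort-Object { -not $_.PrivilegedAs }, Domain | Format-Table -AutoSize
```

Legitimate migrations populate sIDHistory too, so treat the output as a review list rather than an alert; with account-management auditing enabled, a DC also logs each sIDHistory addition as Security event 4765.
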
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, October 17, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

|So why don't you agree with the "general - forest is the 
|security boundary - statement"?

Cause IMHO the domain is a security boundary against accidental security
issues, the forest against malicious/criminal ones.

Companies usually trust their admins of different domains but might want
to protect them against accidental mistakes or gaining rights easily. A
different domain would be sufficient then. However, if you want to
protect yourself against admins with criminal energy (and I consider
manipulating SID-History on purpose as criminal energy), the forest is
the security boundary.

So I agree a plain vanilla statement "the domain is the security
boundary" is wrong; however, I don't like the same plain vanilla
statement about the forest - it should be more clearly pointed out
whether we are talking about criminal intentions or accidental
intentions (which includes "let's try quickly if we are able to ..." -
does not include hacking).

Ulf 

|-----Original Message-----
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|Sent: Monday, October 17, 2005 11:59 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|Well, I call it that way because a user can authenticate with 
|only DCs from its domain available (assuming the requirement 
|for a GC is disabled) but cannot authenticate without a DC 
|from its domain while having a GC available. You are correct 
|that any GC in the forest may be used if the GC requirement is 
|enabled (by default) or even use the crappy "universal group 
|caching feature". So you need a DC from your domain to 
|authenticate and that is why a domain is called the 
|authentication boundary (at least for me ;-) )
| 
|So why don't you agree with the "general - forest is the 
|security boundary - statement"?
|Jorge
|
|________________________________
|
|From: [EMAIL PROTECTED] on behalf of Ulf B. 
|Simon-Weidner
|Sent: Mon 10/17/2005 11:24 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|
|
|Hmm - I wouldn't 100% call the domain the authentication "boundary".
|
|Authentication in a W2k+ network without any mods not to rely 
|on the GC is done - as you said - via a DC of the same domain 
|the account resides in plus any GC of the forest - it is not 
|necessary that a GC which resides in the same domain is 
|available, but the logon will work.
|
|Ulf "I also don't agree with the general 'Forest is the 
|security boundary'-statement" B. Simon-Weidner
|
||-----Original Message-----
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
||Sent: Monday, October 17, 2005 6:47 PM
||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Yes you are correct. The answer is No. A domain within a forest is the 
||authentication boundary. So when all DCs of domain "other.biz" are 
||unavailable the users from "other.biz" will not be able to log on, as 
||there is no DC available to authenticate the user at logon and create 
||the access token.
||During logon a GC is contacted to check if universal group memberships 
||exist for the user account logging on.
||
||Jorge
||
||________________________________
||
||From: [EMAIL PROTECTED] on behalf of Pete
||Sent: Mon 10/17/2005 5:57 PM
||To: ActiveDir@mail.activedir.org
||Subject: [ActiveDir] Global Catalog
||
||
||
||Hi
||
||Just a quick and easy question to profs:
||
||Can an AD domain controller of one domain (one.com) with the Global Catalog 
||function enabled somehow process the logon request of a user from a different 
||domain (other.biz), in case all domain controllers for that other 
||domain (other.biz) are not reachable?
||
||I believe - no.
||Am I right?
||
||Thanks,
||
||Pete
||
||
||--
||Free e-mail addresses provided by http://pasts.delfi.lv/
||List info   : http://www.activedir.org/List.aspx
||List FAQ    : http://www.activedir.org/ListFAQ.aspx
||List archive:
||http://www.mail-archive.com/activedir%40mail.activedir.org/
||
||
||
||
||
|
|
|

