Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However, I didn't mean that I
do not agree that the forest is the security boundary; rather, I do not like
people using that term without being more specific. This will lead customers
who are not enough into the details to deploy multiple forests in scenarios
where multiple domains (if even that) would have been sufficient. Keeping
viruses, malware, and the regular "I'm admin - so let's surf the web" aside:
companies who might trust their admins but have too many users to trust each
of them might deploy multiple forests b/c they are afraid that users might
try to (hack/)get into other domains. However, in a case like this it
_might_ be overrated to deploy different forests, 'cause it's way harder for a
regular user to get into another domain (and to valuable data there) than it
is for an admin, the scenario is more difficult to administer (which might
lead to loosened security and/or more admins you'll have to trust) and the
physical security might not be in place to justify such a scenario (the
users might still hop around in the same building without distinguished
building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious
category, and I don't think that forests shouldn't be mentioned as a security
boundary. However, I think if you do mention that, you also need to clarify
against which threats you're deploying additional forests and what also
needs to be applied in the company if you need that level of security for
certain parts. In many cases a proper investment into security is better
placed by drilling security into the heads of the admins (you're surfing the
web as admin? Put your fingers on the table! Slap! ;-) [3] ) than by deploying
multiple forests without taking additional measures and wrongly believing it's
buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have
physical access to any machines in the office running in forest B and vice
versa

[2] different wires, VLANs, or a generic network with people VPNing into
their infrastructure. I don't trust our friends aka "the unintentional
fighters against security" aka devs. There are passwords on the wire
somewhere in almost every network, and this threat is dependent on your
number of in-house developed apps IMHO.

[3] Yes - sorry - I'm German ;-)

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and 
|administration boundary (and a replication boundary), rather 
|than a weak security boundary. It is more precise, and IMO, 
|given the automatic domain trusts in a forest, there is not 
|much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through 
|email and web pages for instance), the distinction between 
|"criminal" and "unintentional" is thin, if not non-existent. 
|People with criminal intent subvert administrative machines 
|and accounts all the time. So even if you think your domain 
|admin threats are all in the non-malicious category (not a 
|smart way to think in any case), once the domain admin is 
|exposed to some malware script, they've effectively taken on 
|the criminal intent.
|
|-gil
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the "general - forest is the security 
||boundary - statement"?
|
|Cause IMHO the domain is a security boundary against
|accidental security issues, the forest against malicious/criminal.
|
|Companies usually trust their admins of different domains but
|might want to protect them against accidental mistakes or
|gaining rights easily. A different domain would be sufficient
|then. However if you want to protect yourself against admins
|with criminal energy (and I consider manipulating SID-History
|on purpose as criminal energy) the forest is the security boundary.
|
|So I agree a plain vanilla statement "the domain is the
|security boundary" is wrong, however I don't like the same plain
|vanilla statement of the forest - it should be more clearly pointed
|out if we are talking about criminal intentions or accidental
|intentions (which includes "let's try quickly if we are able to
|..." - does not include hacking).
|
|Ulf 
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
||Sent: Monday, October 17, 2005 11:59 PM
||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Well, I call it that way because a user can authenticate with only DCs
||from its domain available (assuming the requirement for a GC is
||disabled) but cannot authenticate without a DC from its domain while
||having a GC available. You are correct that any GC in the forest may be
||used if the GC requirement is enabled (by default), or you can even use
||the crappy "universal group caching feature". So you need a DC from your
||domain to authenticate and that is why a domain is called the
||authentication boundary (at least for me ;-) )
|| 
||So why don't you agree with the "general - forest is the security 
||boundary - statement"?
||Jorge
||
||________________________________
||
||From: [EMAIL PROTECTED] on behalf of Ulf B. 
||Simon-Weidner
||Sent: Mon 10/17/2005 11:24 PM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||
||
||Hmm - I wouldn't 100% call the domain the authentication "boundary".
||
||Authentication in a W2k+ network without any mods not to rely on the GC
||is done - as you said - via a DC of the same domain the account resides
||in, plus any GC of the forest - it is not necessary that a GC which
||resides in the same domain is available, but the logon will work.
||
||Ulf "I also don't agree with the general 'Forest is the security 
||boundary'-statement" B. Simon-Weidner
||
|||-----Original Message-----
|||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
|||Sent: Monday, October 17, 2005 6:47 PM
|||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|||Subject: RE: [ActiveDir] Global Catalog
|||
|||Yes you are correct. The answer is No. A domain within a forest is the
|||authentication boundary. So when all DCs of domain "other.biz" are
|||unavailable the users from "other.biz" will not be able to log on, as
|||there is no DC available to authenticate the user at logon and create
|||the access token.
|||During logon a GC is contacted to check if universal group memberships
|||exist for the user account logging on.
|||
|||Jorge
|||
|||________________________________
|||
|||From: [EMAIL PROTECTED] on behalf of Pete
|||Sent: Mon 10/17/2005 5:57 PM
|||To: ActiveDir@mail.activedir.org
|||Subject: [ActiveDir] Global Catalog
|||
|||
|||
|||Hi
|||
|||Just a quick and easy question to profs:
|||
|||Can an AD domain controller of one domain (one.com) with the Global Catalog
|||function enabled somehow process a logon request of a user from a different
|||domain (other.biz), in the case when all domain controllers for that other
|||domain (other.biz) are not reachable?
|||
|||I believe - no.
|||Am I right?
|||
|||Thanks,
|||
|||Pete
|||
|||
|||List info   : http://www.activedir.org/List.aspx
|||List FAQ    : http://www.activedir.org/ListFAQ.aspx
|||List archive:
|||http://www.mail-archive.com/activedir%40mail.activedir.org/
|
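The dependency Pete, Jorge and Ulf are discussing (a user needs a reachable DC of their own domain, plus some GC in the forest unless the GC requirement is disabled or universal group caching is used) can be checked from the defender's side. The script below is an added example, not code from anyone in the thread; it assumes a domain-joined Windows host, uses the standard .NET System.DirectoryServices.ActiveDirectory classes, and the floor of two reachable DCs per domain is an assumed threshold.

```powershell
# Added example (not from the thread). Inventories DCs and GCs per domain in the
# current forest and flags domains whose logon path has no redundancy.
# Assumes a domain-joined host; the "2 DCs per domain" floor is an assumption.
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapPort {
    param([string]$HostName, [int]$Port = 389, [int]$TimeoutMs = 2000)
    # TCP connect to the LDAP port: ICMP is often filtered, and a DC that does
    # not answer on 389 cannot serve a logon anyway.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$minDcs = 2    # assumed floor: a single reachable DC is a single point of failure for logon
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Any GC in the forest can answer the universal-group lookup, so count them forest-wide.
$allGcs       = @($forest.GlobalCatalogs)
$reachableGcs = @($allGcs | Where-Object { Test-LdapPort -HostName $_.Name })
Write-Host ("Forest {0}: {1} of {2} GCs reachable" -f $forest.Name, $reachableGcs.Count, $allGcs.Count)

foreach ($domain in $forest.Domains) {
    # Only a DC of the user's own domain can build the access token (Jorge's point).
    $dcs = @($domain.DomainControllers)
    $up  = @($dcs | Where-Object { Test-LdapPort -HostName $_.Name })
    $status = if ($up.Count -eq 0) { 'LOGON BROKEN: no DC of this domain reachable' }
              elseif ($up.Count -lt $minDcs) { 'AT RISK: single reachable DC' }
              elseif ($reachableGcs.Count -eq 0) { 'AT RISK: no GC reachable in forest' }
              else { 'OK' }
    [PSCustomObject]@{
        Domain    = $domain.Name
        DCs       = $dcs.Count
        DCsUp     = $up.Count
        GCsUpHere = @($up | Where-Object { $_.IsGlobalCatalog() }).Count
        Status    = $status
    }
}
```

If the GC requirement has been disabled or universal group membership caching is enabled at the site, the "no GC reachable" status is informational rather than a logon blocker.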

