Even knowing the skeleton process for it, it's not an easy exploit, and
certainly not something that a script kiddie is going to pull off - it takes
more knowledge than that to perform.

Still, it is an additional layer of security, one which IMO is still a
benefit to all but the smallest shops.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, February 19, 2003 9:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Empty root domain benefits?
> 
> 
> The point about the domain security issue is that, while it 
> would be very difficult to exploit the first time, it would 
> be much easier for others to do subsequently were the details 
> to be made public.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: Roger Seielstad <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 19 Feb 2003 09:34:37 -0500
> 
> I'd have to disagree on two of your four points.
> 
> -Enhanced Security: it is indeed more secure to keep the schema and
> enterprise admins group in a different domain. The cross-domain security
> hole is relatively difficult to exploit, and does require physical (or at
> least interactive) access to a global catalog server.
> 
> -Longer names: There is no requirement for multiple domain forests to exist
> in contiguous namespace. In fact, there is no need for them to be related
> namespaces at all. In fact, it is possible to set the root domain to be
> root.domain.com and have the production domain named domain.com. The only
> requisite here is that you have a sufficient knowledge of DNS such that you
> can manage the DNS namespace.
> 
> 
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
> 
> 
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, February 18, 2003 9:15 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Empty root domain benefits?
> > 
> > 
> > Hi Cliff,
> > 
> > There are two pros that I am aware of...
> > 
> > 1. In the case of radical naming hierarchy surgery, e.g., acquisition of
> > another company, it provides a convenient place to merge in the new domains.
> > 
> > 2. "Enhanced security" for the Enterprise Admins and Schema Admins groups is
> > often claimed, but in practice an empty root buys you little with respect to
> > security.
> > 
> > Cons:
> > 
> > 1. It's not a single domain forest, which is the best of all possible worlds
> > when you can do it.
> > 
> > 2. It makes names longer than they need to be; a minor annoyance.
> > 
> > Unless you have some overriding reason for multiple domains (multiple sites
> > and slow WAN links can be an issue), I would stick with a single domain
> > forest. It makes life much simpler.
> > 
> > -gil
> > 
> > 
> > -----Original Message-----
> > From: Clifford Airhart [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, February 18, 2003 6:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Empty root domain benefits?
> > 
> > 
> > Hello Everyone,
> > 
> >     The simplest domain model is the Single Forest / Single Domain. I
> > was thinking of using this model with an "empty" root domain. Does anyone
> > have any experience with an "empty" root domain? Is it really beneficial? We
> > are only a small company with a few hundred users and have 4 domains in a
> > multimaster NT domain model.
> > 
> > What are the pros and cons?
> > 
> > Thanks,
> > 
> > Cliff Airhart 
> > Answer Financial Inc. 
> > Senior Systems Administrator - Server Support / eBusiness
> > [EMAIL PROTECTED] 818.644.4225 We answer to you.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
