Hi Roger, Tony

It's all an issue of how high can you raise the bar... Having an empty root
raises it above the heads of script kiddies, which I agree is better than
nothing.

The question then is from where do you perceive the greater threat? Most IT
attacks are engineered from people in the IT organization, not their
high-school aged script-kiddie children :-). In most organizations,
particularly small ones, physical access control is weak, and anyone in the
IT organization can get access to a GC. All that's needed then is someone to
post an attack somewhere on a newsgroup, and, well, you can see where it
ends up. That's why I say that the empty root doesn't buy you much.

You are of course correct about the name length issue. But managing disjoint
namespaces just adds to administrative complexity, and for a small
organization, IMHO, the costs don't justify the benefits.

So is the empty root worth the additional administrative overhead? YMMV, but
I would suggest that a smaller organization would be better off with a
single domain and stronger physical access control on the DCs.

-gil

Gil Kirkpatrick
CTO, NetPro
Author of "Active Directory Programming" from Macmillan

The next Directory Experts Conference is April 28. See
http://www.netpro.com/welcome/decadus.
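As an added check, not part of this thread (the ActiveDirectory PowerShell module postdates this 2003 discussion): a script that enumerates the two things the argument above hinges on, the membership of the forest-wide Enterprise Admins and Schema Admins groups in the root domain, and the domain controllers that host a Global Catalog. It lets an administrator confirm those groups are empty when no forest-level change is in progress and shows which servers need the physical access control recommended above. The forest and root domain are discovered at runtime; the groups are resolved by their well-known RIDs (519 and 518), so the display names used in the output are the default English ones and are an assumption.

```powershell
# Added example (not from the thread): audit the forest-wide privileged groups
# and the Global Catalog servers that the empty-root discussion revolves around.
# Requires the ActiveDirectory module (RSAT) and read access to the forest.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Identity $forest.RootDomain
$rootSid = $rootDom.DomainSID.Value

# Enterprise Admins (RID 519) and Schema Admins (RID 518) exist only in the
# forest root domain; resolving by SID finds them even if they were renamed.
$privGroups = [ordered]@{
    'Enterprise Admins' = "$rootSid-519"
    'Schema Admins'     = "$rootSid-518"
}

foreach ($name in $privGroups.Keys) {
    # -Recursive expands nested groups so indirect members are listed too.
    $members = @(Get-ADGroupMember -Identity $privGroups[$name] `
                    -Server $forest.RootDomain -Recursive)
    Write-Host ("{0}: {1} member(s)" -f $name, $members.Count)
    foreach ($m in $members) {
        Write-Host ("    {0} ({1})" -f $m.SamAccountName, $m.objectClass)
    }
    # Schema Admins should normally be empty outside a schema change window.
    if ($name -eq 'Schema Admins' -and $members.Count -gt 0) {
        Write-Warning "Schema Admins is not empty; confirm a schema change is in progress."
    }
}

# Global Catalog servers: the machines whose physical or interactive access the
# thread treats as the pivot for cross-domain abuse. Query each domain in turn,
# since Get-ADDomainController only returns the DCs of the domain it targets.
Write-Host "`nGlobal Catalog servers in forest $($forest.Name):"
foreach ($domain in $forest.Domains) {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $domain |
        Sort-Object Name |
        Format-Table Name, Domain, Site, IPv4Address -AutoSize
}
```

Run it from a workstation with RSAT as an ordinary domain user; read access to group membership and the configuration partition is enough, so no Enterprise Admins membership is needed to perform the audit itself.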



-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 19, 2003 8:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Empty root domain benefits?


Even knowing the skeleton process for it, it's not an easy exploit, and
certainly not something that a script kiddie is going to pull off - it takes
more knowledge than that to perform.

Still, it is an additional layer of security, one which IMO is still a
benefit to all but the smallest shops.

------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Inovis - Formerly Harbinger and Extricity
Atlanta, GA


> -----Original Message-----
> From: Tony Murray [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 19, 2003 9:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Empty root domain benefits?
> 
> 
> The point about the domain security issue is that, while it
> would be very difficult to exploit the first time, it would 
> be much easier for others to do subsequently were the details 
> to be made public.
> 
> Tony
> ---------- Original Message ----------------------------------
> From: Roger Seielstad <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date:  Wed, 19 Feb 2003 09:34:37 -0500
> 
> I'd have to disagree on two of your four points.
> 
> -Enhanced Security: it is indeed more secure to keep the schema and
> enterprise admins group in a different domain. The cross-domain
> security hole is relatively difficult to exploit, and does require
> physical (or at least interactive) access to a global catalog server.
>
> -Longer names: There is no requirement for multiple domain forests to
> exist in contiguous namespace. In fact, there is no need for them to be
> related namespaces at all. In fact, it is possible to set the root domain
> to be root.domain.com and have the production domain named domain.com.
> The only requisite here is that you have a sufficient knowledge of DNS
> such that you can manage the DNS namespace.
> 
> 
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Inovis - Formerly Harbinger and Extricity
> Atlanta, GA
> 
> 
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 9:15 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Empty root domain benefits?
> > 
> > 
> > Hi Cliff,
> > 
> > There are two pros that I am aware of...
> > 
> > 1. In the case of radical naming hierarchy surgery, e.g., acquisition of
> > another company, it provides a convenient place to merge in the new
> > domains.
> >
> > 2. "Enhanced security" for the Enterprise Admins and Schema Admins groups
> > is often claimed, but in practice an empty root buys you little with
> > respect to security.
> >
> > Cons:
> >
> > 1. It's not a single domain forest, which is the best of all possible
> > worlds when you can do it.
> >
> > 2. It makes names longer than they need to be; a minor annoyance.
> >
> > Unless you have some overriding reason for multiple domains (multiple
> > sites and slow WAN links can be an issue), I would stick with a single
> > domain forest. It makes life much simpler.
> > 
> > -gil
> > 
> > 
> > -----Original Message-----
> > From: Clifford Airhart [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, February 18, 2003 6:01 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Empty root domain benefits?
> > 
> > 
> > Hello Everyone,
> > 
> >     The simplest domain model is the Single Forest / Single Domain. I
> > was thinking of using this model with an "empty" root domain. Does anyone
> > have any experience with an "empty" root domain? Is it really beneficial?
> > We are only a small company with a few hundred users and have 4 domains
> > in a multimaster NT domain model.
> > 
> > What are the pros and cons?
> > 
> > Thanks,
> > 
> > Cliff Airhart
> > Answer Financial Inc. 
> > Senior Systems Administrator - Server Support / eBusiness
> > [EMAIL PROTECTED] 818.644.4225 We answer to you.
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/