I agree that you should properly review the situation before deploying anything.
I disagree on the comments on the domain security boundary stuff. Like it or not, the forest IS the security boundary. There isn't any so-so security boundary at the domain level. Account Policy and sort of replication are the boundaries I see. While you personally may trust one set of admins to admin one domain in a forest but not the others, it isn't truly protecting anything. You are simply engaging in wishful thinking that any accidents that occur will be limited in scope and impact to the one single domain. I consider that dangerous thinking considering the criticality of the Windows forest in the overall security of a Windows network. It is my very firm opinion that there should be one administrative group all within the same management entity (none of this dotted line or multiple direct supervisor stuff) that manages an entire forest and all domains in that forest. Breaking up the admins by domain is again at best wishful thinking that that is going to protect the overall forest. You could live safely in that way for years or you could get decimated next week when some bright person releases a bad bad program that takes advantage of people having too many permissions in the directory. You have no clue because you are gambling and you never know when snake eyes will come up, seriously. The better your overall policy on how admin accounts are handled the safer you can be, but if you have different admin groups the chances your policy will be the same or at least interpreted and handled the same across all groups is greatly decreased, especially in larger orgs where it makes the most sense to have multiple domains. You absolutely cannot divvy up the risk into malicious and not-malicious. If there is someone with intent to do something bad, they shouldn't be an admin no matter what, not in any domain.
Whoever is giving out keys has the responsibility to assure that the people they give the keys to have the best interests of the company at heart, and monitors that to assure that it is maintained. That means you simply have risk. You mitigate the risk by having the absolute least number of people possible having any access to modify any DCs. You then further mitigate that risk by those people having different IDs for normal user stuff (email, office, file sharing), Domain Admin access (for each domain), and Enterprise Admin access, and no synced passwords between any of the accounts. As you see I have put containers around the risk in a similar way that you propose for using different admins for different domains, but go further and reduce the total number of people with any access and make them responsible for everything. That helps in the case of some accidents that are scoped to a domain or poorly written exploits. It is layers. I am all for believing that people are generally good, but I don't trust security to it. Considering the criticality of forest security in a Windows corporate environment, you have to be extremely careful with what you do and there should be no question on who owns the whole thing and who can make decisions impacting all of it. Splitting up the admin of various domains complicates things to the Nth degree.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, October 18, 2005 2:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However I didn't mean that I do not agree that the forest is the security boundary; however I do not like people using that term without being more specific.
This will lead customers who are not enough into details to deploy multiple forests in scenarios where multiple domains (if even that) would have been sufficient. Keeping viruses, malware, and the regular "I'm admin - so let's surf the web" aside: companies who might trust their admins but have too many users to trust each of them might deploy multiple forests b/c they are afraid that users might (hack/)try to get into other domains. However in a case like this it _might_ be overrated to deploy different forests, cause it's way harder for a regular user to get into another domain (and to valuable data there) than it is for an admin, the scenario is more difficult to administer (which might lead to loosened security and/or more admins you'll have to trust) and the physical security might not be in place to justify such a scenario (the users might still hop around in the same building without distinguished building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious category, and I don't think that forests shouldn't be mentioned as security boundary; however I think if you do mention that, you also need to clarify against which threats you're deploying additional forests and what also needs to be applied in the company if you need that level of security for certain parts. In many cases a proper investment into security is better placed by drilling security into the heads of the admins (you're surfing the web as admin? Put your fingers on the table! Slap! ;-) [3] ) than deploying multiple forests without taking additional measures and wrongly believing it's buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have physical access to any machines in the office running in forest B and vice versa
[2] different wires, VLANs, or a generic network with people VPNing into their infrastructure. I don't trust our friends aka "the unintentional fighter against security" aka devs.
There are somewhere passwords on the wire in almost every network, and this threat is dependent on your number of in-house developed apps IMHO.
[3] Yes - sorry - I'm German ;-)

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and administration boundary (and a replication boundary), rather than a weak security boundary. It is more precise, and IMO, given the automatic domain trusts in a forest, there is not much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through email and web pages for instance), the distinction between "criminal" and "unintentional" is thin, if not non-existent. People with criminal intent subvert administrative machines and accounts all the time. So even if you think your domain admin threats are all in the non-malicious category (not a smart way to think in any case), once the domain admin is exposed to some malware script, they've effectively taken on the criminal intent.
|
|-gil
|
|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the "general - forest is the security boundary - statement"?
|
|Cause IMHO the domain is a security boundary against accidental security issues, the forest against malicious/criminal.
|
|Companies usually trust their admins of different domains but might want to protect them against accidental mistakes or gaining rights easily. A different domain would be sufficient then.
|However if you want to protect yourself against admins with criminal energy (and I consider manipulating SID-History on purpose as criminal energy) the forest is the security boundary.
|
|So I agree a plain vanilla statement "the domain is the security boundary" is wrong; however I don't like the same plain vanilla statement of the forest - it should be more clearly pointed out if we are talking about criminal intentions or accidental intentions (which includes "let's try quickly if we are able to ..." - does not include hacking).
|
|Ulf
|
||-----Original Message-----
||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
||Sent: Monday, October 17, 2005 11:59 PM
||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Well, I call it that way because a user can authenticate with only DCs from its domain available (assuming the requirement for a GC is disabled) but cannot authenticate without a DC from its domain while having a GC available. You are correct that any GC in the forest may be used if the GC requirement is enabled (by default) or even use the crappy "universal group caching feature". So you need a DC from your domain to authenticate and that is why a domain is called the authentication boundary (at least for me ;-) )
||
||So why don't you agree with the "general - forest is the security boundary - statement"?
||
||Jorge
||
||________________________________
||
||From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
||Sent: Mon 10/17/2005 11:24 PM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Hmm - I wouldn't 100% call the domain the authentication "boundary".
||
||Authentication in a W2k+ network without any mods not to rely on the GC is done - as you said - via a DC of the same domain the account resides in plus any GC of the forest - not necessarily that a GC which resides in the same domain is available, but the logon will work.
||
||Ulf "I also don't agree with the general 'Forest is the security boundary'-statement" B. Simon-Weidner
||
|||-----Original Message-----
|||From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
|||Sent: Monday, October 17, 2005 6:47 PM
|||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|||Subject: RE: [ActiveDir] Global Catalog
|||
|||Yes you are correct. The answer is No. A domain within a forest is the authentication boundary. So when all DCs of domain "other.biz" are unavailable the users from "other.biz" will not be able to log on, as there is no DC available to authenticate the user at logon and create the access token. During logon a GC is contacted to check if universal group memberships exist for the user account logging on.
|||
|||Jorge
|||
|||________________________________
|||
|||From: [EMAIL PROTECTED] on behalf of Pete
|||Sent: Mon 10/17/2005 5:57 PM
|||To: ActiveDir@mail.activedir.org
|||Subject: [ActiveDir] Global Catalog
|||
|||Hi
|||
|||Just a quick and easy question to profs:
|||
|||Can an AD domain controller of one domain (one.com) with the Global Catalog function enabled somehow process a logon request of a user from a different domain (other.biz), in case when all domain controllers for that other domain (other.biz) are not reachable?
|||
|||I believe - no.
|||Am I right?
|||
|||Thanks,
|||
|||Pete
|||
|||--
|||Free e-mail addresses provided by http://pasts.delfi.lv/
|||List info : http://www.activedir.org/List.aspx
|||List FAQ : http://www.activedir.org/ListFAQ.aspx
|||List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
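The whole thread turns on two practical points: the forest, not the domain, is the boundary that matters, and the number of people who can modify DCs should be as small as possible and audited. The script below is an added example for readers of this archive; it is not code posted by any of the participants. It walks every domain in the forest, expands the groups that can change domain controllers or the directory, and reports the things the thread argues about: how many distinct people hold such rights, which accounts are privileged in more than one domain (one compromise reaches several domains through the automatic trusts), which privileged accounts carry sIDHistory (the attribute Ulf mentions as a deliberate-manipulation target), which are disabled but still members, and whether Schema Admins is populated. It assumes the RSAT ActiveDirectory PowerShell module, an account that can read group membership in every domain, and a reachable global catalog; the group list and the output file name are my choices, not anything from the thread.

```powershell
# Added example, not from the thread: forest-wide inventory of accounts that can modify DCs.
# Assumes the RSAT ActiveDirectory module and read access to every domain in the forest.
Import-Module ActiveDirectory

$forest = Get-ADForest
$gc     = "$($forest.RootDomain):3268"   # any GC answers for objects in every domain

# Universal groups that exist only in the forest root, then groups present in every domain.
# (Group selection is this example's assumption; extend it for your own delegation model.)
$forestWideGroups = 'Enterprise Admins', 'Schema Admins'
$perDomainGroups  = 'Domain Admins', 'Administrators', 'Server Operators',
                    'Account Operators', 'Backup Operators'

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Split on unescaped commas only, then join the DC= components into a DNS name.
    $parts = $DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }
    ($parts | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-PrivilegedMembership {
    param([string]$Domain, [string]$Group)
    $dc = (Get-ADDomain -Identity $Domain).PDCEmulator
    try {
        # -Recursive expands nested groups. Members from sibling domains appear because every
        # domain in the forest is reachable through the automatic transitive trusts; each one
        # is resolved through the GC so no per-domain DC lookup is needed.
        Get-ADGroupMember -Identity $Group -Server $dc -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADObject -Identity $_.distinguishedName -Server $gc `
                         -Properties sAMAccountName, sIDHistory, userAccountControl
                [pscustomobject]@{
                    GroupDomain   = $Domain
                    Group         = $Group
                    AccountDomain = Get-DomainFromDN $u.DistinguishedName
                    Account       = $u.sAMAccountName
                    Disabled      = [bool]($u.userAccountControl -band 2)   # ACCOUNTDISABLE
                    SIDHistory    = @($u.sIDHistory).Count
                }
            }
    } catch {
        Write-Warning "Could not expand $Domain\$Group on $($dc): $_"
    }
}

$rows = @()
foreach ($g in $forestWideGroups) {
    $rows += Get-PrivilegedMembership -Domain $forest.RootDomain -Group $g
}
foreach ($d in $forest.Domains) {
    foreach ($g in $perDomainGroups) {
        $rows += Get-PrivilegedMembership -Domain $d -Group $g
    }
}

# 1. Headcount: the thread's point is to make this list as short as possible.
$people = $rows | Sort-Object AccountDomain, Account -Unique
"{0} distinct accounts hold privileged membership across {1} domain(s)" -f $people.Count, $forest.Domains.Count

# 2. Accounts privileged in more than one domain: one compromise reaches several domains.
$rows | Group-Object AccountDomain, Account |
    Where-Object { @($_.Group.GroupDomain | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { "MULTI-DOMAIN: {0} in {1}" -f $_.Name, (@($_.Group.GroupDomain | Sort-Object -Unique) -join ', ') }

# 3. sIDHistory on a privileged account is expected only during a migration; anything else
#    deserves the scrutiny the thread gives to deliberate SID-History manipulation.
$rows | Where-Object { $_.SIDHistory -gt 0 } |
    ForEach-Object { "SIDHISTORY: {0}\{1} ({2} entries) in {3}\{4}" -f $_.AccountDomain, $_.Account, $_.SIDHistory, $_.GroupDomain, $_.Group }

# 4. Disabled accounts that still hold membership are stale rights waiting to be re-enabled.
$rows | Where-Object Disabled |
    ForEach-Object { "DISABLED: {0}\{1} still in {2}\{3}" -f $_.AccountDomain, $_.Account, $_.GroupDomain, $_.Group }

# 5. Schema Admins should normally be empty and populated only for a planned schema change.
$schema = $rows | Where-Object { $_.Group -eq 'Schema Admins' }
if ($schema) { "SCHEMA ADMINS populated: {0}" -f (@($schema.Account | Sort-Object -Unique) -join ', ') }

$rows | Export-Csv -Path .\forest-privileged-accounts.csv -NoTypeInformation
```

Run it from a workstation that is not itself used for mail and web browsing, for the reasons Gil gives above, and diff successive CSV outputs to catch membership creep. Two caveats from the cmdlets used: Get-ADGroupMember is subject to the server-side MaxGroupOrMemberEntries limit (5000 by default), so very large nested groups need the member attribute read directly; and the script only sees membership that is stored in group objects, so rights granted by ACLs on the domain or DC objects (AdminSDHolder-protected or not) still need a separate ACL review.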