Al,
The way I read it is when Windows 2000 came out they said
there's virtually no reason to have two forests. Now they say there are
some decent reasons to have multiple forests. I don't think they're
recommending multiple forests as a standard good thing, but they admit that
there are situations where they do make sense (eg web
farms)
Susan,
I don't think passwords are considered company
secrets. They're just the means to get at the company secrets. Just
like the file server, or the database server isn't the company secrets, but the
data inside of those file shares or databases.
Steve Evans
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, March 13, 2006 6:52 AM
To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)
If you haven't yet read the comments on the page, you might be
interested. In looking back, it looks like a cop-out on my part for being
lazy and signing it as "-ajm" but I'll do better next time.
Something to keep in mind with this suggestion though:
Sometimes multiple forests makes sense. When it does, don't be afraid
to do so. Sometimes a single forest with multiple domains makes sense.
When it does, don't be afraid to do so. Sometimes a single forest with a
single domain makes sense....you get the idea. The key is to know the
trade-offs and to help match them to the business requirements. That
implies that you can get good solid business requirements of course and that you
realize that like other plumbing types, it's difficult and costly (but not
impossible) to change the plumbing later. Choose carefully for the right reasons
and you have nothing to be ashamed about later, right?
The biggest problem I see with the blog is that it comes across as if
Microsoft were wrong all these years about the multiple forest vs. the single
forest vs. going from the NT model to the AD model etc. He mentions
"..Surely you've learned that Microsoft long ago stopped
recommending single forest/single domain AD designs; yes, we were wrong
about that." Did they? Hmm.... Might be interesting to see that in writing
and to see it consistently communicated across the websites etc. I haven't seen
that so far nor do I follow that recommendation. It changes way too much
for me to follow it that closely other than to say, "Microsoft has a blanket
recommendation that you deploy like this <insert recommendation of the
moment> but because of your unique requirements I recommend we deploy like
this: <insert recommendation> and get a supportability review prior to
testing, implementation, etc." That's common because the software was
written for a finite number of scenarios but the places it gets deployed have a
seemingly infinite number of ways of doing business that require some
flexibility.
Susan, while reading the Art of War you may want to consider a sister book,
Musashi's Book of Five Rings.
"When you have attained the Way of strategy there will be not one thing
that you cannot understand" is one of his quotes as is his idea that
(paraphrase) if you can successfully do something for 1 you can do it for
10. If you can do it for 10, you can do it for 100. The list goes on
:) Relation: If you can make one forest secure, you can make more than 1
secure. If you can make one DC secure, you can make more than one secure.
My take? Go with the business processes and understand your technical
issues and risks. You'll be changing your architecture from time to time
anyway and you'll always have risks that you'll need to mitigate. I can think of
ways to mitigate DC theft. I can think of ways that it wouldn't matter if
one forest was compromised with physical theft. There are tradeoffs in the
amount of effort and the return on effort, so knowing the issues and how to
mitigate or whom to ask to help figure out how to mitigate is always
helpful.
Would be nice if the entire product line/architecture would help support
some of these practices in native ways, but then, what would the consultants and
third party ecosystem do? :)
My ramblings anyway.
Al
On 3/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED] >
wrote:
I guess you agreed or at least sympathised with my views then ? :)
As to the war - England and France have been at war so many times in the
last 1000 years, you could be referring to one of a dozen historic
moments :)
As to your analogy - I rather see the situation of multiple forests as
an increase in attack surface (for the attacker) rather than as a
decrease in defensive walls, personally :)
neil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 13 March 2006 08:51
To: [email protected]
Subject: Re: [ActiveDir] Securing that DC ( the physical question)
The statement... "So protect those domain controllers! No, they don't
store your company secrets; yes, they're pretty much just plumbing in
your network"
wanna make a bet? ...certainly not exactly in SBSland ... we kinda have
the kitchen sink up there. And to me... those passwords are a pretty
important part of my company's secrets. And whether you are SBS where
we have a shrub or the Sierra National Forest of Domains...isn't that
still important?
At the same time...there's times as much as I'm thinking I'm insane for
all on one box, I know that I sure pay attention to that one box...
There's something to be said about having less things to look at.
<insane comments feel free to disregard>
There was either a History channel or a PBS show on a famous battle back
ages and ages ago (sorry..forget the King but I think it was England and
France) and when the army stayed together in a clump and attacked as a
clump the smaller army was actually holding their own and making an
impact. When the army spread out and broke rank and started to run
after the attackers and thus opened up an entry point.... anyway you get
my drift.
The Art of War says:
If he prepares to defend many places, then the forces will be few in
number.
Therefore, if he prepares to defend the front, the back will be weak.
If he prepares to defend the back, the front will be weak.
If he prepares to defend the left, the right will be weak.
If he prepares to defend the right, the left will be weak.
If he prepares to defend everywhere, everywhere will be weak.
There's an implied thought to that blog...and maybe it's just me in
reading that undercurrent in seeing what has happened in my world and in
my sister's larger implementations. Consultants cannot know your firm
like you do. And they don't always get the right people at the table to
talk to. The bosses listen to the consultants and sales folks when they
should be listening to the people who work at the firm and getting their
input.
[EMAIL PROTECTED] wrote:
> The suggestion that we all deploy multiple forests as a way of
> lessening the risk is a bit of a 'cop out' :)
>
> That sounds as though he's suggesting the only way to secure the
> environment is to spread it more thinly across more and more forests!
> The more forests I deploy, the more cost I incur to the business. The
> more costs I incur to the business, the more awkward questions I
> receive asking why we don't consider other offerings in the NOS space
> :)
>
> Perhaps I'm too cynical on Monday mornings :)
>
>
> neil
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Susan
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> Sent: 11 March 2006 07:39
> To: [email protected]
> Subject: [ActiveDir] Securing that DC ( the physical question)
>
> http://blogs.technet.com/steriley/archive/2006/03/10/421782.aspx
>
> (The Seattle Riley clan)
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
>
> PLEASE READ: The information contained in this email is confidential
> and intended for the named recipient(s) only. If you are not an
> intended recipient of this email please notify the sender immediately
> and delete your copy from your system. You must not copy, distribute
> or take any further action in reliance on it. Email is not a secure
> method of communication and Nomura International plc ('NIplc') will
> not, to the extent permitted by law, accept responsibility or
> liability for (a) the accuracy or completeness of, or (b) the presence
> of any virus, worm or similar malicious or disabling code in, this
> message or any attachment(s) to it. If verification of this email is
> sought then please request a hard copy. Unless otherwise stated this
> email: (1) is not, and should not be treated or relied upon as,
> investment research; (2) contains views or opinions that are solely
> those of the author and do not necessarily represent those of NIplc;
> (3) is intended for informational purposes only and is not a
> recommendation, solicitation or offer to buy or sell securities or
> related financial instruments. NIplc does not provide investment
> services to private customers. Authorised and regulated by the
> Financial Services Authority. Registered in England no. 1550505 VAT
> No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London,
> EC1A 4NP. A member of the Nomura group of companies.
