Re: Windows Domain Controllers: Risks involved

[Marmina Abdel Malek <marmina () AUCEGYPT EDU>]

 Brian, you seems to be a super expert. So tell me, do you have any
recommendations to proactively protect the sensitive information stored on
these machines such as budgets, payroll, e-mails, etc. I'm interested in a
solution to protect users data from being accessed by domain admins, rather
than a solution which can detect malicious access. Should we use encrypted
folders/drives? if yes, what if a user forgot his password, how can we
recover his/her files?
Marmina



On Fri, Mar 13, 2009 at 10:41 PM, Brian Desmond <
brian.desmond () morantechnology com> wrote:

> Sure so the basic idea was that you would have this empty root and you
> would
> isolate a few key security groups e.g. Schema Admins and Enterprise Admins.
> You'd have a couple trusted people or maybe some sort of system where two
> trusted people had half the password or something to get access to accounts
> in these groups.
>
> In turn you'd end up with X number of child domains with say X*3 domain
> admins - all different people. The theory then was that domain admins in
> Dom1 were only able to control things in Dom1, Dom2 Domain Admins could
> only
> control Dom2, and so forth. Above all the assumption was that neither Dom1
> admins or Dom2 admins could do anything with your root domain, RootDom.
>
> In reality, as a domain admin in a child domain you can get at security
> groups in the root domain or another child domain. It's not particuarly
> hard
> at all for Dom1 domain admins to make themselves members of the enterprise
> admins group or similar if they want.
>
> So the net result today is that if you want true security isolation with AD
> you need separate forests. The only thing an empty root really gives you
> now
> is an "anchor" name so to speak in a multidomain namespace.
>
> Thanks,
> Brian Desmond
> brian.desmond () morantechnology com
>
> c - 312.731.3132
>
> Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
> Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Testart
> Sent: Friday, March 13, 2009 3:33 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved
>
> Brian Desmond wrote:
> > The model of having the empty root is a Windows 2000 era
> > thing that was largely from misguided assumptions.
>
> Could you please elaborate on what these misguided assumptions might be?
>
> jt
>
> --
> Jason A. Testart, BMath               | Voice: +1-519-888-4567 x38393
> Manager, IT Security                  | Fax: +1-519-884-4398
> Information Systems and Technology    | http://ist.uwaterloo.ca/security
> University of Waterloo, Waterloo, Ontario  N2L 3G1 CANADA