Re: Windows Domain Controllers: Risks involved

[Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>]

There's absolutely no benefit to doing this. In AD your security boundary is
the forest not the domain, so if you wanted to do this you'd need two
separate forests. Then you'd probably need a third forest for Exchange.
Management overhead at this point is a nightmare and you've gained nothing
in my opinion. The model of having the empty root is a Windows 2000 era
thing that was largely from misguided assumptions. At this point there's not
much in the way of reasons to be looking at that model anymore.

Exchange works fine if you have it in its' own forest although you'll need a
toolset in place to manage sync of data between your authentication
forest(s) and your Exchange resource forest. Exchange works fine
fundamentally in a multidomain forest however it's not nearly as easy to
manage and there are some quirks.

I have a chapter (10) in my book (www.briandesmond.com/ad4/) about this
process which walks you through a decision workflow for designing a domain
hierarchy.

Thanks,
Brian Desmond
brian () briandesmond com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Kaftan
Sent: Friday, March 13, 2009 9:05 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved

When creating an Active Directory domain I am curious if you create a
single domain for both Students and Fac\Staff or if you create a Tree
like structure with a parent domain and the two child domains or
something totally different like separate non-linked domains.

What are the implications if you decide to implement Exchange down the road?


F.M. Taylor wrote:
> On Friday 13 March 2009, Marmina Abdel Malek formed electrons in this
pattern:
> > Dear All,        I'm assessing the idea of implementing a campus wide
> > domain controller to include faculty and staff computers, as well as
> > student labs computers.
> >
> > I understand all the advantages of centralized management of all the
campus
> > computers, but I have some concerns that I would like to know how did you
> > react to them:
> >
> > - Domain admins can access the files of any computer in the domain. How
do
> > you ensure the confidentiality and privacy of users and data?
>
> Most Admins don't have the time or inclination to to go through the users
> files, as when they first discovered they could do this they also
discovered
> that the users are boring.  Also there are ethical (and in some cases
legal)
> standards that any admin worth getting paid should uphold.
> On the other hand the users should be made aware that all of the computers
are
> in fact the property of the university and that they have no expectation
of
> privacy.  Truly sensitive data should be encrypted.
>
>
> > - In you implementations, do you include the computers of the top
> > management?
>
> Yes, but it is optional.  Their original machines are supplied that way,
and
> most of them leave them in that configuration.  They have neither the time
or
> inclination (or technical acumen) to admin their own workstations.
>
>
> > - Do you give faculty and staff, high level access to install
applications,
> > or installation requests have be channeled to the domain admins?
>
> No, requests for new applications are submitted to the domain admins.
>
>
> > - Is there any tips, recommendations, or lessons learned on implementing
a
> > campus wide domain controller?
>
> Our Unix administrators take the machines and immediately wipe them and
> install a Unix desktop.  They are the only group allowed to do this.
> Attempting to get a Unix admin to use a domain controlled windows
workstation
> is like teaching a pig to dance, its a waste of your time and annoys the
pig.
> > Best Regards,
> > Marmina Abdel-Malek
> > IT Security Officer
> > The American University in Cairo
> > Tel : +202-2615-3561
> > Fax: +202-2795-6746
> > Email: marmina () aucegypt edu
> > web: www.aucegypt.edu
>
> Hope that helps.