Educause Security Discussion mailing list archives
Re: Windows Domain Controllers: Risks involved
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 13 Mar 2009 15:41:15 -0500
Sure, so the basic idea was that you would have this empty root and you would isolate a few key security groups, e.g. Schema Admins and Enterprise Admins. You'd have a couple of trusted people, or maybe some sort of system where two trusted people had half the password or something, to get access to accounts in these groups. In turn you'd end up with X number of child domains with, say, X*3 domain admins - all different people. The theory then was that domain admins in Dom1 were only able to control things in Dom1, Dom2 Domain Admins could only control Dom2, and so forth. Above all, the assumption was that neither Dom1 admins nor Dom2 admins could do anything with your root domain, RootDom.

In reality, as a domain admin in a child domain you can get at security groups in the root domain or another child domain. It's not particularly hard at all for Dom1 domain admins to make themselves members of the Enterprise Admins group or similar if they want. So the net result today is that if you want true security isolation with AD you need separate forests. The only thing an empty root really gives you now is an "anchor" name, so to speak, in a multidomain namespace.

Thanks,
Brian Desmond
brian.desmond () morantechnology com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Testart
Sent: Friday, March 13, 2009 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Windows Domain Controllers: Risks involved

Brian Desmond wrote:
> The model of having the empty root is a Windows 2000 era thing that was largely from misguided assumptions.

Could you please elaborate on what these misguided assumptions might be?

jt
--
Jason A. Testart, BMath | Voice: +1-519-888-4567 x38393
Manager, IT Security | Fax: +1-519-884-4398
Information Systems and Technology | http://ist.uwaterloo.ca/security
University of Waterloo, Waterloo, Ontario N2L 3G1 CANADA
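An added audit script, not part of Brian's message or the list archive, that checks from the defender's side for the condition he describes: it enumerates the forest root's Enterprise Admins, Schema Admins and Domain Admins groups (addressed by their well-known RIDs 519, 518 and 512 so renamed groups are still found), expands nested membership through a global catalog, and flags any member whose account lives outside the root domain. It assumes the RSAT ActiveDirectory PowerShell module, a reachable PDC emulator for the root domain, and an account with read access to the global catalog; the function names Get-ForestPrivilegedMembers and Expand-GroupMembers are mine.

```powershell
# Added example (not from the list thread): audit the forest-level admin groups in the
# root domain and flag members placed there from a child domain. Assumes the RSAT
# ActiveDirectory module and an account that can read the global catalog.
Import-Module ActiveDirectory

function Expand-GroupMembers {
    # Hypothetical helper: recursive member expansion via the global catalog, with a
    # visited set so nested or circular group memberships do not loop forever.
    param([string]$GroupDn, [string]$Server, [hashtable]$Seen)
    $g = Get-ADObject -Identity $GroupDn -Server $Server -Properties member
    foreach ($dn in $g.member) {
        if ($Seen.ContainsKey($dn)) { continue }
        $Seen[$dn] = $true
        $o = Get-ADObject -Identity $dn -Server $Server -Properties sAMAccountName
        if ($o.ObjectClass -eq 'group') {
            Expand-GroupMembers -GroupDn $dn -Server $Server -Seen $Seen
        } else {
            $o
        }
    }
}

function Get-ForestPrivilegedMembers {
    # Hypothetical helper: one output object per (group, non-group member) pair.
    $forest  = Get-ADForest
    $rootDom = Get-ADDomain -Identity $forest.RootDomain
    $rootDn  = $rootDom.DistinguishedName
    # Query the PDC emulator's global catalog port (3268) so member DNs from any
    # domain in the forest resolve, not only those in the root domain.
    $gc      = "$($rootDom.PDCEmulator):3268"

    # These groups exist only in the forest root domain; the RID suffix identifies
    # each one regardless of its display name.
    $groups = [ordered]@{
        'Enterprise Admins' = "$($rootDom.DomainSID.Value)-519"
        'Schema Admins'     = "$($rootDom.DomainSID.Value)-518"
        'Domain Admins'     = "$($rootDom.DomainSID.Value)-512"
    }

    foreach ($name in $groups.Keys) {
        $group = Get-ADGroup -Identity $groups[$name] -Server $rootDom.PDCEmulator
        $seen  = @{}
        Expand-GroupMembers -GroupDn $group.DistinguishedName -Server $gc -Seen $seen |
            ForEach-Object {
                [pscustomobject]@{
                    Group       = $name
                    Member      = $_.SamAccountName
                    ObjectClass = $_.ObjectClass
                    DN          = $_.DistinguishedName
                    # True when the member's DN is not under the root domain's DN,
                    # i.e. the account comes from a child domain (Brian's scenario).
                    OutsideRoot = -not $_.DistinguishedName.EndsWith($rootDn, 'OrdinalIgnoreCase')
                }
            }
    }
}

# Usage: show the rows that need an explanation, then keep the full report as a baseline.
$report = Get-ForestPrivilegedMembers
$report | Where-Object OutsideRoot | Format-Table Group, Member, DN -AutoSize
$report | Export-Csv -Path .\forest-admins-baseline.csv -NoTypeInformation
```

Any row with OutsideRoot set is a child-domain principal holding forest-level rights; members from a trusted external forest show up instead as foreignSecurityPrincipal objects under the root DN, so the ObjectClass column deserves the same attention. Comparing each run against the saved baseline catches the membership change after the fact; it does not change the conclusion in the message that the forest, not the domain, is the security boundary.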