Is 'security' provided by AD trusts worthless?

magoo

Distinguished
May 28, 2004
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Imagine I set up a one-way trust between two forests, where "Mystudent"
trusts "Mystaff" forest. Then I manage to separate resources (file servers,
printers) for both staff and students.

How could such a one-way trust and forest/domain separation give me additional
security?
Imagine a "student" logged on to the student domain attempts to query and
break accounts out of the "mystaff" domain:

I have an AD fellow here that tells me that such security provided by
isolating the domain is very minimal and worthless.

Please confirm.
 
Archived from groups: microsoft.public.win2000.active_directory (More info?)

IMO.

The big wins for separate internal production forests are

1. Administrative separation as Tomasz laid out. As he indicated, you can't
protect a forest from a rogue admin in any given domain. If you have the same
people managing all domains in both forests, this is moot.

2. Exchange separation. This is both for functionality as well as security.
Exchange Dev kind of screwed the pooch with their security model and if you want
different Exchange and AD Admins it can be difficult to implement in a single
forest architecture. Also if you have a multidomain forest it is often very
smart to pull Exchange into a separate single domain forest for functionality
reasons. Basically Exchange has some serious issues in multidomain forests
unless you configure things in very special ways.

3. Easy breakup for divestiture.


A company will also break out separate forests for Test environments (especially
testing of AD applications or schema mods) and for internal/external resource
separation, i.e. DMZ/B2x utilization.


If you don't have one of the reasons above I would be hesitant to confuse the
architecture, and that is exactly what multiple forests (or even multiple
domains) will do for you. It adds considerable management overhead. The
reasoning behind doing it should be good.


Something you can do is stuff all of the important, needs-to-be-hidden info into
AD/AM and just use AD for NOS operations. AD/AM can easily be locked down to the
point where students won't get much, if anything, with AD/AM still being on a
member server in the same domain/forest, so you are able to use your domain as
the auth source.

AD can be locked down a little better now with the confidentiality bit that is
available in K3 SP1 but I would still recommend pushing the confidential data to
AD/AM before trying to hide it in AD.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


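Joe mentions the attribute confidentiality bit introduced with Windows Server 2003 SP1 as a way to hide sensitive data in AD. As an added illustration (not code from the thread or from any of its posters), the script below audits which schema attributes already carry that bit and sets it on a custom attribute. It assumes the ActiveDirectory PowerShell module (RSAT), Schema Admins membership for the write, and a hypothetical custom attribute name 'school-PayrollId'; the bit values are the documented searchFlags and systemFlags constants.

```powershell
Import-Module ActiveDirectory

# searchFlags bit that marks an attribute as confidential (Windows Server 2003 SP1 and later):
# reading it then requires the Control Access right in addition to Read Property.
$CONFIDENTIAL = 0x80
# systemFlags bit that marks a base-schema (category 1) attribute; the confidential bit
# cannot be applied to these, which is why custom data is easier to protect than built-in attributes.
$SCHEMA_BASE_OBJECT = 0x10

$schemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-ConfidentialAttribute {
    # Lists every attribute in the schema that currently carries the confidential bit.
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
                 -Properties lDAPDisplayName, searchFlags |
        Where-Object { ($_.searchFlags -band $CONFIDENTIAL) -ne 0 } |
        Select-Object lDAPDisplayName, searchFlags
}

function Set-AttributeConfidential {
    # Sets the confidential bit on one attribute, refusing base-schema attributes up front.
    param([Parameter(Mandatory)] [string] $LdapDisplayName)

    $attr = Get-ADObject -SearchBase $schemaNC -Properties searchFlags, systemFlags `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    if (($attr.systemFlags -band $SCHEMA_BASE_OBJECT) -ne 0) {
        throw "'$LdapDisplayName' is a base-schema attribute; the confidential bit cannot be set on it"
    }
    if (($attr.searchFlags -band $CONFIDENTIAL) -ne 0) {
        Write-Verbose "'$LdapDisplayName' is already confidential"
        return
    }
    # Schema writes need Schema Admins membership and go to the schema master.
    Set-ADObject -Identity $attr.DistinguishedName `
                 -Replace @{ searchFlags = ($attr.searchFlags -bor $CONFIDENTIAL) }
}

Get-ConfidentialAttribute
# 'school-PayrollId' is a hypothetical custom attribute; substitute your own extension attribute.
# Set-AttributeConfidential -LdapDisplayName 'school-PayrollId' -Verbose
```

The bit only hides the attribute from principals that lack Control Access on the object; accounts with Full Control (Domain Admins, the object owner) keep reading it, which is in line with Joe's advice to treat it as a small improvement rather than a substitute for moving the data out to AD/AM.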
 
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks much Joe. No, in my organization domain admins will be the same for
students and staff. There is no need for domain administration separation in
the foreseeable future here. I will be looking into your ADAM suggestion
though, that looks interesting.
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:%23kKUuGQVFHA.616@TK2MSFTNGP12.phx.gbl...
 
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Magoo wrote:
> Imagine I setup an one way trust between two forests, where "Mystudent"
> trusts "Mystaff" forest. Then I manage to separate resources (file servers,
> printers) for both staff and students.
>
> How such one way trust and forest/domain separation could give me additional
> security ?
> Imagine a "student" logged on to the student domain attempts to query and
> brake accounts out of "mystaff" domain:

This is not a good example. If you have a service which is
available on the internet, for example SMTP with authentication in the domain,
any person in the world can try to query and break your accounts'
security by trying to guess the password.

The only way to protect against it is to set some rules like a password
policy and an account policy.

Besides your situation with staff and students, and talking about the general
situation: when you have some resources in two separate divisions or
companies, and you have to share some resources between these divisions,
it is better to build separate networks and then put some connection
between these organisations to share only specified resources than to put
both organisations on the same "wire" and then work on providing
some security in this environment.

Remember that when you have two domains you also have domain admins in
both domains. In one forest you can't be sure that a domain admin from
one domain will not get rights in the other domain.

Using trusts you can separate administrator roles: an administrator from
forest A can be an ordinary user in forest B, and you can build a one-way
trust relationship; you can't do this in a single forest with multiple domains.

> I have an AD fellow here that tells me that such security provided by
> isolating the domain is very minimal and worthless.

If you want to control access to resources in the mystaff domain over the
trust between forests, you can take advantage of the selective
authentication functionality, which lets you control access to the
resources in a very strict manner:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx

These are a few things which come to my mind now. I will be glad to get
to know your friend's arguments about this, that a forest doesn't provide
additional security in AD design.

It's late here (in my time zone) and maybe my thoughts weren't clear.
--
Tomasz Onyszko [MVP]
http://www.w2k.pl
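Tomasz's point about selective authentication is that, once a forest trust is switched to that mode, an account from the trusted forest can only authenticate to a server in the trusting forest if it has been granted the Allowed-To-Authenticate right on that computer object. The script below is an added example (not from the thread or its posters) that audits the trusts in the resource forest, lists which computers in an OU grant that right to principals from the other forest, and grants it explicitly on one server. It assumes the ActiveDirectory module, an OU path 'OU=Servers,DC=mystaff,DC=local' and the NetBIOS name MYSTUDENT (both hypothetical, named after the thread); the extended-right GUID is the schema's documented Allowed-To-Authenticate rightsGuid.

```powershell
Import-Module ActiveDirectory

# rightsGuid of the Allowed-To-Authenticate extended right (schema constant).
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

# 1. Report each trust and whether selective authentication is on.
#    Enabling it is done with: netdom trust <trusting-domain> /domain:<trusted-domain> /SelectiveAuth:Yes
#    (or "Allow authentication only for selected resources" in AD Domains and Trusts).
function Get-TrustAuthMode {
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
}

# 2. List computers in an OU that grant Allowed-To-Authenticate to principals of the trusted forest.
function Get-AllowedToAuthenticateGrant {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,        # hypothetical: 'OU=Servers,DC=mystaff,DC=local'
        [string] $TrustedDomainNetbios = 'MYSTUDENT'        # hypothetical NetBIOS name of the trusted forest
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $acl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.ObjectType -eq $AllowedToAuthenticate -and
                $ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -like "$TrustedDomainNetbios\*") {
                [pscustomobject]@{
                    Computer  = $_.Name
                    GrantedTo = $ace.IdentityReference.Value
                    Inherited = $ace.IsInherited   # inherited grants come from the OU, not the server
                }
            }
        }
    }
}

# 3. Grant the right on a single computer object to one group from the trusted forest.
function Grant-AllowedToAuthenticate {
    param(
        [Parameter(Mandatory)] [string] $ComputerDN,   # e.g. 'CN=FS01,OU=Servers,DC=mystaff,DC=local'
        [Parameter(Mandatory)] [string] $Principal     # e.g. 'MYSTUDENT\LabStudents' (hypothetical)
    )
    $path = "AD:\$ComputerDN"
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $AllowedToAuthenticate)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

Get-TrustAuthMode
Get-AllowedToAuthenticateGrant -SearchBase 'OU=Servers,DC=mystaff,DC=local'
# Grant-AllowedToAuthenticate -ComputerDN 'CN=FS01,OU=Servers,DC=mystaff,DC=local' -Principal 'MYSTUDENT\LabStudents'
```

The audit matters because selective authentication is only as strict as the ACLs behind it: a grant placed on an OU is inherited by every computer underneath, so the Inherited column tells you whether a server was opened up deliberately or by inheritance. Share and NTFS permissions still decide what the authenticated account may do once it is allowed in.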
 
Archived from groups: microsoft.public.win2000.active_directory (More info?)

In my case, politics or separation of domain administration is not an issue.
If I create a separate domain-forest for "students", the domain
administrator for both domains would be the same individual. That means a
separate domain-forest won't help me there.
My case is really protecting payroll, accounting, financial and student
database records against students, since students don't need to access those
resources in the first place. As we already know, if a student can
connect his laptop to the same subnets where staff are connected, honestly
I can't see how a separate logical boundary such as an additional domain
would help. Correct me if I am wrong, but this idea of separate forests-domains
will make sense only the day that I can also provide separate
subnets/networks to my student population. Otherwise it seems that the
hassle of setting up a logical forest boundary doesn't make a lot of sense
indeed.


"Tomasz Onyszko [MVP]" <T.Onyszko_nospam_@microsfot.com> wrote in message
news:%23Pqv5aOVFHA.4056@TK2MSFTNGP15.phx.gbl...
 
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Magoo,

Maybe I am missing something here. But trusts simply afford us the
possibility of accessing objects ( resources ) in other domains. It is the
NTFS and Share permissions that control who can access what. Or am I
missing something?

If the problem is that you can not trust the Domain Admin(s) then this is
not a technical problem but an HR problem. I was a Domain Admin and an
Enterprise Admin where I used to work. I had access to
everything.....offers, negotiations for movie contracts, payroll and
everything. I never thought, not for a split second, about taking
advantage of this. And I am pretty sure that no one ever suspected that I
might be sneaking around. If there are suspicions that the Admin is doing
this then this needs to be handled. But it is not a technical issue.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Magoo" <nospammagoo@hotmail.com> wrote in message
news:OD2jZvOVFHA.1200@TK2MSFTNGP14.phx.gbl...