Transitive Trust

Pete

Distinguished
Oct 21, 2001
975
0
18,980
Archived from groups: microsoft.public.win2000.security

Question:
If I add a child domain, is it OK to remove one of the
trusts from the transitive trusts that are automatically
generated (so the child domain trusts the parent but not the other
way around), or will this be reinstated by W2000?

Reason:
Looking to add a domain into our namespace but don't want
administrators of the new domain to have access to other
domains.

Taken from Microsoft Documentation:
Important
Previously published Active Directory documentation states
that a domain is a security boundary, but this
documentation does not provide specific details about the
level of autonomy and isolation that is possible among
domains in a forest. Although a domain is, in fact, a
security boundary with regard to the management of
security policies for Active Directory, it does not
provide complete isolation in the face of possible attacks
by service administrators.

Guest

Hi Pete,

Microsoft changed its opinion on the domain being a security boundary due to
some possible exploits. Now the security boundary is the forest.

While a transitive trust can provide easy access between domains (e.g. domains
A and B), a user in B will still need permissions on resources in domain A to
access e.g. shares (and the other way around).
So if you have a share in domain A that allows domain users (this will
be A\Domain Users) full control, this will not allow a user in domain B to
access this share. To allow users in domain B to access this share, an
administrator or other user with appropriate permissions will have to add
B\Domain Users to this share and grant them the necessary permissions.

If you keep the default Windows 2000 permissions (Everyone full control), that
will allow users from domain B to access resources in domain A.

Mike

"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
> Question:
> If I add a child domain is it ok to remove one of the
> trusts from the transitive trusts that are automatically
> generated (so child domain trusts parent but not the other
> way around) or will this be re-instated by W2000.
>
> Reason:
> Looking to add a domain into our name space but don't want
> administrators of the new domain to have access to other
> domains.
>
> Taken from Microsoft Documentation:
> Important
> Previously published Active Directory documentation states
> that a domain is a security boundary, but this
> documentation does not provide specific details about the
> level of autonomy and isolation that is possible among
> domains in a forest. Although a domain is, in fact, a
> security boundary with regard to the management of
> security policies for Active Directory, it does not
> provide complete isolation in the face of possible attacks
> by service administrators
>

Pete

Thanks for the response.

The domain we are going to add will be managed by external
contractors; they will have admin rights on this domain.
As I understand it, with transitive trusts they would
automatically have admin rights on the parent domain, but
if I am able to remove the trust from child to parent
(preventing the parent from trusting the child) then this would
solve the problem. Although I would (I think) have to
remove trusts from the other child domain within the
forest as well.

If I did this, would the trusts be automatically rebuilt
by W2000, or by W2003 when we upgrade?

Perhaps I'm better off creating a separate forest and
registering another domain name? It would be nice from an
administration and namespace point of view if I could set
this up as a child domain. Any thoughts?

Pete.
>-----Original Message-----
>Hi Pete,
>
>Microsoft changed its opinion on domain being security boundary due to some
>possible exploits. Now the security boundary is the forest.
>
>While transitive trust can provide easy access between domains (e.g. domain
>A and B) user B will still need permissions on resources in domain A to
>access e.g. shares (and the other way around).
>So if you have a share in domain A that will allow domain users (this will
>be A\Domain Users) full control, this will not allow user in domain B to
>access this share. To allow users in domain B to access this share,
>administrator or other user with appropriate permissions will have to add
>B\Domain Users to this share and grant them necessary permissions...
>
>If you allow default Windows 2000 permissions (everyone full control) that
>will allow users from domain B to access resources in domain A...
>
>Mike
>
>"Pete" <anonymous@discussions.microsoft.com> wrote in message
>news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
>> Question:
>> If I add a child domain is it ok to remove one of the
>> trusts from the transitive trusts that are automatically
>> generated (so child domain trusts parent but not the other
>> way around) or will this be re-instated by W2000.
>>
>> Reason:
>> Looking to add a domain into our name space but don't want
>> administrators of the new domain to have access to other
>> domains.
>>
>> Taken from Microsoft Documentation:
>> Important
>> Previously published Active Directory documentation states
>> that a domain is a security boundary, but this
>> documentation does not provide specific details about the
>> level of autonomy and isolation that is possible among
>> domains in a forest. Although a domain is, in fact, a
>> security boundary with regard to the management of
>> security policies for Active Directory, it does not
>> provide complete isolation in the face of possible attacks
>> by service administrators
>>
>
>
>.
>

Guest

In article <15df01c4ac57$3dd66710$a401280a@phx.gbl>, in the
microsoft.public.win2000.security news group, Pete
<anonymous@discussions.microsoft.com> says...

> Thanks for the response.
>
> The domain we are going to add will be managed by external
> contractors, they will have admin rights on this domain.
> As I understand it with Transitive trusts they would
> automatically have admin rights on the parent domain,

No, this is not true, however, there are a number of ways that a domain
admin in a child domain could make themselves an admin anywhere else in
the forest. It doesn't happen automatically, but it can be done.
Manipulating SID history is one way this can be accomplished.

You can learn more about this in the following white paper:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx

or

http://tinyurl.com/4etnu

> but
> if I am able to remove the trust from child to parent
> (preventing parent from trusting child) then this would
> solve the problem. Although I would (I think) have to
> remove trusts from the other child domain within the
> forest.
>
> If I did this would the trusts be automatically re-built
> by W2000? or by W2003 when we upgrade?

You can't do this. This is a non-starter.

>
> Perhaps I'm better off creating a separate forest and
> register another domain name? It would be nice from an
> administration and name-space point of view if I could set
> this up as a child domain. Any thoughts?

This is really your only option. Details in the white paper.


--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Guest

A domain administrator in domain B can't by default administer domain A even
if there is a transitive trust between the domains. For an administrator in domain B
to manage domain A, he would have to be in the "A\Domain Administrator" group,
while by default he will only be in the "B\Domain Administrator" group. The same
goes the other way.

Transitive trust means e.g. if A trusts B and A trusts C, then B trusts C and C
trusts B. But still, an administrator in domain B is not an administrator in domain
C unless an administrator in domain C designates him as such (grants him the
appropriate permissions in domain C).

In Windows NT, for example, when domain A trusted domain B and domain C and you
also required a trust between B and C, you had to create separate trusts,
which made large organizations hard to manage due to the large number of
trusts.

You don't have to buy a new domain name for a separate forest. You could
implement a domain such as domain.local or domain.ad, etc.

Active Directory Services and Windows 2000 or Windows Server 2003 Domains
(Part 1)
http://support.microsoft.com/default.aspx?scid=kb;en-us;310996&Product=win2000

Mike

"Pete" <anonymous@discussions.microsoft.com> wrote in message
news:15df01c4ac57$3dd66710$a401280a@phx.gbl...
> Thanks for the response.
>
> The domain we are going to add will be managed by external
> contractors, they will have admin rights on this domain.
> As I understand it with Transitive trusts they would
> automatically have admin rights on the parent domain, but
> if I am able to remove the trust from child to parent
> (preventing parent from trusting child) then this would
> solve the problem. Although I would (I think) have to
> remove trusts from the other child domain within the
> forest.
>
> If I did this would the trusts be automatically re-built
> by W2000? or by W2003 when we upgrade?
>
> Perhaps I'm better off creating a separate forest and
> register another domain name? It would be nice from an
> administration and name-space point of view if I could set
> this up as a child domain. Any thoughts?
>
> Pete.
> >-----Original Message-----
> >Hi Pete,
> >
> >Microsoft changed its opinion on domain being security boundary due to some
> >possible exploits. Now the security boundary is the forest.
> >
> >While transitive trust can provide easy access between domains (e.g. domain
> >A and B) user B will still need permissions on resources in domain A to
> >access e.g. shares (and the other way around).
> >So if you have a share in domain A that will allow domain users (this will
> >be A\Domain Users) full control, this will not allow user in domain B to
> >access this share. To allow users in domain B to access this share,
> >administrator or other user with appropriate permissions will have to add
> >B\Domain Users to this share and grant them necessary permissions...
> >
> >If you allow default Windows 2000 permissions (everyone full control) that
> >will allow users from domain B to access resources in domain A...
> >
> >Mike
> >
> >"Pete" <anonymous@discussions.microsoft.com> wrote in message
> >news:1d2501c4ac4a$5f4ce9d0$a601280a@phx.gbl...
> >> Question:
> >> If I add a child domain is it ok to remove one of the
> >> trusts from the transitive trusts that are automatically
> >> generated (so child domain trusts parent but not the other
> >> way around) or will this be re-instated by W2000.
> >>
> >> Reason:
> >> Looking to add a domain into our name space but don't want
> >> administrators of the new domain to have access to other
> >> domains.
> >>
> >> Taken from Microsoft Documentation:
> >> Important
> >> Previously published Active Directory documentation states
> >> that a domain is a security boundary, but this
> >> documentation does not provide specific details about the
> >> level of autonomy and isolation that is possible among
> >> domains in a forest. Although a domain is, in fact, a
> >> security boundary with regard to the management of
> >> security policies for Active Directory, it does not
> >> provide complete isolation in the face of possible attacks
> >> by service administrators
> >>
> >
> >
> >.
> >

Guest

<snip>

> No, this is not true, however, there are a number of ways that a domain
> admin in a child domain could make themselves an admin anywhere else in
> the forest. It doesn't happen automatically, but it can be done.
> Manipulating SID history is one way this can be accomplished.
>
> You can learn more about this in the following white paper:
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx
>
> or
>
> http://tinyurl.com/4etnu

IIRC you can protect yourself from this kind of exploit by preventing
anyone without a high level of trust from having physical access to a DC (preventing
someone from booting into an alternative OS by inserting a CD or floppy disk and
changing/copying data from the server), if this can be accomplished. This
should protect the company from e.g. a SID spoofing attack.

I agree that a separate forest would be the best solution.

Mike

<snip>

Guest

In article <#oaNcYGrEHA.2964@TK2MSFTNGP14.phx.gbl>, in the
microsoft.public.win2000.security news group, Miha Pihler
<mihap-news@atlantis.si> says...

> IIRC you can protect yourself from this kind of exploits by preventing
> anyone without high level of trust from physical access to DC (prevent
> someone to boot into alternative OS by inserting CD or floppy disk and
> changing /copy data from the server) - if this can be accomplished. This
> should protect the company from e.g. SID spoofing attack...
>

No, this is simply not the case, and is the whole basis behind the
comment that the only true security boundary is the forest.
A domain admin's ability to manipulate the SID history has nothing at
all to do with physical access to a DC. It is a function of the simple
fact that they are domain admins.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.
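
The following PowerShell script is an added example and is not part of the original thread or of Microsoft's documentation. It covers the two technical points made above: Mike's description of the trusts a forest builds automatically (direction and transitivity), and Paul's point that a child-domain admin can abuse sIDHistory without any physical access to a DC. The reason that abuse works is that SID filtering is not applied to intra-forest (parent/child and tree-root) trusts by default, so a SID written into sIDHistory in the child domain is honoured by the parent domain's resources. The script lists every trust of the current domain with its filtering state, then searches for objects whose sIDHistory carries a SID of another domain in the same forest or a well-known privileged RID. It assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 and later, so not the Windows 2000 systems the thread was about) and read access to the directory; all domain names in the comments are hypothetical.

```powershell
# Added example (not from the original thread): report the trusts of the current
# domain and hunt for sIDHistory values that reference other domains of the same
# forest or well-known privileged RIDs. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Well-known RIDs that should never appear in sIDHistory as migration residue
$PrivilegedRids = @{
    500 = 'Administrator'
    512 = 'Domain Admins'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
}

function Get-TrustReport {
    # One row per trust partner, showing direction, transitivity and whether the
    # trust honours sIDHistory from the partner (true for unfiltered intra-forest trusts).
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner                  = $_.Name
            Direction                = $_.Direction
            IntraForest              = $_.IntraForest
            ForestTransitive         = $_.ForestTransitive
            SIDFilteringQuarantined  = $_.SIDFilteringQuarantined
            SelectiveAuthentication  = $_.SelectiveAuthentication
            HonoursForeignSidHistory = ($_.IntraForest -and -not $_.SIDFilteringQuarantined)
        }
    }
}

function Get-ForestDomainSids {
    # Map each forest domain's SID (as a string) to its DNS name,
    # e.g. 'S-1-5-21-...' -> 'corp.example' (hypothetical name).
    $map = @{}
    foreach ($name in (Get-ADForest).Domains) {
        $dom = Get-ADDomain -Identity $name
        $map[$dom.DomainSID.Value] = $dom.DNSRoot
    }
    return $map
}

function Find-SuspiciousSidHistory {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $forestSids = Get-ForestDomainSids
    $localSid   = (Get-ADDomain).DomainSID.Value

    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($raw in $obj.sIDHistory) {
                # The module normally returns SecurityIdentifier objects; accept raw bytes too.
                $sid = if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $raw }
                       else { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }

                # AccountDomainSid is $null for non-domain well-known SIDs such as S-1-5-18.
                $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
                $rid = [int](($sid.Value -split '-')[-1])

                $reasons = @()
                if ($domainSid -and $forestSids.ContainsKey($domainSid) -and $domainSid -ne $localSid) {
                    # A SID from a sibling or parent domain: exactly what an in-forest
                    # SID history attack would plant (or what an ADMT migration leaves behind).
                    $reasons += "SID belongs to forest domain $($forestSids[$domainSid])"
                }
                if ($PrivilegedRids.ContainsKey($rid)) {
                    $reasons += "well-known privileged RID $rid ($($PrivilegedRids[$rid]))"
                }
                if ($reasons) {
                    [pscustomobject]@{
                        Object     = $obj.DistinguishedName
                        HistorySid = $sid.Value
                        Reason     = ($reasons -join '; ')
                    }
                }
            }
        }
}

Get-TrustReport            | Format-Table -AutoSize
Find-SuspiciousSidHistory  | Format-Table -AutoSize
```

Run it from a domain controller or a workstation with RSAT, once per domain in the forest; a DA in the child domain can also run it against the child, which is where the planted sIDHistory lives. Treat a hit on a sibling-domain SID as a review item rather than a conviction, since a legitimate ADMT migration from another domain of the same forest leaves the same trace; a sIDHistory entry ending in RID 512 or 519 of another domain has no legitimate explanation. Note that quarantine (SID filtering, set with netdom trust /quarantine) is what makes external and forest trusts safe against this, and is not applied between domains of one forest, which is the reason the forest, not the domain, is the security boundary.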