Active Directory Domain Security


Chris

We run a very secure NT 4.0 Domain due to confidentiality
of Partner legal documents and databases located on our
file servers. At no time is anyone allowed to access our
file servers or make security changes to our domain from
outside of our domain. We are asked by the Internal
Security Group to upgrade our domain to Windows 2000 and
join the Firm's already established Active Directory
Forest. Our Partnership domain would most likely be added
as an additional Child Domain as opposed to being added as
an Organizational Unit, since Microsoft considers a Domain
to be a 'security boundary'... but we have some concerns.
The big security flaw is that Enterprise Administrators
(EA's) at the Parent level have the ability to add groups
to local domain groups, also access or bypass controls
over our domain's security at any time. My questions
are... 1. what levels of control does an EA have over a
Child Domain? 2. If there are 15 Domain EA's that
administer the entire Organization Structure, how do I
monitor all of these EA's when they try to make changes
to our domain? Actually, We don't want to trust them so 3.
what can we do without having to set up an entirely
different Namespace or forest? 4. If there are any
restrictions that can set on our domain level, or any
auditing is there much administrative overhead involved?
In general, Enterprise Admins and Schema Admins have
special permissions within an AD forest, by default
allowing them access to all resources.
There are "span of control" implications in the AD model.
Anyone in the forum have any experience in an already
established Parent and Child Domain forest structure and
has applied security controls for this? Thanks!
 

Danny Sanders

Your concerns are warranted. With Win 2k the "security boundary" is at the
forest level.

You might look into Win 2k3 to see if this is the same.

hth
DDS W 2k MVP MCSE
 

Herb Martin

Chris said:
> We run a very secure NT 4.0 Domain due to confidentiality
> of Partner legal documents and databases located on our
> file servers. At no time is anyone allowed to access our
> file servers or make security changes to our domain from
> outside of our domain. We are asked by the Internal
> Security Group to upgrade our domain to Windows 2000 and
> join the Firm's already established Active Directory
> Forest.

Joining a Forest creates an AUTOMATIC trust with the parent domain and
an EFFECTIVE trust with all other domains of that Forest; it also gives the
Enterprise Admins membership in (and the equivalent access as) the
Administrators group of your domain.

Note: This is directly counter to your policy. THE PURPOSE of a trust is
to grant access to resources by users in the trusted domain -- this includes
admin access to account objects (managed "users" are considered a resource
in this context.)

There is no point in a trust if you don't wish to grant access or allow
management.

NONE.
> Our Partnership domain would most likely be added
> as an additional Child Domain as opposed to being added as
> an Organizational Unit, since Microsoft considers a Domain
> to be a 'security boundary'... but we have some concerns.

This (domain) just means you get separate Domain level Group Policy and the
very few specifics (password, kerberos, lockout) restricted to changes at
that level.
> The big security flaw is that Enterprise Administrators
> (EA's) at the Parent level have the ability to add groups
> to local domain groups, also access or bypass controls
> over our domain's security at any time.

Actually, if you read above there is likely a basic difference in goals
implied; if no access will be desired then there is little point in joining
the Forest. Joining the forest implies that either you will access their
resources or they will access your resources or you will access theirs.

Now you may wish to access their resources but perhaps that is better
handled as a manual (one way, non-transitive) EXTERNAL trust from your Domain
(as a separate forest) to the SPECIFIC RESOURCE domain(s) in their Forest.
> My questions are... 1. what levels of control does an EA have over a
> Child Domain?
Admin

> 2. If there are 15 Domain EA's that
> administer the entire Organization Structure, how do I
> monitor all of these EA's when they try to make changes
> to our domain?

Domain Admins (in their forest) should NOT ALL be Forest Admins in such
cases -- they should limit the EAs to 2 or 3 trusted people and restrict
other Admins to specific domains. EAs have only a FEW real powers that
Domain Admins do not.
> Actually, We don't want to trust them so

That was pretty obvious actually.
> 3. what can we do without having to set up an entirely
> different Namespace or forest?

A separate "namespace" is NOT necessary and not necessarily even relevant to
your problem -- you can be a CHILD in the DNS namespace and still be a
separate Forest.

It's not common to do it this way but perfectly legal and may make the most
sense for your security design.

Just create a new forest -- but make sure that is what you decide is right
because it is difficult to fix this if that turns out to be a bad decision
(also true for the "plan" they gave you so work this out NOW.)
> 4. If there are any restrictions that can set on our domain level, or any
> auditing is there much administrative overhead involved?

No, the purpose of the trusts and forests is to enable certain access.
> In general, Enterprise Admins and Schema Admins have
> special permissions within an AD forest, by default
> allowing them access to all resources.

Schema admins don't have that (and there should be NO schema admins
except during schema changes -- very brief periods.)

ALL Domain Admins should be notified and agree that any schema changes
are appropriate before such are made -- this is part of a proper "Security
policy" and "Change control policy" for any company of significant size or
security needs.
> There are "span of control" implications in the AD model.
> Anyone in the forum have any experience in an already
> established Parent and Child Domain forest structure and
> has applied security controls for this? Thanks!

State your goals explicitly -- their goals explicitly. Negotiate and
recommend to executive management if there is ANY disagreement among the
tech people.

This is a POLICY issue.
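The points Herb makes above (the parent trust is automatic and transitive, Enterprise Admins land in the child domain's Administrators group, Schema Admins should be empty outside a change window, and Chris's question about how to see EAs changing the domain) can all be checked from the child domain rather than taken on faith. The PowerShell below is an added example and is not code from this thread or from any poster; it assumes the RSAT ActiveDirectory module (which post-dates the Windows 2000 era the thread discusses) and an account that can read the domain, its forest root, and the Security log on a domain controller. The function name Get-ForestFootholdReport and the $MaxEvents parameter are assumed names, not anything the thread mentions.

```powershell
# Added example, not code from the thread or from any poster. Assumes the RSAT
# ActiveDirectory module and read access to the child domain, the forest root
# domain and the Security log on the PDC emulator.
Import-Module ActiveDirectory

function Get-ForestFootholdReport {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: how many group-change audit events to read back.
        [int]$MaxEvents = 50
    )

    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    $rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value

    # Well-known RIDs of the two forest-wide groups discussed in the thread.
    $enterpriseAdminsSid = "$rootSid-519"
    $schemaAdminsSid     = "$rootSid-518"

    # 1. Trusts. A child domain's trust with its parent shows IntraForest = True and
    #    is transitive; Herb's alternative is an Outbound, non-transitive external
    #    trust from a separate forest to only the resource domain(s) you need.
    $trusts = Get-ADTrust -Filter * -Server $domain.PDCEmulator |
        Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive

    # 2. Is Enterprise Admins a direct member of this domain's built-in
    #    Administrators group (S-1-5-32-544)? In a forest member domain it is,
    #    which is exactly the access Herb describes. Compare SIDs because the
    #    member is a foreign security principal from the forest root.
    $eaInAdministrators = [bool](
        Get-ADGroupMember -Identity 'S-1-5-32-544' -Server $domain.PDCEmulator |
            Where-Object { $_.SID.Value -eq $enterpriseAdminsSid }
    )

    # 3. Schema Admins should be empty outside an agreed schema-change window.
    $schemaAdmins = Get-ADGroupMember -Identity $schemaAdminsSid -Server $forest.SchemaMaster |
        Select-Object -ExpandProperty SamAccountName

    # 4. Membership changes recorded on a DC once "Audit Security Group Management"
    #    is enabled: 4728 (global), 4732 (domain local) and 4756 (universal) are the
    #    "member added" events. The named EventData fields are read from the XML so
    #    the code does not depend on property ordering.
    $memberAdds = Get-WinEvent -ComputerName $domain.PDCEmulator -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756 } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Group  = $data['TargetUserName']
                Member = $data['MemberName']
                By     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }

    [pscustomobject]@{
        Domain                       = $domain.DNSRoot
        ForestRoot                   = $forest.RootDomain
        Trusts                       = $trusts
        EnterpriseAdminsInAdministrators = $eaInAdministrators
        SchemaAdminsMembers          = @($schemaAdmins)
        RecentGroupMemberAdds        = @($memberAdds)
    }
}

# Usage: run from a member of the child domain with the rights noted above.
Get-ForestFootholdReport | Format-List
```

The report answers the thread's questions in order: the trust list shows whether the domain sits inside the forest (IntraForest) or only holds a one-way external trust, the boolean shows whether the forest root's Enterprise Admins group currently has Administrators rights here, the Schema Admins list should be empty between change windows, and the event list is the audit trail Chris asked about for watching EAs alter group membership. Get-ADGroupMember can fail to resolve a foreign principal if no global catalog is reachable, so a false result for the Enterprise Admins check should be confirmed against the group's member list in the directory before it is trusted.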
 

Chris

Herb,

Thanks very much for your valuable insight on this matter.
With this mostly being a policy issue I will definitely
address these concerns again with the Enterprise
Networking Group and we'll weigh out all the options and
make a decision. Your feedback has definitely helped me
better understand the AD security model. I like your
recommendation about being added as a CHILD in the same
DNS namespace and still being a separate Forest. I will
look further into this option.

Thanks again!
- Chris
 

Herb Martin

You could also suggest hiring me as an architectural consultant for
a day or two to help you folks talk it through and plan a solution. <grin>

I'm easy but I'm not cheap <big grin>

Post again or let me know by email if you just need some casual help, or call.
Numbers are on my website LearnQuick.Com
 

Chris

Where are you located?
-----Original Message-----
> You could also suggest hiring me as an architectural consultant for
> a day or two to help you folks talk it through and plan a
 

Herb Martin

Chris said:
> Where are you located?

Austin, TX -- but it doesn't really matter, as I am expensive enough that if
you can afford me you can afford the expenses <grin>

You can call me for free though.
 
