AD design question....again

[phil2627]

We are in a school district with 500 staff and 4000 non staff. We are
still undecided on the model, but know the following
- only real secure model is separate forest, where staff could be in
one and non staff in the other and setup trusts to have certain staff
access resources in other forest
- One forest, domain model is simple, and the suggested way to go
unless there are political or admin delegation reasons
- empty domain model would not "secure" the enterprise admin
accounts. But, can Domain admins in a child domain access the
enterprise admin group without physical access to the servers ?

We would like to go with the single domain as, if we secure the
administrator account, no user should be able to gain access to the
domain admin or enterprise admin group.

With the Empty Root model the enterprise account is in it's own domain
which somewhat secures it, but this model requires more hardware.

If someone could please explain how a person in a child domain can
gain access to the enteprise account and compromise the security of
the forest overall I can go on with completing our single domain
model. Thanks.

 

[Joe Richards [MVP]]

What do you want to secure against? If you are just going to have
students and teachers as users and one set of admins, you shouldn't need
security that requires separate forests. You get separate forests when
you can't trust the different sets of admins.

On your final question "can someone explain how someone in a child
domain can compromise the forest security"... No I hope no one does tell
you. It isn't something people should be explaining in public forums
because there is nothing you can do about it. Just know that it is
indeed quite easily possible for someone with control of any single DC
In the forest to gain control over the entire forest. At the very end of
the scale someone could start with ONLY physical access to a DC and at
the other end you could start with someone with server op or
administrator rights on a DC with no physical access. It is just a
matter of hops to get to Enterprise Admins. Just as soon as Microsoft
changes the core design of AD enough such that this type of escalation
can be completely blocked and I apply it for all of my customers, I
would be happy to describe how to do this in rich detail.

Note that the problem isn't just with "the administrator" account. Any
account with too many rights to the domain or DCs is a problem. This
includes EAs, DAs, ServOps, PrintOps, Backup Ops, people with
interactive logon rights to DCs, people with ability to modify system
files or services on DCs including printers.

Set up a single domain forest if you have no real reasons to do
otherwise and have a small set of people, say 3-5 tops who are DA/EA
level rights and everyone else are normal users with some people with
delegated rights to manipulate data in the directory.

The main technical reason for having separate domains in a single forest
is the desire to have different password policies. In longhorn AD due
out at the end of this year it is no longer necessary to have multiple
domains to have multiple policies.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[phil2627]

What do you want to secure against? If you are just going to have
students and teachers as users and one set of admins, you shouldn't need
security that requires separate forests. You get separate forests when
you can't trust the different sets of admins.

On your final question "can someone explain how someone in a child
domain can compromise the forest security"... No I hope no one does tell
you. It isn't something people should be explaining in public forums
because there is nothing you can do about it. Just know that it is
indeed quite easily possible for someone with control of any single DC
In the forest to gain control over the entire forest. At the very end of
the scale someone could start with ONLY physical access to a DC and at
the other end you could start with someone with server op or
administrator rights on a DC with no physical access. It is just a
matter of hops to get to Enterprise Admins. Just as soon as Microsoft
changes the core design of AD enough such that this type of escalation
can be completely blocked and I apply it for all of my customers, I
would be happy to describe how to do this in rich detail.

Note that the problem isn't just with "the administrator" account. Any
account with too many rights to the domain or DCs is a problem. This
includes EAs, DAs, ServOps, PrintOps, Backup Ops, people with
interactive logon rights to DCs, people with ability to modify system
files or services on DCs including printers.

Set up a single domain forest if you have no real reasons to do
otherwise and have a small set of people, say 3-5 tops who are DA/EA
level rights and everyone else are normal users with some people with
delegated rights to manipulate data in the directory.

The main technical reason for having separate domains in a single forest
is the desire to have different password policies. In longhorn AD due
out at the end of this year it is no longer necessary to have multiple
domains to have multiple policies.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Editionwww.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm








- Show quoted text -

Very thorough answer sir. Working backwards, we purchased software to
do password policies at the OU level, so we are covered there
regarding policies. So that eliminates the empty or root domain. I
know you and others are right about the securing the admin account,
but it is reassuring to know others are doing the same thing. Someone
reference you in another post as to you alluding to obtaining Ent.
admin access, but not going into detail and now I know why. Makes
sense. Thanks again.

 

[Brian Desmond [MVP]]

I replied to this in the other group. Try not to multipost.

--
Thanks,
Brian Desmond
Windows Server MVP - Directory Services

www.briandesmond.com

 

[Roger Abell [MVP]]

What do you want to secure against? If you are just going to have students
and teachers as users and one set of admins, you shouldn't need security
that requires separate forests. You get separate forests when you can't
trust the different sets of admins.

or . . .
when you cannot trust in the skill-level of one set of admins.

With multi-forest, security sensitive infomation is much more
simple, as you have an added control over the meaning of
Authenticated Users in the forest with the sensitive data.
In a single forest, great care must be exercised in how any
and all machines allowed to touch that data are configured.

On your final question "can someone explain how someone in a child domain
can compromise the forest security"... No I hope no one does tell you. It
isn't something people should be explaining in public forums because there
is nothing you can do about it. Just know that it is indeed quite easily
possible for someone with control of any single DC In the forest to gain
control over the entire forest. At the very end of the scale someone could
start with ONLY physical access to a DC and at the other end you could
start with someone with server op or administrator rights on a DC with no
physical access. It is just a matter of hops to get to Enterprise Admins.
Just as soon as Microsoft changes the core design of AD enough such that
this type of escalation can be completely blocked and I apply it for all
of my customers, I would be happy to describe how to do this in rich
detail.

Note that the problem isn't just with "the administrator" account. Any
account with too many rights to the domain or DCs is a problem. This
includes EAs, DAs, ServOps, PrintOps, Backup Ops, people with interactive
logon rights to DCs, people with ability to modify system files or
services on DCs including printers.

Set up a single domain forest if you have no real reasons to do otherwise
and have a small set of people, say 3-5 tops who are DA/EA level rights
and everyone else are normal users with some people with delegated rights
to manipulate data in the directory.

The main technical reason for having separate domains in a single forest
is the desire to have different password policies. In longhorn AD due

There is one other main reason - avoidance of the time/knowledge
needed to properly delegate in a single domain and of the on-going
coordination overheads.