A multi-forest Active Directory implementation can be a breeding ground for hackers if it isn't secured from the get-go. Yet, "successfully managing multiple forests takes extra effort and people," said Active Directory expert Dave Peterson.
In other words, keeping hackers out and keeping a secure Active Directory functioning well takes time and dedication. To help administrators work smarter, not harder, when managing Active Directory, Peterson, senior product manager, and Marcus Erickson, product architect, both at NetIQ Corp., offered these tips on securing an Active Directory multi-forest implementation. Peterson and Erickson create tools to secure, administer and manage Active Directory.
Do use SID filtering between forests to prevent potential security exposures, said Peterson. Security Identifiers, or SIDs, are used to represent user accounts within a domain. They determine the various permissions assigned to that account. "In Windows 2000 environments, trust relationships between domains in the same forest have automatic, two-way transitive trusts allowing users from one trusted domain to access a resource in another," he said. Without adequate filtering, Peterson said, a hacker could attach a trusting domain's SID to the authorization data and gain access to a domain without being authorized by the domain.
Don't populate administrative groups from one forest with accounts from outside the forest, Erickson said. "This creates a security vulnerability by breaking down the security boundary between the forests." If one forest is hacked, the hacker may get a bonus by also getting administrative rights in the second forest, he said.
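One way to check for the problem Erickson describes is to audit the privileged groups for members that live under the forest's ForeignSecurityPrincipals container, which is where accounts from outside the forest are represented. The script below is an added example, not part of the article or NetIQ's tooling; it assumes the RSAT ActiveDirectory module and read access to group membership, and the group list is an assumption you should extend for your environment.

```powershell
Import-Module ActiveDirectory

# Groups whose membership defines the forest's security boundary (assumed list; extend as needed).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

function Get-ForeignPrivilegedMembers {
    param([string[]]$Groups = $PrivilegedGroups)
    $seen  = @{}
    $queue = [System.Collections.Queue]::new()
    foreach ($g in $Groups) {
        try   { $grp = Get-ADGroup -Identity $g -Properties member }
        catch { Write-Warning "Group '$g' not found in this domain"; continue }
        $queue.Enqueue(@{ Root = $g; Dn = $grp.DistinguishedName })
    }
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        if ($seen.ContainsKey($item.Dn)) { continue }   # guard against nested-group loops
        $seen[$item.Dn] = $true
        $members = (Get-ADGroup -Identity $item.Dn -Properties member).member
        foreach ($dn in $members) {
            if ($dn -match '^CN=(S-1-5-21-[^,]+),CN=ForeignSecurityPrincipals,') {
                # Only domain SIDs (S-1-5-21-...) are accounts from another forest; well-known SIDs
                # such as Authenticated Users also live in this container and are skipped.
                $sid  = $Matches[1]
                $name = try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                                [System.Security.Principal.NTAccount]).Value }
                        catch { '<unresolved: trust or lookup failed>' }
                [pscustomobject]@{
                    PrivilegedGroup = $item.Root
                    ViaGroup        = $item.Dn
                    ForeignSid      = $sid
                    ResolvedName    = $name
                }
            }
            else {
                # Expand nested groups from this forest; users and computers need no further look.
                $obj = Get-ADObject -Identity $dn -Properties objectClass -ErrorAction SilentlyContinue
                if ($obj -and $obj.objectClass -eq 'group') {
                    $queue.Enqueue(@{ Root = $item.Root; Dn = $dn })
                }
            }
        }
    }
}

Get-ForeignPrivilegedMembers | Format-Table -AutoSize
```

Any row in the output is an account from outside the forest holding administrative rights here; run it against each forest in the implementation, since membership is evaluated per domain.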
Do plan for additional effort and tools to synchronize information between forests, Peterson said. This is especially true if a forest is built to host the organization's Exchange 2000 environment. "In this case, you will need to synchronize the accounts between the account forest and the Exchange forest," he said. This process is complex, and native tools do not provide sufficient support for this type of replication.
Don't think the multi-forest Active Directory model guarantees security, Peterson said. You still must carefully plan your security model. "This plan should include the use of trusts between forests, access control lists (ACLs) and group policy objects," he said. Proper use of these technologies creates a very secure network, but improper use opens security holes. For example, said Peterson, "if you grant too many permissions through an ACL, you can accidentally give a user access to resources they shouldn't have." So if you want to give someone permission to change passwords, don't give them full permission over the object; give them only the ability they need.
Do plan on the extra cost of managing a multi-forest implementation. "Plan on providing additional training and processes beyond what would be needed to manage a single forest," said Erickson.