Establishing secure Active Directory boundaries - Part 2

Part two of a tip on organizing your Active Directory trees as securely as possible.

Click here to read Part 1 of this tip.

When designing the layout of your domains and forests, keep in mind the issues of intranet vs. extranet. In this instance an extranet is any network that is not exclusively private. So an extranet could include a border network, a perimeter network, a buffer network, a DMZ or any network hosting publicly (read Internet) accessible systems. The domain controllers in any domain with direct or near-direct Internet connectivity are at risk of compromise. If a domain controller is attacked and compromised, it could result in data disclosure or alteration by unauthorized external intruders. Often a breach of security of your extranet can also lead to intrusion of your intranet.

In order to minimize this risk, deploy distinct and separate services in the extranet rather than relying upon the services in the intranet. This should involve deploying a separate forest for extranet domains to completely separate private network data from externally accessible network data. Likewise, any administrator responsible for privileged tasks in the intranet and extranet should use different and distinct user accounts in order to maintain and support the separation. Only through the establishment of this security barrier of "empty space" or non-linking of services and resources can you be assured that an extranet intrusion does not lead to an intranet intrusion as well.

While it is possible and often desirable to establish trusts between forests, it is important to maintain a separation between intranet forests and extranet forests. However, within the intranet or within the extranet, there may be multiple forests due to departmental political issues or separations of administration and responsibility. Often being able to use security principles (i.e. user accounts and resources) from one domain of a forest in a domain of another forest is beneficial. In order to support this functionality, Windows 2000 and Windows 2003 Active Directory forest support two forms of trusts: external and forest trust. An external trust links two domains in separate forests. It can be a one-way or a two-way trust, but it is always a non-transitive trust. A forest trust is a link between two forests so all domains in one forest trust all the domains in another forest. Forest trusts can be a one-way or a two-way trust, but it is always a transitive trust.

The use of trusts raises the issues of SID spoofing for privilege escalation and rogue administrators. I'll discuss these issues and countermeasures in next week's tip.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in February 2004

Dig deeper on Microsoft Active Directory Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close