Tip

Establishing secure Active Directory boundaries - Part 2

James Michael Stewart, Contributor

Click here to read Part 1 of this tip.

When designing the layout of your domains and forests, keep in mind the issues of intranet vs. extranet. In this instance an extranet is any network that is not exclusively private. So an extranet could include a border network, a perimeter network, a buffer network, a DMZ or any network hosting publicly (read Internet) accessible systems. The domain controllers in any domain with direct or near-direct Internet connectivity are at risk of compromise. If a domain controller is attacked and compromised, it could result in data disclosure or alteration by unauthorized external intruders. A security breach of your extranet can often lead to an intrusion of your intranet as well.

In order to minimize this risk, deploy distinct and separate services in the extranet rather than relying upon the services in the intranet. This should involve deploying a separate forest for extranet domains to completely separate private network data from externally accessible network data. Likewise, any administrator responsible for privileged tasks in the intranet and extranet should use different and distinct user accounts in order to maintain and support the separation. Only through the establishment of this security barrier of "empty space" or non-linking of services and resources can you be assured that an extranet intrusion does not lead to an intranet intrusion as well.

While it is possible and often desirable to establish trusts between forests, it is important to maintain a separation between intranet forests and extranet forests. However, within the intranet or within the extranet, there may be multiple forests due to departmental political issues or separations of administration and responsibility. Often being able to use security principals (i.e. user accounts and resources) from one domain of a forest in a domain of another forest is beneficial. In order to support this functionality, Windows 2000 and Windows 2003 Active Directory forests support two forms of trusts: external trusts and forest trusts. An external trust links two domains in separate forests. It can be a one-way or a two-way trust, but it is always a non-transitive trust. A forest trust is a link between two forests, so that all domains in one forest trust all the domains in the other. A forest trust can be one-way or two-way, but it is always a transitive trust.
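The two rules above (keep extranet and intranet forests unlinked; know that an external trust reaches exactly two domains while a forest trust reaches every domain in both forests) can be checked against a trust inventory before anyone creates a trust. The following Python model is an added example written for this page, not code from the original tip; the domain, forest and trust names in it are constructed, and its `expand_trusts` function simply works out which domain ends up trusting which under the intra-forest, external and forest trust rules, then `boundary_violations` flags any resulting pair that crosses the intranet/extranet line. It also reflects one detail the tip's summary does not spell out: a forest trust is transitive across the two forests it joins, but it does not chain on to a third forest.

```python
"""Model of Active Directory trust reach used to audit an intranet/extranet boundary.

Constructed example (not from the original tip): all names below are assumed.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Domain:
    name: str    # DNS name of the domain
    forest: str  # name of the forest root the domain belongs to
    zone: str    # "intranet" or "extranet"


@dataclass(frozen=True)
class Trust:
    kind: str        # "external": domain-to-domain, non-transitive
                     # "forest":   forest-to-forest, covers every domain in both forests
    trusting: str    # domain (external) or forest (forest) whose resources are exposed
    trusted: str     # domain (external) or forest (forest) whose principals are accepted
    two_way: bool = False


def expand_trusts(domains, trusts):
    """Return the set of (trusting_domain, trusted_domain) pairs implied by the
    forest layout and the configured trusts.  A pair (a, b) means principals
    from domain b may be granted access to resources in domain a."""
    by_forest = {}
    for d in domains:
        by_forest.setdefault(d.forest, []).append(d.name)
    edges = set()
    # Inside one forest every domain trusts every other (the automatic two-way,
    # transitive parent/child and tree-root trusts).
    for members in by_forest.values():
        edges.update((a, b) for a, b in product(members, repeat=2) if a != b)
    for t in trusts:
        directions = [(t.trusting, t.trusted)]
        if t.two_way:
            directions.append((t.trusted, t.trusting))
        for src, dst in directions:
            if t.kind == "external":
                # Non-transitive: only the two named domains are linked.
                edges.add((src, dst))
            elif t.kind == "forest":
                # Transitive across the two forests: every domain of the trusting
                # forest trusts every domain of the trusted forest.  Nothing here
                # follows other forest trusts, so it does not chain to a third forest.
                edges.update(product(by_forest[src], by_forest[dst]))
            else:
                raise ValueError(f"unknown trust kind: {t.kind}")
    return edges


def boundary_violations(domains, trusts):
    """Trust pairs that cross the intranet/extranet line in either direction."""
    zone = {d.name: d.zone for d in domains}
    return sorted((a, b) for a, b in expand_trusts(domains, trusts)
                  if zone[a] != zone[b])


# Constructed layout: two intranet forests (kept separate for administrative
# reasons) and one extranet forest for the DMZ.
DOMAINS = [
    Domain("corp.example", "corp.example", "intranet"),
    Domain("eu.corp.example", "corp.example", "intranet"),
    Domain("research.example", "research.example", "intranet"),
    Domain("dmz.example", "dmz.example", "extranet"),
]

# A one-way forest trust lets research.example principals into the corp forest,
# plus a stray external trust from eu.corp.example to the DMZ domain, which is
# the misconfiguration the audit should catch.
TRUSTS = [
    Trust("forest", trusting="corp.example", trusted="research.example"),
    Trust("external", trusting="eu.corp.example", trusted="dmz.example"),
]

if __name__ == "__main__":
    for a, b in boundary_violations(DOMAINS, TRUSTS):
        print(f"boundary crossed: {a} trusts {b}")
```

Run as-is it reports the single external trust from `eu.corp.example` to `dmz.example`; drop that trust from `TRUSTS` and the report is empty, while `corp.example` never trusts `dmz.example` even with the stray trust in place, because an external trust does not propagate to the rest of the forest.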

The use of trusts raises the issues of SID spoofing for privilege escalation and rogue administrators. I'll discuss these issues and countermeasures in next week's tip.


James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.


This was first published in February 2004
