Is 'security' provided by AD trusts worthless ?

  • Thread starter Thread starter Magoo
  • Start date Start date
M

Magoo

Imagine I setup an one way trust between two forests, where "Mystudent"
trusts "Mystaff" forest. Then I manage to separate resources (file servers,
printers) for both staff and students.

How such one way trust and forest/domain separation could give me additional
security ?
Imagine a "student" logged on to the student domain attempts to query and
brake accounts out of "mystaff" domain:

I have an AD fellow here that tells me that such security provided by
isolating the domain is very minimal and worthless.

Please confirm.
 
Magoo said:
Imagine I setup an one way trust between two forests, where "Mystudent"
trusts "Mystaff" forest. Then I manage to separate resources (file servers,
printers) for both staff and students.

How such one way trust and forest/domain separation could give me additional
security ?
Imagine a "student" logged on to the student domain attempts to query and
brake accounts out of "mystaff" domain:
Click to expand...

This is not good example - If you will have a service which will be
avilable in internet, for example SMTP with authentication in domain,
any person in the world can try to query and break Your accounts
security by trying to guess the password.

The only way to protect against it is set some rules like password
policy and account policy.

Beside your situation with staff and students and talking about general
situation - when you have some resources in two separated divisions or
companies, and you have to share some resources between these divisions
it is better to built separated networks and then put some connection
between these organisation to share only specified resources then to put
both organisation on the same "wire" and then working on providing
some security in this environment.

Remeber that when you have two domain You also have domain admins in
both domains - in one forest You cann't be sure thath domain admin from
one domain will not get rights in other domain.

Using trusts you can separate administrators role - administrator from
forest A can be ordinary user in forest B and You can built one way
trust relationship, you can't do this in single forest with multiple domain.
I have an AD fellow here that tells me that such security provided by
isolating the domain is very minimal and worthless.
Click to expand...

If You want to control access to resources in mystaff domain on the
trusts between forests You can take advantage of selective
authentication functionality, which lets You control accesss to the
resources in very strict manner:
http://www.microsoft.com/technet/pr...ons/9266b197-7fc9-4bd8-8864-4c119ceecc00.mspx

These are few things which comes to my mind now - I will be glad to get
to know your friends arguments about this that forest doesn't provide
additional security in AD design.

It's late here (in my time zone) and myabe my thought wasn't clear
 
In my case, politics or separation of domain administration is not an issue.
If I create a separate domain-forest for "students", the domain
administrator for both domains would be the same individual. That means a
separate domain-forest won't me help there.
My case is really protecting payroll, accounting, financial, student
database records against students since students don't need to access those
resources in the first place. As we already know, if a student can put
connect his laptop to the same subnets where staff is connected to, honestly
I can't see how a separate logical boundary such as an additional domain
would help. Correct if I am wrong, but this idea of separate forests-domains
will make sense only the day that I can also provide separate
subnets/networks to my student population. Otherwise it seems that the
hassle of setting up a logical forest boundary doesn't make a lot of sense
indeed.
 
Magoo,

Maybe I am missing something here. But trusts simply afford us the
possibility of accessing objects ( resources ) in other domains. It is the
NTFS and Share permissions that control who can access what. Or am I
missing something?

If the problem is that you can not trust the Domain Admin(s) then this is
not a technical problem but an HR problem. I was a Domain Admin and an
Enterprise Admin where I used to work. I had access to
everything.....offers, negotiations for movie contracts, payroll and
everything. I never thought - not for a split second - about taking
advantage of this. And I am pretty sure that no one every suspected that I
might be sneaking around. If there are suspicions that the Admin is doing
this then this needs to be handled. But it is not a technical issue.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



Magoo said:
In my case, politics or separation of domain administration is not an
issue. If I create a separate domain-forest for "students", the domain
administrator for both domains would be the same individual. That means a
separate domain-forest won't me help there.
My case is really protecting payroll, accounting, financial, student
database records against students since students don't need to access
those resources in the first place. As we already know, if a student can
put connect his laptop to the same subnets where staff is connected to,
honestly I can't see how a separate logical boundary such as an additional
domain would help. Correct if I am wrong, but this idea of separate
forests-domains will make sense only the day that I can also provide
separate subnets/networks to my student population. Otherwise it seems
that the hassle of setting up a logical forest boundary doesn't make a lot
of sense indeed.
Click to expand...
 
IMO.

The big wins for separate internal production forests are

1. Administrative separation as Tomasz layed out. As he indicated, you can't
protect a forest from a rogue admin in any given domain. If you have the same
people managing all domains in both forests, this is moot.

2. Exchange separation. This is both for functionality as well as security.
Exchange Dev kind of screwed the pooch with their security model and if you want
different Exchange and AD Admins it can be difficult to implement in a single
forest architecture. Also if you have a multidomain forest it is often very
smart to pull Exchange into a separate single domain forest for functionality
reasons. Basically Exchange has some serious issues in multidomain forests
unless you configure things in very special ways.

3. Easy breakup for divestiture.


A company will also break out separate forests for Test environments (especially
testing of AD applications or schema mods) and for internal/external resource
separation, i.e. DMZ/B2x utilization.


If you don't have one of the reasons above I would be hesistant to confuse the
architecture and that is exactly what multiple forests (or even multiple
domains) will do for you. It adds considerable management overhead. The
reasoning behind doing it should be good.


Something you can do is stuff all of the important needs to be hidden info into
AD/AM and just use AD for NOS operations. AD/AM can easily be locked down to the
point where students won't get much if anything with AD/AM still being on a
member server in the same domain/forest so you are able to use your domain as
the auth source.

AD can be locked down a little better now with the confidentiality bit that is
available in K3 SP1 but I would still recommend pushing the confidential data to
AD/AM before trying to hide it in AD.

joe
 
Thanks much Joe. No, in my organization domain admins will be the same for
students and staff. There is no need for domain administration separation in
the foreseeable future here. I will be looking into your ADAM suggestion
though, that looks interesting.
 
Back
Top