Forest choice design implications

Active Directory (AD) and the Security Accounts Manager (SAM) represent the cradle of security in any Windows Server 2003 (or earlier) domain. An AD network (whether a single forest containing a single domain, a forest containing multiple domains, or a network of multiple forests) is only as secure as the administrative practices of the enterprise or organization that runs it.

The notion that highly sensitive resources can only be secured in their own domains or forests because of the administrative and security boundaries provided by them is at best misguided and at worst a misnomer. Any value factored in from the utility of the administrative or security boundary is quickly eroded by the administrative burden in operating and managing multiple domains and forests.

Technically, a domain affords multiple entities of an enterprise (such as the subsidiaries of a company) the capability to organize and administer their own security policy, their own group policy, their own distributed file system, and so on. However, the domain boundary does not necessarily make those resources more secure. The reason is simple: the domains in a single forest trust each other through bi-directional, implicit, transitive trusts, and thus the domains are not separated by an impenetrable security boundary.

Only a separate forest fully secures two domains from each other, because the trusts between forests are not transitive, are not bi-directional, and must be explicitly created (like the trusts between NT 4.0 domains, and the trusts between Windows Server 2003 and other NOSs such as a Unix realm). However, when forests are managed by the same team of people, or resources need to be shared between them, the administrative boundaries tend to erode. They are then penetrated far more easily and far more quickly than the boundaries of a single resource domain, and often without the knowledge of the organization. Doors will inevitably be opened to ease the administrative burden.
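The trust properties just described can be checked rather than assumed. The following script is an added example (not from this chapter) that inventories the trusts a domain participates in and flags the cross-forest ones whose configuration has drifted toward the fully open, two-way, transitive behaviour that intra-forest trusts always have. It assumes the ActiveDirectory PowerShell module, which ships with RSAT on Windows Server 2008 R2 and later; on the Server 2003 systems the chapter describes, `nltest /domain_trusts` is the equivalent query, and the property names used here are those of the `Get-ADTrust` cmdlet.

```powershell
# Added example: report on trust boundaries for the current domain.
# Requires the ActiveDirectory module (RSAT); not available on Server 2003 itself.
Import-Module ActiveDirectory

function Get-TrustBoundaryReport {
    # Every trust object the local domain holds (inbound, outbound, or both).
    $trusts = Get-ADTrust -Filter *

    foreach ($t in $trusts) {
        $findings = @()

        if ($t.IntraForest) {
            # Intra-forest trusts are implicit, two-way and transitive by design;
            # nothing to tune here, which is exactly the chapter's point.
            $findings += 'intra-forest (implicit, transitive, two-way by design)'
        }
        else {
            # Cross-forest trusts are the only place the boundary can be enforced,
            # so record each setting that weakens it.
            if ($t.Direction -eq 'BiDirectional') {
                $findings += 'two-way trust'
            }
            if ($t.ForestTransitive) {
                $findings += 'forest-transitive'
            }
            if (-not $t.SIDFilteringQuarantined) {
                $findings += 'SID filtering (quarantine) not enabled'
            }
            if (-not $t.SelectiveAuthentication) {
                $findings += 'selective authentication not enabled'
            }
        }

        [pscustomobject]@{
            Partner       = $t.Name
            TrustType     = $t.TrustType
            Direction     = $t.Direction
            IntraForest   = $t.IntraForest
            # A cross-forest trust with three or more weakening settings is
            # effectively as open as an intra-forest trust; review it first.
            ReviewNeeded  = (-not $t.IntraForest) -and ($findings.Count -ge 3)
            Findings      = ($findings -join '; ')
        }
    }
}

Get-TrustBoundaryReport | Sort-Object ReviewNeeded -Descending | Format-Table -AutoSize
```

Run it from a domain-joined host with an account that can read the domain's trusted-domain objects; the `ReviewNeeded` column lists the cross-forest trusts where the separate forest no longer buys the separation the chapter describes.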

All that is needed to bring down the domain or forest boundaries is the compromise of the key administrator accounts. It is clear that if a single organization such as MCITY entertains multiple domains and multiple forests, the result will be a far more expensive and awkward architecture for its Active Directory implementation than a single forest with one operations (resource) domain for all companies.

The design and architecture described in this chapter is geared in every way, shape, and form around one operations domain — that is, a forest root domain responsible for forest-maintenance operations. This enables all administrative burdens, resources, and tools to be handled by a single domain's security and administrative team. The security of the domain is also ensured by installing a granular and hierarchical administrative design, described in this chapter, which is backed by the most sophisticated security mechanisms available to Active Directory and Windows Server 2003.

In this regard, it is critical to be aware that, should it be determined that the single resource domain will be forgone in favor of a multiple-domain model, or possibly a multiple-forest model, this architecture must be significantly reworked to accommodate the new model, at a significantly greater cost in both the short and long terms. The architecture for hardware, software, tools, human resources, and WAN traffic will be significantly affected as a result.
