Re: Configure an Empty Root in Active Directory
From: TrueTec (TrueTec_at_discussions.microsoft.com)
Date: 04/30/05
- Next message: Roger Abell: "Re: EFS and transparent file sharing on XP pro"
- Next in thread: Steven L Umbach: "Re: Configure an Empty Root in Active Directory"
- Reply: Steven L Umbach: "Re: Configure an Empty Root in Active Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 30 Apr 2005 00:23:50 -0700
Thanks for spending the time to respond to my post. It helped me clarify some
of the questions I had about protecting the network from intruders.
--
James

"Steven L Umbach" wrote:

> The link below explains why some consider the empty root domain. It
> basically is used to control the Enterprise Admins group so that the
> administrators in the root domain can not abuse their powers for child
> domains. If all "active" domains are child domains then they are considered
> equal as far as the power of a domain admin in each domain. The domain
> administrator and all other admin groups in the root domain would then be
> closely controlled and limited. Unfortunately for what you propose to do,
> an empty root domain would not offer any security benefit because if the
> root domain in the forest has been compromised, then the whole forest has
> been compromised since the attacker now has Enterprise Admin powers in the
> forest. Also there are ways that a skilled malicious domain admin in any
> domain in a forest could possibly gain domain admin powers in any domain in
> the forest and because of such separate forests should be used if that is a
> concern. For forest or external trusts you would want to make sure that SID
> filtering is enabled [which it is by default] to remove that vulnerability
> as shown in the second link below.
>
> http://www.windowsitpro.com/Article/ArticleID/23521/23521.html
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/01e5cf71-b317-4967-82a2-75b7b632b746.mspx
>
> To protect your domain it would be good to read the Windows 2003 Server
> Security Guide for how to improve such with strong password policy,
> auditing, patch management, antivirus protection strategy, operating system
> hardening and using baseline security templates, prudent usage of domain
> admin credentials, only giving trusted and competent people domain admin
> powers, and physical security for sensitive computers - particularly domain
> controllers.
>
> --
> Steve
>
> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx -- Windows 2003 Server Security Guide
>
> "TrueTec" <TrueTec@discussions.microsoft.com> wrote in message
> news:A901D807-B317-4C93-A020-A3D68DB67F89@microsoft.com...
> > I'm in the process of configuring an Active Directory domain in Windows
> > 2003 Server and I want to set up an empty root to protect my domain objects
> > such as user accounts and domain objects from attempted breaches of security,
> > so if someone breaches the domain they won't see any object to tamper with.
> > If anyone could help me I would appreciate it greatly.
> > --
> > James
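The two controls Steve's reply rests on, a tightly controlled set of root-domain admins and SID filtering on every forest or external trust, can be audited from the forest root. This is an added example, not code from the thread or from either poster; it assumes the ActiveDirectory RSAT module is installed and the account running it can read the forest root domain.

```powershell
# Added audit for the two points above (not from the thread).
# Assumes: ActiveDirectory RSAT module; read access to the forest root domain.
Import-Module ActiveDirectory

$rootDomain = (Get-ADForest).RootDomain
$rootDc = (Get-ADDomainController -DomainName $rootDomain -Discover).HostName[0]

# 1. Root-domain privileged groups: expand nesting so indirect members show up.
foreach ($group in 'Enterprise Admins', 'Schema Admins', 'Domain Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Server $rootDc -Recursive)
    '{0,-17} {1,3} member(s): {2}' -f $group, $members.Count,
        (($members | Select-Object -ExpandProperty SamAccountName | Sort-Object) -join ', ')
}

# 2. SID-filtering state per trust, decoded from the trustAttributes flags (MS-ADTS):
#    0x4  QUARANTINED_DOMAIN  external trust: SIDs from outside the trusted domain are dropped
#    0x8  FOREST_TRANSITIVE   forest trust
#    0x40 TREAT_AS_EXTERNAL   forest trust relaxed to external-level filtering, i.e. SID
#                             history is honoured (what "netdom trust ... /enablesidhistory:Yes" sets)
Get-ADTrust -Filter * -Server $rootDc | ForEach-Object {
    $attr = [int]$_.TrustAttributes
    if ($_.IntraForest) {
        $type = 'Intra-forest'
        $state = 'n/a (same forest = same security boundary)'
    } elseif ($attr -band 0x8) {
        $type = 'Forest'
        $state = if ($attr -band 0x40) { 'WEAKENED: SID history honoured' } else { 'OK: forest-aware filtering' }
    } else {
        $type = 'External'
        $state = if ($attr -band 0x4) { 'OK: quarantined' } else { 'OFF: SID filtering disabled' }
    }
    [pscustomobject]@{ Trust = $_.Name; Type = $type; Direction = $_.Direction; SidFiltering = $state }
} | Format-Table -AutoSize
```

On Windows 2003-era tooling the same trust state is shown by `netdom trust <trusting domain> /domain:<trusted domain> /quarantine` (external trusts) and `/enablesidhistory` (forest trusts) with no value supplied.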