Re: Configure an Empty Root in Active Directory
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 04/30/05
- Previous message: Roger Abell: "Re: EFS and transparent file sharing on XP pro"
- In reply to: TrueTec: "Re: Configure an Empty Root in Active Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 30 Apr 2005 12:59:23 -0500
No problem and good luck. --- Steve
"TrueTec" <TrueTec@discussions.microsoft.com> wrote in message
news:DF066D4A-4248-42CB-B16F-AC11001AE9BB@microsoft.com...
> Thanks for spending the time to respond to my post. It helped me clarify
> some of the questions I had about protecting the network from intruders.
> --
> James
>
>
> "Steven L Umbach" wrote:
>
>> The link below explains why some consider the empty root domain. It
>> basically is used to control the Enterprise Admins group so that the
>> administrators in the root domain can not abuse their powers for child
>> domains. If all "active" domains are child domains then they are
>> considered equal as far as the power of a domain admin in each domain.
>> The domain administrator and all other admin groups in the root domain
>> would then be closely controlled and limited. Unfortunately for what you
>> propose to do, an empty root domain would not offer any security benefit
>> because if the root domain in the forest has been compromised, then the
>> whole forest has been compromised since the attacker now has enterprise
>> admin powers in the forest. Also there are ways that a skilled malicious
>> domain admin in any domain in a forest could possibly gain domain admin
>> powers in any domain in the forest, and because of such, separate forests
>> should be used if that is a concern. For forest or external trusts you
>> would want to make sure that SID filtering is enabled [which it is by
>> default] to remove that vulnerability, as shown in the second link below.
>>
>> http://www.windowsitpro.com/Article/ArticleID/23521/23521.html
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/01e5cf71-b317-4967-82a2-75b7b632b746.mspx
>>
>> To protect your domain it would be good to read the Windows 2003 Server
>> Security Guide for how to improve such with strong password policy,
>> auditing, patch management, antivirus protection strategy, operating
>> system hardening and using baseline security templates, prudent usage of
>> domain admin credentials, only giving trusted and competent people domain
>> admin powers, and physical security for sensitive computers - particularly
>> domain controllers. --- Steve
>>
>> http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx
>> -- Windows 2003 Server Security guide
>>
>> "TrueTec" <TrueTec@discussions.microsoft.com> wrote in message
>> news:A901D807-B317-4C93-A020-A3D68DB67F89@microsoft.com...
>> > I'm in the process of configuring an Active Directory domain in Windows
>> > 2003 Server and I want to set up an empty root to protect my domain
>> > objects such as user accounts and domain objects from attempted breaches
>> > of security, so if someone breaches the domain they won't see any object
>> > to tamper with. If anyone could help me I would appreciate it greatly.
>> > --
>> > James
>>
>>
>>
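The advice above to confirm that SID filtering is enabled on forest and external trusts can be turned into a routine check. The script below is an added example and is not from the thread or from Microsoft's documentation. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later); on the Windows Server 2003 systems discussed in the thread the equivalent check is `netdom trust <trusting-domain> /domain:<trusted-domain> /quarantine`, which reports the current setting when run without Yes/No. The bit values are the trustAttributes flags defined in MS-ADTS; the reading that the TREAT_AS_EXTERNAL bit is what `netdom /enablesidhistory:yes` sets is this example's interpretation and should be confirmed against netdom output before relying on it.

```powershell
# Added example: audit SID filtering on every trust of the current domain.
# Not code from the thread; assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS). Interpretations are this example's.
$QUARANTINED_DOMAIN = 0x4   # SID filtering ("quarantine") on an external trust
$FOREST_TRANSITIVE  = 0x8   # the trust is a forest trust
$TREAT_AS_EXTERNAL  = 0x40  # forest trust relaxed to external-style filtering
                            # (assumed to correspond to netdom /enablesidhistory:yes)

function Test-TrustSidFiltering {
    param([Parameter(Mandatory)] $Trust)
    $attr = [int]$Trust.TrustAttributes

    if ($attr -band $FOREST_TRANSITIVE) {
        # A forest trust filters SIDs to the partner forest by default;
        # the TREAT_AS_EXTERNAL bit weakens that, so flag it for review.
        $kind = 'Forest'
        $ok   = -not ($attr -band $TREAT_AS_EXTERNAL)
    } else {
        # External and other non-forest trusts rely on the quarantine bit.
        $kind = 'External/other'
        $ok   = [bool]($attr -band $QUARANTINED_DOMAIN)
    }

    [pscustomobject]@{
        Trust        = $Trust.Name
        Direction    = $Trust.Direction
        Kind         = $kind
        SidFiltering = if ($ok) { 'enabled' } else { 'WEAKENED - review' }
        Attributes   = ('0x{0:X}' -f $attr)
    }
}

# Enumerate every trust object in the current domain and report each one.
Get-ADTrust -Filter * |
    ForEach-Object { Test-TrustSidFiltering $_ } |
    Format-Table -AutoSize
```

Run it from a domain-joined administrative workstation; any row marked "WEAKENED - review" is a trust where SID history from the partner domain would be honoured, which is exactly the condition the second link in the reply warns against.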