davidsmi
Welcome Newcomer
Canada
2 Posts
Status: offline
Posted - 07/11/2012 : 12:09:40 PM
Back to the old question of when to create a new Domain / OU or Forest.
This is a situation of a customer who is running some very secure servers, but would like to save money by using their corporate forest or domain.
I have pointed out that they have minimal exposure to new risks by using an existing domain...
* Domain / Enterprise Administrators
* Policy changes - passwords, GPOs
* Service issues - their outage is your outage
On the positive side I've pointed out...
* Lower operational costs (fewer people and servers)
* The AD Team may do a better job of running / securing AD than your team
Thoughts - has this changed at all with Windows 2008 R2?
David
Jazzy
Administrator
Netherlands
1926 Posts
Status: offline
Posted - 07/11/2012 : 12:22:14 PM
A domain is not a security boundary, a forest is. A domain administrator can gain access to Enterprise Admins fairly easily, thus can control every domain in the forest.
Jetze Mellema
Exchange specialist, Former MVP (2005-2012)
My blog: http://jetzemellema.blogspot.com (Dutch)
My company: http://www.imara-ict.nl/
wkasdo
Administrator
Netherlands
7403 Posts
Status: offline
Posted - 07/11/2012 : 12:56:41 PM
> has this changed at all with Windows 2008 R2?
No, not at all.
Make it as simple as you can, but not simpler -- Albert Einstein
davidsmi
Welcome Newcomer
Canada
2 Posts
Status: offline
Posted - 07/11/2012 : 1:00:10 PM
I agree Enterprise Admins can do as they please, and smart ones can make it hard for you to figure it out!
But what about Domain Admins - can they still make themselves Enterprise Admins in a reasonable fashion?
I want good security - but you have to trust someone - for example your VMware administrators could take home your images and hack them.
wkasdo
Administrator
Netherlands
7403 Posts
Status: offline
Posted - 07/11/2012 : 2:45:39 PM
> but you have to trust someone
Well, that's true. And virtualization admins are a good example. So we need to talk about what you mean by "secure". Secure against what? External or internal people? If internal, which ones?
For instance, if you are not careful some unexpected people may have access to your secure server. In addition to those mentioned, what about storage admins, backup operators, cleaners, perhaps delegated admins having control over critical groups, etc...
> But what about Domain Admins - can they still make themselves Enterprise Admins in a reasonable fashion?
Not as easy as it was. But yes, the sidHistory injection attack still works. So another domain in the same forest has no value, from a security perspective. On the other hand, with the same effort you have a new single-domain forest that is definitely more secure. And trust relations can be locked down pretty well, nowadays.
Start with the people you need to trust, and take it from there.
Make it as simple as you can, but not simpler -- Albert Einstein
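The two escalation paths the replies above describe (a domain admin adding themselves to Enterprise Admins, and a sIDHistory write carrying a privileged SID) both leave traces in the Security log of the domain controller that processed the change. The following is an added example written for this thread, not code from any poster; it triages constructed event records for Security event IDs 4728/4756 (member added to a global/universal group), 4765 (SID History added) and 4766 (SID History add failed). The field names (`SubjectUserName`, `TargetUserName`, `MemberName`, `SourceSid`) are modelled on the Security-log schema but should be treated as assumptions and mapped to whatever your collector emits; the sample records and SIDs are invented.

```python
"""Triage constructed Windows Security-log records for Tier-0 group changes
and sIDHistory writes (added example; field names are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Windows Security event IDs (real IDs from the Security log)
EVT_GLOBAL_GROUP_MEMBER_ADDED = 4728     # member added to a security-enabled global group
EVT_UNIVERSAL_GROUP_MEMBER_ADDED = 4756  # member added to a security-enabled universal group
EVT_SID_HISTORY_ADDED = 4765             # SID History was added to an account
EVT_SID_HISTORY_ADD_FAILED = 4766        # attempt to add SID History to an account failed

# Groups whose membership change should always page someone
TIER0_GROUPS = {"Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators"}

# Well-known RIDs of privileged principals; a SID is "<domain SID>-<RID>"
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}


@dataclass
class Alert:
    severity: str
    event_id: int
    subject: str   # account that performed the change
    detail: str


def privileged_rid_name(sid: str) -> Optional[str]:
    """Return the well-known group name if the SID ends in a privileged RID, else None."""
    try:
        rid = int(sid.rsplit("-", 1)[1])
    except (IndexError, ValueError):
        return None
    return PRIVILEGED_RIDS.get(rid)


def triage_events(events: List[Dict[str, str]]) -> List[Alert]:
    """Walk event records and emit an Alert for each escalation-relevant change."""
    alerts: List[Alert] = []
    for ev in events:
        eid = int(ev["EventID"])
        subject = ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName", "?")
        if eid in (EVT_GLOBAL_GROUP_MEMBER_ADDED, EVT_UNIVERSAL_GROUP_MEMBER_ADDED):
            # TargetUserName is the group; MemberName is the DN of the added member
            if target in TIER0_GROUPS:
                alerts.append(Alert("high", eid, subject,
                                    f"{ev.get('MemberName', '?')} added to {target}"))
        elif eid == EVT_SID_HISTORY_ADDED:
            # A privileged RID in sIDHistory is the injection case from the thread
            sid = ev.get("SourceSid", "")
            name = privileged_rid_name(sid)
            severity = "critical" if name else "high"
            what = f"privileged SID ({name})" if name else "SID"
            alerts.append(Alert(severity, eid, subject,
                                f"{what} {sid} written to sIDHistory of {target}"))
        elif eid == EVT_SID_HISTORY_ADD_FAILED:
            alerts.append(Alert("medium", eid, subject,
                                f"failed sIDHistory write on {target}"))
    return alerts


# Constructed sample records (not real log data; values are invented)
SAMPLE_EVENTS = [
    {"EventID": "4756", "SubjectUserName": "jdoe", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": "4756", "SubjectUserName": "jdoe", "TargetUserName": "Print Operators",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=example"},
    {"EventID": "4765", "SubjectUserName": "childadmin", "TargetUserName": "svc-backup",
     "SourceSid": "S-1-5-21-1111111111-2222222222-3333333333-519"},
    {"EventID": "4766", "SubjectUserName": "childadmin", "TargetUserName": "svc-backup"},
]

if __name__ == "__main__":
    for a in triage_events(SAMPLE_EVENTS):
        print(f"[{a.severity}] event {a.event_id} by {a.subject}: {a.detail}")
```

Because the Security log of every domain controller is written by that domain, a child-domain admin who can tamper with their own DCs can also tamper with this evidence; that is the practical reason the replies treat the forest, not the domain, as the boundary. Forwarding these events off-box to a collector the child domain does not control is the usual mitigation.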