Forest = Security Boundary?

Subject: Forest = Security Boundary?
Posted by:  Gabriel/TFI (GabrielT…@discussions.microsoft.com)
Date: Mon, 12 Feb 2007

I am reading the great book "Active Directory 3rd Edition" by Joe Richards &
Co.
In Chapter 8, "Designing the Namespace", it is said that "The Forest, not
the domain, is the security boundary for AD. Anyone with high-level access
rights on any domain controller in any forest can negatively impact or take
control of any other DC or domain in the forest".

I thought that the domain was the security boundary! :-(
- Does this mean that delegating administrative privileges over domains
(e.g. different BUs) is a bad practice?
- How can an evil-administrator of a child domain compromise another domain
or the entire forest? What techniques can be used to achieve this?

Thanks,
Gabriele
