|Subject:||Re: Forest = Security Boundary?|
|Posted by:||Herb Martin (ne…@LearnQuick.com)|
|Date:||Mon, 12 Feb 2007|
"Gabriel/TFI" <GabrielT…@discussions.microsoft.com> wrote in message
>I am reading the great book "Active Directory 3rd Edition" by Joe Richards
Maybe Joe will (also) responds; his is one of the most helpful posters on
the AD groups.
> In Chapter 8, "Designing the Namespace", it is said that "The Forest, not
> the domain, is the security boundary for AD. Anyone with high-level access
> rights on any domain controller in any forest can negatively impact or
> control of any other DC or domain in the forest".
> I thought that the domain was the security boundary! :-(
It is, but only sort of, or in certain ways. The problem and the confusion
is that with trusts the boundary gets extended to all TRUSTED domains,
and since all of the domains in a forest trust each other the boundary in
some real sense expands to encompass the entire forest.
> - Does this mean that delegating administrative privileges over domains
> (e.g. different BUs) is a bad practice?
No. It just means that your have to recognize that you aren't achieving
"complete autonomy" as long as you are in the same forest.
> - How can an evil-administrator of a child domain compromise another
> or the entire forest? What tecniques can be used to achieve this?
There are a variety of things -- let's see if Joe will post a list....
Herb Martin, MCSE, MVP
(phone on web site)
Forest = Security Boundary? posted by Gabriel/TFI on Mon, 12 Feb 2007