Re: Forest = Security Boundary?

Giganews Newsgroups
Subject: Re: Forest = Security Boundary?
Posted by:  Joe Richards [MVP] (humorexpre…
Date: Mon, 12 Feb 2007

forest != security boundary

The domain is a replication and domain policy boundary, not a security
boundary. Initially the MSFT docs and a very poor Lucent paper were
saying the domain was a security boundary and then I and several others
started tearing that theory apart.

As to whether the delegation is bad or not depends on what you mean by
delegation... If you mean ability to modify basic AD objects, then that
is likely fine. If you mean giving out admin or accop or servop or
backop or any of the builting groups to someone other than a Domain
Admin, then yes that is bad.

> - How can an evil-administrator of a child domain compromise
> another domain
> or the entire forest? What tecniques can be used to achieve this?

There are several methods and since they cannot be blocked it would be
irresponsible to post this kind of information. I simply can assure you
that there are both relatively simple/common methods that anyone with
basic AD skills can pull off and more subtle mechanisms that require
special tools and knowledge.

And don't limit yourself to evil admins... Consider admins with bad
habits or slightly less informed than they should be which run an
application which happens to be smart enough to do this damage. Back in
the "early days" around 2000/2001 I wrote a proof of concept executable
that would escalate itself from server operator to Enterprise Admin and
then wipe out the entire forest. It usually could do it in less than 30
minutes from start to end though whomever ran the executable was done
with their part in about 50ms. Once it had Enterprise Admin, it actually
could wipe the forest out so that no authentication could occur within
about 15 seconds and all DCs were on the floor. Size of forest really
wasn't an issue, whether it was 10 DCs or 1000 the timing would be all
about the same.

If you truly need security separation between business units, you need
to go with separate forests. Also if you absolutely must have different
administrators for different domains, I recommend going with multiple
forests or fighting that requirement. It is very feasible to run global
Enterprise level companies with 3-4 Enterprise Admins who are the only
folks with native rights to AD and the DCs. I ran one of the largest
(fortune 5 with 400 DCs and 250,000 users) with 2 other guys that way.
It is still running that way 7 years since the launch of AD at that
company. AD is one of the smoothest most secure running systems they
have and that is the way it should be, it is the core of the security
for the entire Windows Infrastructure.



In response to

Forest = Security Boundary? posted by Gabriel/TFI on Mon, 12 Feb 2007