Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Subdomain security

from [Laura A. Robinson] Network Security [Permanent Link]
Subject: RE: Subdomain security
Date: Fri, 17 Dec 2004 18:54:29 -0500 
<snippage>


I have to install a *secure* windows domain inside an 
insecure network.
This means that my domain will be behind a firewall ofcourse.

Now, I've got two possibilities for the domain configuration:


No, you have one possibility, based on the above.


Option 1: My domain would actually be a subdomain inside the 
insecure forest.


Nope. Domains are not security boundaries.


Option 2: Create a totally new forest.


Your only option if you do not trust the forest owners.



So, surely option #2 is more secure, but the management 
pushes to choosing option #1. so.. few questions about option #1:

a. Which ports should be opened by the firewall in order for 
the subdomain to function well but be the most secure? Any references?


I think that's been answered for you, so I'll skip it. :-)


b. Does an admin (a member of the Enterprise Admin group) 
from the root-domain have access to my subdomain?


Yes.


Can I 
prevent it at all?


No. I could go on and on and on, but in the end, it all comes down to this:

An Administrator, Domain Admin or Enterprise Admin (regardless of which
domain we're talking about with the obvious exception of the Enterprise
Admins group) can take control of the entire forest. Therefore, domains are
not security boundaries *regardless* of how you structure them. Forests are
security boundaries. 


c. Do you know any networks that implement option #1 with a 
firewall and think they're quite secure from the other 
domains,


Can't do it. All domains in a forest *must* replicate schema and
configuration partition information, which means you have to open the ports
needed for replication regardless. Conveniently, the configuration partition
is one of the places where a rogue administrator might try to take control
of the forest.


or is it a totally twisted idea?


None of my clients have done it because I tell them why they can't. :-)

Last, read this whitepaper (it's old, but still applicable):

http://www.microsoft.com/windows2000/docs/addeladmin.doc

HTH,

Laura


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: port 411 remote MT protocol?, Mark Ribbans
Next by Date:  Re: Modifying default behaviour of MS VPN client, Barrie Dempster
Previous by Thread:  Subdomain security, Oren Held
Next by Thread:  Re: Subdomain security, Richard_Gardner
Indexes:  [Date] [Thread] [Top] [All Lists]