The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security" written by Derek Melber and Dave Kearns and available at Realtimepublishers.com. Click for the complete book excerpt series.
Select the proper directory structure
The directory structure will be one of the final decisions that come from the AD security and structure planning and testing. The directory structure for AD must go beyond the main directory and include DNS. DNS is an integral part of AD, so much so that AD can't effectively function without DNS. There are many directory structure options, each having advantages that relate to security for the enterprise:
- Single AD domain -- This structure is the ideal structure for any environment. If every security consideration, service, object and application can function in a single domain, it should be the structure that is selected. This structure provides a single point of administration that is easier to secure than a multiple-domain environment. With a single domain, there are no trust relationships or cross-domain permissions to manage.
- Single tree forest -- A single tree is simply multiple domains that share a domain suffix. With a single tree, all of the benefits of a single domain are lost. There will be a trust relationship between all domains in the tree. User accounts from each domain will be able to access resources in all other domains, if they are given permission to do so. There will be multiple Domain Admins groups -- one for each domain. There will be multiple account policies that need to be designed and maintained. The GPO administrative overhead increases with each new domain that is considered in the structure, because each domain keeps track of its own GPOs.
- Multiple tree forest -- A multiple tree forest structure is identical to a single tree forest with regard to security considerations. There are simply more domains and domain suffixes that need to be implemented.
- Empty root -- An empty root structure is one in which the first domain (root domain) is designed so that it does not include any user or computer accounts. The other child domains under the root domain will contain all of the user and computer accounts. This setup is beneficial from a security perspective in that the Enterprise and Schema Admins groups are isolated from other users and administrators. With this design, a few administrators can be selected to control the Enterprise and Schema Admins groups, and all other administrators reside in the child domains, configured to be Domain Admins.
- Forest trust -- New to WS2K3 is an option called the forest trust. The forest trust allows companies that have their own AD environment to "splice" their environments together. This splice does not share a schema, but it does allow all user and computer objects from one forest to access resources in the other forest. The forest trust has advanced hardware and OS requirements: All domain controllers need to be running WS2K3, and the domain and forest functional levels need to be increased to WS2K3 levels.
- DNS -- DNS is the service that AD uses to resolve computer names and AD services for client computers, servers, and domain controllers. AD will not function without DNS. Therefore, it is essential to consider DNS in the design of AD and the security of AD. Some of the DNS security considerations with respect to AD include:
- AD integrated zones -- When a DNS zone is integrated with AD, it stores the DNS database in the AD database. The benefits of this functionality include fault tolerance, management and authentication of computers attempting to update DNS records.
- Secure dynamic updates -- DNS now supports dynamic updates, which allows the computer to communicate with DNS to exchange computer name and IP address information to update the DNS database. The problem with this solution is that almost anyone can "spoof" the computer name and IP address, which will redirect communications from the valid computer to the spoofed computer. If secure dynamic updates are configured, the spoofing computer must be validated by the AD domain before it can update any records in the DNS database.
- DNS ACLs -- When a computer securely updates its DNS records, the records become the owner of the entry. This setup further protects DNS and AD, such that only the registering computer can update that record from then on.
Click for the next excerpt in this series: Delegation of administration.