We are often asked whether it is worth creating a separate forest for domains that should have only limited trust relationships with the rest of the organization. The question is particularly relevant when creating a domain that is exposed to the Internet, for example a domain that supports a Web server. In this situation you can go one of two ways. You can create a separate forest/domain and establish an explicit one-way trust with the main forest, so that the main forest is protected from the potential danger emanating from the Internet-connected domain/forest. In this case you lose the advantage of a common directory for all domains and must manage multiple forests. The second option is to add the Internet-connected domain as an organizational unit (OU) within the existing domain, administered by trusted personnel. The OU administrator must be able to control only the objects in his own unit.
Even if that administrator's account is compromised, the rest of the forest suffers only minimal damage.
Consequences of a compromised domain
So what happens if a domain is compromised? Suppose a hacker breaks into the network via a domain controller that is connected to the Internet, or a disgruntled employee decides to play the evil domain administrator. Given everything said in this section about the security of forests, trees and domains, here is what they may try to do.
At the very least, every other domain in the forest is at risk, since members of the Domain Admins group of any domain in the forest can take ownership of the Configuration container in Active Directory, change the data in that container, and have the configuration changes replicated to every domain controller in the forest.
If the compromised domain has authenticated accounts from an external domain, the attacker can retrieve those authentication data from the LSA Secrets cache (see Chapter 8, "Extending the scope of influence"), extending his reach to other domains in the forest.
Finally, if the root domain is compromised, members of the Enterprise Admins and Schema Admins groups can control any parameter of any domain in the forest, unless the rights of those groups have been deliberately restricted.
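A defender's audit of the two designs described above (a one-way trust with a separate forest, or a delegated OU inside the existing domain) and of the forest-wide groups named here, as an added PowerShell example that is not from the book. It assumes the ActiveDirectory module on a domain controller of the main forest; the forest name and delegated group name are placeholders.

```powershell
# Added example, not code from the book: audit the forest-design controls
# discussed above from a domain controller in the main forest.
# Assumes the ActiveDirectory module; the two values below are placeholders.
Import-Module ActiveDirectory

$ExposedForest  = 'dmz.example.invalid'   # placeholder: Internet-facing forest
$DelegatedGroup = 'DMZ-OU-Admins'         # placeholder: group delegated over the OU

# 1. Trust direction. The main forest must not be the trusting side: seen from
#    here, a trust with the exposed forest should be Inbound only.
$trusts = Get-ADTrust -Filter * | Where-Object { $_.Target -eq $ExposedForest }
if (-not $trusts) { "No trust with $ExposedForest (fine if the forests are fully isolated)." }
foreach ($t in $trusts) {
    $verdict = if ($t.Direction -eq 'Inbound') { 'OK' } else { 'REVIEW' }
    "[{0}] trust {1}: Direction={2} ForestTransitive={3} SelectiveAuthentication={4}" -f $verdict, $t.Name, $t.Direction, $t.ForestTransitive, $t.SelectiveAuthentication
}

# 2. Forest-wide groups. Enterprise Admins and Schema Admins live in the root
#    domain and reach every domain; Schema Admins should normally be empty.
$forest = Get-ADForest
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $g -Server $forest.RootDomain -Recursive)
    "{0}: {1} member(s)" -f $g, $members.Count
    $members | ForEach-Object { "    " + $_.SamAccountName }
}

# 3. Domain Admins of every domain in the forest: each of these accounts can
#    reach the Configuration container and therefore every DC in the forest.
foreach ($d in $forest.Domains) {
    $da = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $d -Recursive)
    "Domain Admins in {0}: {1}" -f $d, ($da.SamAccountName -join ', ')
}

# 4. OU delegation. The delegated group should hold rights only inside its OU,
#    so any ACE granted to it at the domain root is a finding to review.
$root = (Get-ADDomain).DistinguishedName
$rootAces = (Get-Acl -Path "AD:\$root").Access |
    Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" }
if ($rootAces) {
    "REVIEW: $DelegatedGroup has ACEs at $root"
    $rootAces | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType
} else {
    "OK: $DelegatedGroup holds no rights at the domain root"
}
```

Run it as a user with read access to the directory; every REVIEW line marks a place where the compromise scenarios above would be able to spread beyond the exposed domain.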