RE: Active Directory network security

>Does anyone have any experience of such a situation?
I am currently in the exact same situation in a migration project at our organization.

>Is it as bad as I fear, or is Microsoft A/D secure?
AD's group policies can be used to keep AD itself pretty secure, but opening up your firewalls or removing them can open up a whole slew of network based attacks (that don't depend on AD) between areas of your organization that were not possible while the firewalls were in place. For example, every member of an AD domain following all the rules and policies can be locked down tightly for security within AD, but a rogue laptop that is not a domain member can now run a penetration test against any IP address on your network if there are no firewalls.

>Are there are documented cases of this type of migration going wrong >due
>to security being overlooked?

Check out this article:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

When Microsoft first touted Active Directory they pushed for a Single Forest design with multiple domains for each business unit. These domains were originally portrayed as security barriers within the forest. The above article shows that domains should _not_ be considered security barriers, and the forest is actually the security barrier. This pushes us back to an NT4 style with separate silo's of security. Domains in Active Directory are administrative boundaries, not security boundaries.

(MS will want you to create multiple forests for security reasons and then talk about their new "Federated Forest" prodocts coming out and about how .NET will support kerberos trusts between forests)

After conversations with Microsoft, our organization and Microsoft both agreed that multiple domains within a Forest are possible only if _all_ domain administrators in every domain are completely trusted among each other. The fact (stated in the paper) is that a domain admin in domain A can overcome AD security to affect domain B, or any other domain in the forest for that matter. This is why trusting the domain admins is such a concern in deploying Active Directory.

The other big issue is physical security of the Domain Controllers - an offline modification of the forest schema (this is stored on all DC's) can be uploaded into the distributed AD forest once the DC is back online. This means if you have a remote office DC with no physical security, a hacker on site modifying the schema can then "own" your entire forest.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

For recommendations to make a secure deployment... If you haven't already, use group policies like crazy. Use baseline server policies and then special application policies to slap on top of those baseline policies. (Example: apply baseline policy, then apply IIS policy on IIS servers) Desktops need good regulation of group policies as well. The NSA's documentation of group policies and recommended settings is a good place to start. Not all of it will work in your environment, but it's great info. Auditing is also very important - audit changes in domain admin groups, Domain Controller downtime, etc... Audit everything that is potentially a security concern in AD.

>For example, could a compromised workstation in a remote site affect >the
>workstations or servers in another domain?
For limiting the exposure of a compromised PC to affect other PC's, we also set the group policy setting to only allow our Desktop Admin group and Domain Admin group to connect to the PC's over the network. This way if all PC's have the same admin account since they are all imaged, a user could not crack the password and use that account to "hack" into every PC on your network. This also stops unwanted file sharing between PC's and keeps their work data on the servers so they can be backed up nightly.

I hope this helps,

-Jared