Specifying Security and Administrative Boundaries

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

The Active Directory forest represents the outermost boundary within which users, computers, groups, and other objects exist; that is, the forest is the security boundary for Active Directory. Active Directory domains, unlike Windows NT domains, are always part of a forest, and they are not themselves the ultimate security boundary. For Windows 2000 and later networks, though, domains are the boundaries for administration and for certain security policies, such as password complexity and password reuse rules, which cannot be inherited from one domain to another. Each Active Directory domain is authoritative for the identity and credentials of the users, computers, and groups that reside in that domain. However, service administrators have abilities that cross domain boundaries. For this reason, the forest is the ultimate security boundary, not the domain.

Important

Previously published Active Directory documentation states that a domain is a security boundary, but this documentation does not provide specific details about the level of autonomy and isolation that is possible among domains in a forest. Although a domain is, in fact, a security boundary with regard to the management of security policies for Active Directory, it does not provide complete isolation in the face of possible attacks by service administrators.

Delegating Administration

Organizations typically delegate the administration of all or part of the Active Directory service or the data that is stored in their domains. Table 2 lists the reasons for delegating administration.

Table 2 Reasons to Delegate Administration

Reason: Organizational
Explanation: One part of an organization might want to share an infrastructure to reduce costs, but it requires operational independence from the rest of the organization.

Reason: Operational
Explanation: One part of an organization or a single application might place unique constraints on the directory service configuration, availability, or security. Examples include:

  • Military organizations

  • Hosting scenarios

  • Extranet-based directory services

Reason: Legal
Explanation: Some organizations have legal requirements that compel them to operate in a specific manner, such as restricting information access. Examples include:

  • Financial institutions

  • Defense contractors

  • Government organizations

For these reasons, an organization might need to delegate control over service management, data management, or both. The goal of delegation is to achieve either autonomy or isolation:

  • Autonomy is the ability of administrators to manage independently part or all of the Active Directory service or the data in the directory or on member computers.

  • Isolation is the ability of administrators to prevent other administrators from interfering in or accessing part or all of the Active Directory service or the data in the directory or on member computers.

An organization’s requirements for service autonomy, data autonomy, service isolation, and data isolation determine the Active Directory infrastructure that is best suited to its needs. The first step is to define precisely the needs of your organization.

Active Directory boundaries can assist an organization in achieving the level of autonomy and isolation that its business units require. Table 3 provides a comparison of the characteristics of administrative autonomy and isolation.

Table 3 Comparison of the Characteristics of Autonomy and Isolation in Administration

Administrative role: Service administrator
  Autonomy means to: Manage independently all or part of service administration (service autonomy).
  Isolation means to: Prevent other service administrators from controlling or interfering with service administration (service isolation).

Administrative role: Data administrator
  Autonomy means to: Manage independently all or part of the data that is stored in Active Directory or on member computers (data autonomy).
  Isolation means to: Prevent other data administrators from controlling or viewing data in Active Directory or on member computers (data isolation).

Autonomy is less constrained than isolation. Administrators who require only autonomy accept the fact that other administrators of equal or higher privilege in the system have equivalent or overriding control in the forest. Because autonomy is less constrained than isolation, it is generally less costly and more efficient to delegate administrative autonomy.

Autonomy can be achieved by delegating service or data administration. Isolation requires that a business unit deploy a separate forest to contain its administrators, users, and resources. Multiple forests in an organization require external trusts to support collaboration. These trusts are discussed further in Establishing Secure Collaboration with Other Forests later in this guide.

For a complete discussion of the effects of autonomy and isolation and the service and data administrator roles, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723).

Trusting Service Administrators

Before choosing an Active Directory delegation model, consider the following facts about Active Directory administrative roles:

  • Forest owners maintain the right to control domain-level services and to access data that is stored in any domain in the forest.

  • Domain owners maintain the right to access data that is stored in the domain or on its member computers.

  • Domain owners, although operating autonomously from forest owners and other domain owners, cannot prevent a malicious domain owner from controlling their services and accessing their data.

The need for a high degree of collaboration and trust among the authorities that are responsible for the management of domains in a forest requires that all administrators who manage domains be highly trusted. Therefore, Active Directory domains in a forest should never be deployed with the objective of isolating business units that do not trust each other.

To summarize the facts about directory structures and their owners: if an organization joins a forest or domain infrastructure, its administrators must agree to trust all service administrators in the forest and in every domain of that forest. Trusting service administrators means to:

  • Believe that service administrators look out for the organization’s best interest. Organizations should not elect to join a forest or domain if the organization fears that the owner of the forest or domain might behave maliciously.

  • Believe that service administrators follow best practices for service administrators and for restriction of physical access to domain controllers.

  • Understand and accept the risks to the organization that are associated with rogue administrators and coerced administrators.
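The two points made above, that password policy is scoped to the domain while forest-level service administrators reach into every domain, can be checked directly on a forest you administer. The following script is an added example and is not part of the original guide; it assumes the ActiveDirectory PowerShell module (RSAT, or the AD module shipped with Windows Server 2008 R2) and an account permitted to read group membership in each domain. It lists, per domain, the domain-scoped password policy and the Domain Admins membership, and, for the forest root, the Enterprise Admins and Schema Admins membership, which is the set of service administrators that every domain in the forest must trust.

```powershell
# Added example (not from the original guide): inventory the service administrators
# that a forest member must trust, and show that password policy is per domain.
# Assumes: ActiveDirectory module is installed and the caller can read group
# membership in every domain of the forest.
Import-Module ActiveDirectory

function Get-ForestServiceAdminInventory {
    $forest = Get-ADForest
    $root   = $forest.RootDomain

    # Forest-wide service administrators are defined in the forest root domain.
    # Their rights extend into every domain, which is why the forest, not the
    # domain, is the ultimate security boundary.
    foreach ($group in 'Enterprise Admins', 'Schema Admins') {
        $members = Get-ADGroupMember -Identity $group -Server $root -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{
            Scope   = 'Forest'
            Domain  = $root
            Item    = $group
            Value   = ($members -join ', ')
        }
    }

    foreach ($domain in $forest.Domains) {
        # The default domain password policy is set per domain and is never
        # inherited from another domain in the forest (domain = policy boundary).
        $policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain -Server $domain
        [pscustomobject]@{
            Scope  = 'Domain'
            Domain = $domain
            Item   = 'PasswordPolicy'
            Value  = ('MinLength={0}; Complexity={1}; History={2}; MaxAge={3}' -f
                      $policy.MinPasswordLength, $policy.ComplexityEnabled,
                      $policy.PasswordHistoryCount, $policy.MaxPasswordAge)
        }

        # Domain-level service administrators: full control of this domain's
        # services and data, so every user of the domain must trust them.
        $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive |
                        Select-Object -ExpandProperty SamAccountName
        [pscustomobject]@{
            Scope  = 'Domain'
            Domain = $domain
            Item   = 'Domain Admins'
            Value  = ($domainAdmins -join ', ')
        }
    }
}

# Usage: review on screen, or keep a dated record for comparison with the next review.
Get-ForestServiceAdminInventory | Format-Table -AutoSize
# Get-ForestServiceAdminInventory | Export-Csv -NoTypeInformation -Path ('forest-admins-{0:yyyyMMdd}.csv' -f (Get-Date))
```

Because the function emits objects rather than printing text, the same inventory can be exported and diffed between reviews; an unexpected addition to Enterprise Admins or Schema Admins is a change to the set of people every domain in the forest is implicitly trusting, and a divergence between two domains' password policies is expected, since nothing propagates that policy across the domain boundary.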

For more information about service and data administration, see Chapter 5: Establishing Secure Administrative Practices.