> I have to install a *secure* windows domain inside an
> insecure network.
> This means that my domain will be behind a firewall ofcourse.
>
> Now, I've got two possibilities for the domain configuration:
No, you have one possibility, based on the above.
> Option 1: My domain would actually be a subdomain inside the
> insecure forest.
Nope. Domains are not security boundaries.
> Option 2: Create a totally new forest.
Your only option if you do not trust the forest owners.
>
> So, surely option #2 is more secure, but the management
> pushes to choosing option #1. so.. few questions about option #1:
>
> a. Which ports should be opened by the firewall in order for
> the subdomain to function well but be the most secure? Any references?
I think that's been answered for you, so I'll skip it. :-)
>
> b. Does an admin (a member of the Enterprise Admin group)
> from the root-domain have access to my subdomain?
Yes.
> Can I
> prevent it at all?
No. I could go on and on and on, but in the end, it all comes down to this:
An Administrator, Domain Admin or Enterprise Admin (regardless of which
domain we're talking about with the obvious exception of the Enterprise
Admins group) can take control of the entire forest. Therefore, domains are
not security boundaries *regardless* of how you structure them. Forests are
security boundaries.
>
> c. Do you know any networks that implement option #1 with a
> firewall and think they're quite secure from the other
> domains,
Can't do it. All domains in a forest *must* replicate schema and
configuration partition information, which means you have to open the ports
needed for replication regardless. Conveniently, the configuration partition
is one of the places where a rogue administrator might try to take control
of the forest.
> or is it a totally twisted idea?
None of my clients have done it because I tell them why they can't. :-)
Last, read this whitepaper (it's old, but still applicable):
> I have to install a *secure* windows domain inside an
> insecure network.
> This means that my domain will be behind a firewall ofcourse.
>
> Now, I've got two possibilities for the domain configuration:
No, you have one possibility, based on the above.
> Option 1: My domain would actually be a subdomain inside the
> insecure forest.
Nope. Domains are not security boundaries.
> Option 2: Create a totally new forest.
Your only option if you do not trust the forest owners.
>
> So, surely option #2 is more secure, but the management
> pushes to choosing option #1. so.. few questions about option #1:
>
> a. Which ports should be opened by the firewall in order for
> the subdomain to function well but be the most secure? Any references?
I think that's been answered for you, so I'll skip it. :-)
>
> b. Does an admin (a member of the Enterprise Admin group)
> from the root-domain have access to my subdomain?
Yes.
> Can I
> prevent it at all?
No. I could go on and on and on, but in the end, it all comes down to this:
An Administrator, Domain Admin or Enterprise Admin (regardless of which
domain we're talking about with the obvious exception of the Enterprise
Admins group) can take control of the entire forest. Therefore, domains are
not security boundaries *regardless* of how you structure them. Forests are
security boundaries.
>
> c. Do you know any networks that implement option #1 with a
> firewall and think they're quite secure from the other
> domains,
Can't do it. All domains in a forest *must* replicate schema and
configuration partition information, which means you have to open the ports
needed for replication regardless. Conveniently, the configuration partition
is one of the places where a rogue administrator might try to take control
of the forest.
> or is it a totally twisted idea?
None of my clients have done it because I tell them why they can't. :-)
Last, read this whitepaper (it's old, but still applicable):
http://www.microsoft.com/windows2000/docs/addeladmin.doc
HTH,
Laura
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]