Autonomy and Isolation in Active Directory

In Microsoft Windows NT, members of the Domain Admins group have complete control over all objects in their own domain but no inherent control over any objects in a trusting domain. Similarly, changes made to one domain do not affect trusting or trusted domains. Furthermore, within the domain, the primary domain controller (PDC) owns the only writeable copy of the Security Accounts Manager (SAM). For these reasons, domains are considered discrete security boundaries in Windows NT.

Unlike Windows NT, Active Directory domains are not security boundaries because they are not fully autonomous and isolated from each other. Understanding how this affects an Active Directory forest is a key stepping-stone to designing and deploying a secure Active Directory. When discussing autonomy and isolation, we need to separate the rights and permissions of two types of administrative capabilities: Active Directory service administrators and Active Directory data administrators.

Active Directory service administrators are responsible for the configuration and management of the directory service itself. This includes tasks such as maintaining domain controller servers and managing directory-wide configuration settings. Active Directory service administrators are also, in practice, data administrators, because the rights and permissions required to administer the service also grant control over the data it holds.

Active Directory data administrators are responsible for managing data stored in Active Directory objects or on computers joined to Active Directory, but they have no authority over the configuration or management of the directory service itself. Active Directory data administrator roles include the following functions:

  • The management of a subset of objects in Active Directory, such as user accounts in a specific OU

  • The management of data that is stored on computers joined to the domain
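As an added example (not from the book), the following PowerShell delegates the first data-administrator role above. It assumes an OU named Sales, a group named Sales-UserAdmins and the domain contoso.com; the group receives authority over user accounts beneath that OU only, and the closing check warns if the group has also been nested into a service-administrator group, which would collapse the separation the text describes.

```powershell
# Added example, not from the book. Assumed names: OU "Sales", group "Sales-UserAdmins",
# domain contoso.com. Delegates user-account management under one OU to data administrators.
Import-Module ActiveDirectory

$ouDn  = 'OU=Sales,DC=contoso,DC=com'
$group = Get-ADGroup -Identity 'Sales-UserAdmins'
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve the schemaIDGUID of the "user" class from the schema instead of hard-coding it
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [Guid] $userClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: create and delete user objects in the OU and its sub-OUs, and no other object class
$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control over user objects that exist beneath the OU (inherited-object-type = user)
$manageUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back what the group was granted on this OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*Sales-UserAdmins' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Data administrators must not also hold service-administrator membership.
# Enterprise Admins and Schema Admins exist only in the forest root domain, hence SilentlyContinue.
$serviceAdminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $serviceAdminGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SID.Value -eq $sid.Value }) {
        Write-Warning "$($group.Name) is nested in service-administrator group '$g'; service and data authority are no longer separated"
    }
}
```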

When designing Active Directory, you must consider your organization's security requirements for autonomy and isolation of authority in relation to Active Directory services and Active Directory data management. Your security requirements will have a significant effect on how you design Active Directory to facilitate delegation of authority and administrative responsibility.

Autonomy of authority means that Active Directory services and data administrators can independently manage all or part of the resources over which they have authority. Isolation of authority means that accounts and people not authorized for Active Directory services and Active Directory data management are prevented from controlling or interfering with service management (services management isolation), or from controlling or viewing a subset of data in the directory or on member computers joined to the directory (data management isolation).


Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189