Mark Minasi's Windows 2003 book states that one of the reasons to create a
separate domain instead of an OU is security.

A DC at an unsecure branch office, for example. According to Mark's book, if
the DC at an unsecure branch gets compromised, since it's a separate domain,
only that domain will be compromised.

I'm planning on doing the same thing with my network. We have a Company.dom
domain and I'm planning on creating a child domain for each branch, e.g.
west.company.dom, east.company.dom, etc.

Is creating a separate domain for the security reason I stated above a good
practice? Does the parent AD really get protected when a child domain gets
compromised?
Does a child domain DC contain a copy of the parent domain's AD?
Does the kind of trust relationship that the child domain has with the parent
domain matter in this case?

Re: Child Domain Security by Miha

Miha
Fri Feb 04 14:28:01 CST 2005

Hi,

A domain is not a security boundary. The forest is.

There are known attacks against the forest if one is able to gain physical
access to a domain controller (this attack would require a reboot of the
server). So, among other things, physical security of the server is very
important.
The attack that I have in mind is called SID spoofing, where a child domain
administrator assigns himself a SID of the forest root domain and gains access
to the root domain (or the whole forest)...

In the end you will still have to have some trust in your administrators.

Note: naming your domain company.dom is not the recommended way (in general).
Best practice would be to use a name that can be registered. To avoid
problems with external domain names, you can then delegate a sub-zone (e.g.
ad.company.com, lan.company.com or dom.company.com) for internal use.

--
Mike
Microsoft MVP - Windows Security

"Woody" <Woody@discussions.microsoft.com> wrote in message
news:D506524E-4446-471F-99F0-D9E0AF3E0495@microsoft.com...
> Mark Minasi's Windows 2003 book states that one of the reasons to create a
> separate domain instead of an OU is security.
>
> A DC at an unsecure branch office, for example. According to Mark's book, if
> the DC at an unsecure branch gets compromised, since it's a separate
> domain,
> only that domain will be compromised.
>
> I'm planning on doing the same thing with my network. We have a
> Company.dom
> domain and I'm planning on creating a child domain for each branch, e.g.
> west.company.dom, east.company.dom, etc.
>
> Is creating a separate domain for the security reason I stated above a good
> practice? Does the parent AD really get protected when a child domain gets
> compromised?
> Does a child domain DC contain a copy of the parent domain's AD?
> Does the kind of trust relationship that the child domain has with the
> parent domain matter in this case?
>
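The SID spoofing Miha describes rests on a child-domain account carrying a SID that belongs to the forest root domain; the attribute where such an added SID normally shows up is sIDHistory, so one defensive check is to audit it. The following is an added example, not code from the thread or from Microsoft: the domain SIDs, DNs and the live-domain map are constructed placeholders, and the record shape mimics what an LDAP export of objectSid and sIDHistory would give you.

```python
# Added example (not from the thread): audit sIDHistory values that point into
# a live forest domain. SIDs, DNs and the domain map below are constructed
# placeholders; real input would come from an LDAP export of objectSid/sIDHistory.
import re

# Well-known RIDs of privileged principals (Microsoft-defined).
PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins",
                   518: "Schema Admins", 519: "Enterprise Admins"}
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))

def audit_sid_history(objects, live_domains):
    """Flag objects whose sIDHistory holds a SID from a live forest domain
    other than their own. Legitimate history normally points at retired
    (migrated-from) domains; a privileged RID of the root domain on a
    child-domain account is the case the thread describes."""
    findings = []
    for obj in objects:
        own_domain, _ = split_sid(obj["objectSid"])
        for hist in obj.get("sIDHistory", []):
            hist_domain, rid = split_sid(hist)
            if hist_domain != own_domain and hist_domain in live_domains:
                findings.append({"dn": obj["dn"], "foreign_sid": hist,
                                 "domain": live_domains[hist_domain],
                                 "privileged": PRIVILEGED_RIDS.get(rid)})
    return findings

# Constructed sample data (placeholder domain SIDs).
ROOT = "S-1-5-21-1111111111-2222222222-3333333333"    # company.dom
CHILD = "S-1-5-21-4444444444-5555555555-6666666666"   # west.company.dom
OLD = "S-1-5-21-7777777777-8888888888-9999999999"     # retired source domain
LIVE_DOMAINS = {ROOT: "company.dom", CHILD: "west.company.dom"}
SAMPLE = [
    {"dn": "CN=jdoe,OU=Staff,DC=west,DC=company,DC=dom",
     "objectSid": f"{CHILD}-1105", "sIDHistory": [f"{OLD}-1050"]},
    {"dn": "CN=badmin,CN=Users,DC=west,DC=company,DC=dom",
     "objectSid": f"{CHILD}-1106", "sIDHistory": [f"{ROOT}-519"]},
    {"dn": "CN=svc,OU=Svc,DC=west,DC=company,DC=dom",
     "objectSid": f"{CHILD}-1107"},
]
if __name__ == "__main__":
    for finding in audit_sid_history(SAMPLE, LIVE_DOMAINS):
        print(finding)
```

Only the account whose history carries the root domain's RID 519 is reported; the migration leftover from the retired domain is left alone, which keeps the audit quiet on a forest that went through a normal NT4 migration.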



Re: Child Domain Security by Roger

Roger
Sat Feb 05 11:58:43 CST 2005

The book is wrong, at least if it states what you say as you say.

The use of a child domain will place a hurdle in the way, and
for some casual penetrations/compromises of the child that
may be sufficient either to prevent impact on other parts of the
forest, or to give you sufficient time to notice and react.

However, for a more informed and/or determined penetration
the child domain will only present a minor hurdle and will not
significantly slow the takeover of the forest.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA



Re: Child Domain Security by Roger

Roger
Sat Feb 05 12:10:32 CST 2005

PS
At what appears to be your stage in the process, there is no better
resource in the world than www.microsoft.com/ad for planning
information. I doubt that what is written by many/any others is
aware of the alternatives presented by such as the use of MIIS in
a multiforest design, for example. Much of the W2k3-era papers,
planning guides and resource kit documentation is rather
recent and was specifically scrubbed to remove old myths like
the one you have just brought up.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA