How does the number of forests relate to security, particularly the Domain Trust vulnerability in AD?
Timashev: A domain used to be considered a security boundary. A domain as a security boundary holds users, computers, and other account information; provides security authentication; and controls access to the resources within the domain. A domain in Windows 2000 Active Directory cannot be considered a security boundary because of the following: domains have automatic transitive trust relationships within a forest; all domain controllers have a writable copy of a security database; there is a writable copy of a Global Catalog available on domain controllers in all domains in the forest; and the “Domain Trust” vulnerability and security identification (SID) history mechanism. A domain in Windows 2000 is no longer a security boundary, and it does not provide enough security isolation. A rogue administrator in one domain can potentially get unauthorized access to resources in all domains in the forest by using the “Domain Trust” vulnerability or manipulating the Global Catalog. So, a single f