Separate Active Directory forests don't translate into better security

Contrary to popular opinion, maintaining a separate AD forest doesn't always improve security

I'm a frequent critic of repeated security mantras that aren't always true, such as "Security by obscurity doesn't work." In fact, security by obscurity works just fine, it's usually one of the best bang-for-your-bucks techniques you can implement, and it should be part of anyone's defense-in-depth plan. If security by obscurity didn't work, why wouldn't our military tell its potential foes where all our submarines and missiles are?

Another oft-repeated security mantra that isn't always true is the notion that keeping computers in separate Active Directory (AD) forests always decreases security risk. I hear this a lot at my day job (I work full-time for Microsoft). Dividing different security domains into separate forests can decrease overall security risk, assuming all other factors are equal -- and that's a big assumption in most environments. In many cases, a better-managed single AD forest can actually improve security.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

In Active Directory, the forest is the ultimate security boundary, or so most people say. More accurately, an AD forest is the ultimate LDAP security boundary. There are lots of attacks that don't really care about forest boundaries at all, such as remote buffer overflow worms, physical attacks, social engineering, denial-of-service attacks, and so on.

Security iGuide

The SQL Slammer worm of 2003 didn't care about forest boundaries. It just tried to buffer overflow every computer at port 1433 and succeeded in infecting nearly every unpatched SQL server on the Internet in 10 minutes. Further, if I want to shut down your network, I can overwhelm any reachable host with network traffic. In those types of instances, even the LDAP boundaries don't offer much protection.

With that in mind, let's look at the considerations when deciding on forests. Most consultants consider two main questions: First, will the same management and IT team be in control, and second, are there different security requirements? If the same management and IT (and corporate political) teams will be in charge, it makes sense to have a single forest or, if necessary, fewer forests.

If there are separate security requirements between the two domains, there is a stronger case to set up a minimum of two forests or, at least, Active Directory domains. Sometimes I encourage companies to upgrade the security of the lesser-secured forests in order to meet the stricter-secured forest's policies; that way, one forest might be used again.

Personally, I look for written requirements, either from the company itself or from regulatory bodies, though most regulations don't come close to forcing a one-forest-versus-multiple-forest decision. If can't find any documentation, I go to the human sources and find out why they prefer one option or the other. If they have a strong argument in either direction, I usually ask why the declaration is not clarified in writing. Word-of-mouth works for campfire ghost stories, but not for company security policy.

1 2 3 Page 1
Page 1 of 3
FREE Download: Get the Spring 2019 digital issue of CSO magazine today!