Separate Active Directory forests don’t translate into better security

Sep 14, 2010 | 5 mins

Contrary to popular opinion, maintaining a separate AD forest doesn't always improve security

I’m a frequent critic of repeated security mantras that aren’t always true, such as “Security by obscurity doesn’t work.” In fact, security by obscurity works just fine, it’s usually one of the best bang-for-your-bucks techniques you can implement, and it should be part of anyone’s defense-in-depth plan. If security by obscurity didn’t work, why wouldn’t our military tell its potential foes where all our submarines and missiles are?

Another oft-repeated security mantra that isn’t always true is the notion that keeping computers in separate Active Directory (AD) forests always decreases security risk. I hear this a lot at my day job (I work full-time for Microsoft). Dividing different security domains into separate forests can decrease overall security risk, assuming all other factors are equal — and that’s a big assumption in most environments. In many cases, a better-managed single AD forest can actually improve security.


In Active Directory, the forest is the ultimate security boundary, or so most people say. More accurately, an AD forest is the ultimate LDAP security boundary. There are lots of attacks that don’t really care about forest boundaries at all, such as remote buffer overflow worms, physical attacks, social engineering, denial-of-service attacks, and so on.

The SQL Slammer worm of 2003 didn’t care about forest boundaries. It just tried to buffer overflow every computer at port 1433 and succeeded in infecting nearly every unpatched SQL server on the Internet in 10 minutes. Further, if I want to shut down your network, I can overwhelm any reachable host with network traffic. In those types of instances, even the LDAP boundaries don’t offer much protection.

With that in mind, let’s look at the considerations when deciding on forests. Most consultants consider two main questions: First, will the same management and IT team be in control, and second, are there different security requirements? If the same management and IT (and corporate political) teams will be in charge, it makes sense to have a single forest or, if necessary, fewer forests.

If there are separate security requirements between the two domains, there is a stronger case to set up a minimum of two forests or, at least, Active Directory domains. Sometimes I encourage companies to upgrade the security of the lesser-secured forests in order to meet the stricter-secured forest’s policies; that way, one forest might be used again.

Personally, I look for written requirements, either from the company itself or from regulatory bodies, though most regulations don’t come close to forcing a one-forest-versus-multiple-forest decision. If I can’t find any documentation, I go to the human sources and find out why they prefer one option or the other. If they have a strong argument in either direction, I usually ask why the declaration is not clarified in writing. Word-of-mouth works for campfire ghost stories, but not for company security policy.

I always bring at least one additional consideration to the table: Does IT management trust all the domain admins? I mention this because it’s difficult to prevent a rogue admin from accessing other resources and data within any of the domains within the same forest. Even though a domain admin is supposed to have full control of only his or her own domain resources and data, it’s possible (but not always easy) for the admin to escalate his or her privileges. Therefore, if you can’t trust all the domain admins, it begs for a separate forest to contain any possible damage.

In short, if you need high security and protection against rogue or compromised domain admins, create a separate forest. If you need different security policies, use a separate forest. If you need the highest security possible, use a separate forest.

Bear in mind that every additional forest or domain created comes with its own management overhead and risks. That’s why the U.S. government and many companies are trying to minimize the number of Internet connection points to their networks: Managing fewer connection points reduces security risks and costs.

Active Directory has costs as well, the least of which is providing two or more secured domain controllers for each separate domain. Every enterprise computer needs lots of management, including security policy configuration and enforcement, access controls, network management, patch management, antimalware software and updates, IDS, and backup services. If separating the forest means that all the necessary management requirements are done less consistently or inadequately, one can make a strong argument that fewer forests can actually improve security.

Notably, IT can still implement additional defense within the same forest. I’m a strong advocate of server and domain isolation. Instead of relying on Active Directory for logical security separation, why not go down further in the network stack (lower is always more secure), and let routers, VLANs, switches, firewalls, IPSec, NAC/NAP, VPNs, and proxies help maintain security separation?

Most servers don’t need to talk to every other server. Most workstations don’t need to talk to other workstations. And if they don’t need to communicate legitimately, don’t let them do it at all. That way, if an attacker compromises a computer, they can attempt to spread to what the server and domain isolation allows — no more and no less. Implementing server and domain isolation can significantly reduce risk, well beyond just separate Active Directory forests.

Also, if IT administration is worried about compromised domain admin accounts, require two-factor authentication for elevated users and/or dedicated management workstations, which are less likely to be compromised by malware.
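As an added example that is not part of this column, here is how the server and domain isolation described above, together with the dedicated-management-workstation restriction, can be expressed on a single domain-joined Windows server using the NetSecurity and ActiveDirectory PowerShell modules (tooling that postdates this 2010 column). The group names SQL-Clients and Admin-Workstations and the choice of ports are assumptions; in production the same rules would be authored once in a Group Policy object (the -PolicyStore parameter) rather than typed on each host.

```powershell
# Added example, not from the column. Assumes the NetSecurity and ActiveDirectory
# modules, a domain-joined server, and two existing AD computer groups (placeholder
# names): SQL-Clients (app servers that need TCP/1433) and Admin-Workstations
# (dedicated management hosts). Run in an elevated PowerShell session.
#Requires -Modules NetSecurity, ActiveDirectory

$sqlClients        = Get-ADGroup -Identity 'SQL-Clients'
$adminWorkstations = Get-ADGroup -Identity 'Admin-Workstations'

# Windows Firewall expresses "the remote computer must be a member of group X"
# as an SDDL string granting the group's SID the CC (connect) right.
function New-MachineSddl([string[]]$Sids) {
    $aces = ($Sids | ForEach-Object { "(A;;CC;;;$_)" }) -join ''
    return "O:LSD:$aces"
}

# 1. Domain isolation: require IPsec (computer Kerberos, the module's default
#    phase-1 authentication set) for inbound traffic; only request it outbound so
#    the server keeps working while peers are still being rolled out. A host that
#    is not domain-joined cannot complete the handshake, so it never reaches a port.
New-NetIPsecRule -DisplayName 'Domain isolation: require inbound auth' `
    -InboundSecurity Require -OutboundSecurity Request

# 2. Server isolation: TCP/1433 accepts only authenticated connections whose
#    source computer is in SQL-Clients. Everything else hits the default block.
New-NetFirewallRule -DisplayName 'SQL 1433 from SQL-Clients only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required `
    -RemoteMachine (New-MachineSddl $sqlClients.SID.Value)

# 3. Management plane: RDP and WinRM reachable only from Admin-Workstations,
#    with IPsec encryption required so admin sessions are not observable by
#    other hosts on the same segment.
New-NetFirewallRule -DisplayName 'Admin ports from Admin-Workstations only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389,5985,5986 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteMachine (New-MachineSddl $adminWorkstations.SID.Value)

# 4. Default posture is deny: inbound connections matching no allow rule are
#    blocked on every profile, so "doesn't need to talk" really means "can't".
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Verification: show the authentication, encryption and machine-authorization
# settings that were actually applied to the two allow rules.
Get-NetFirewallRule -DisplayName '*only' |
    Get-NetFirewallSecurityFilter |
    Format-List -Property Authentication, Encryption, RemoteMachine
```

The ordering matters in practice: an IPsec rule with `-InboundSecurity Require` shuts out every peer that has not yet received a matching rule, so a staged rollout typically starts at `Request` on both directions, confirms in the firewall log that the expected peers negotiate security associations, and only then tightens inbound to `Require`. Removing a computer from SQL-Clients or Admin-Workstations revokes its access at the next Kerberos ticket refresh, which is the per-host, group-based containment the column is arguing for within a single forest.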

Ultimately, the level of acceptable security risk is a question for senior management with the proper guidance from IT, which then does its best to implement that decision.

In closing, don’t believe any security mantra you hear. Do your own investigating and make sure all assumptions are valid. Over the years, I’ve often counseled clients to reconsider adding more Active Directory forests unless the security requirements dictated the need and doing so actually reduced risks.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
