Design Dictates Security

Viruses, worms, spam, and Denial of Service (DoS) attacks are examples of common security threats that Internet users face daily. The reason why the Internet is so vulnerable is that it wasn't initially implemented with security in mind. It was designed to be an open system that encouraged people to communicate and share ideas freely. The creators of the original Internet never could've imagined the vast commercial success the Internet would have one day. As a result, the Internet community has been trying to secure an insecure design ever since.

This example illustrates how the implementation of a technology ultimately dictates how (or if) it can be secured—and Active Directory (AD) is no different. If you design an open delegation model that gives users more access than they really need or if you deploy domain controllers (DCs) to unsecured locations, you're going to have a much harder time securing your overall implementation.

I'm a big believer in the Keep It Simple, Stupid (KISS) philosophy of design. The simpler you can make your AD design, the better off you'll be, especially when it comes to security. A complex design often entails more items to manage and subsequently more items to secure. A general rule I like to apply is fewer the better. With fewer domains, you require fewer DCs. With fewer DCs, you require fewer administrators. With fewer organizational units (OUs), there are fewer places to which to delegate access. You get the picture.