Not as Safe as You Think
Applying the single-domain model to one domain in an effort to isolate sensitive information is a risky prospect at best.
September 16, 2001
Domains are administrative boundaries—not firewalls. True, a departmental domain A that doesn't trust the corporate domain B won't let domain B users connect using their domain B accounts. However, a user at a workstation in domain B can still map a network drive to connect to computers in domain A. The individual can simply use credentials that exist in domain A or in a domain A server's local SAM. (Attackers can also use an anonymous logon to attach to a system and enumerate the computer's or domain's user-account names, which provide further targets.)
The first account that such an attacker will try to use is the built-in Administrator account. This account is all-powerful, can't be deleted or disabled, and isn't locked out by default. You can use the Microsoft Windows NT Server Resource Kit's Passprop utility to enable a lockout of the Administrator account from network access after repeated logon failures. (Passprop's Help text claims that you can still log on interactively at a domain controller—DC—console when the Administrator account is locked out, but this claim needs some clarification. You can log on as Administrator at a BDC, but you can't run User Manager because that program uses a network logon to connect to the PDC.) However, enabling lockout for the Administrator account can actually make you more vulnerable during Denial of Service (DoS) attacks. If someone locks out your Administrator account during such an attack, your only method of recovery is to log on as Administrator at the PDC console and start unlocking accounts.
About the Author
You May Also Like