Recently I had the pleasure of being involved with a fantastic partner and client during the early phases of an Active Directory migration in Spain. The particular environment that was involved was very complex – the source environment had dozens of highly segregated domains and we were responsible for migrating approximately 10 of these domains to a new forest.
As we worked through the complexities of configuring cross-forest synchronization for this migration, I thought to myself: when does complex security stop being a benefit, and start becoming a liability? While that was not my responsibility to evaluate, it did prompt a discussion surrounding Active Directory security methodology.
Active Directory can be a powerful, central component of enterprise network security. Its forest and domain model allows for a wide range of configurations, and those options can be used to create segregation between divisions, for example to build an ethical wall between business units or to meet regulatory requirements.
Proper configuration allows for tightly controlled administration by department or division. For example, a company could choose to create multiple Active Directory domains to ensure that administrators in the investment division of a large financial institution do not have access to the banking and loan division of the same institution. Such restrictions are required by law in some countries and implemented for ethical reasons in others. One caveat worth keeping in mind when designing this: within a single forest, a domain is an administrative boundary rather than a true security boundary (forest-level administrators retain reach into every domain), so divisions that must be isolated from one another's administrators need separate forests, not just separate domains.
The problem with systems architecture, Active Directory architecture included, is that it is very easy to get into trouble. For example, let's imagine a large corporation with multiple, varied divisions. Some divisions have regulatory or ethical commitments that require segregation, while many others have no such restrictions at all.
Our large corporation begins with good intent and segregates the divisions that must be segregated by company charter or by law. As time goes on, however, more and more divisions are split off into separate Active Directory domains. Ultimately, the company is operating in an environment where divisions are fully segregated even though nothing requires it.
In my experience, such segregation ultimately evolves into varying administration practices. Divisional administrators make decisions on how the systems should operate, outside of the direct purview of corporate governance. When this occurs, there is a high probability of variance in security policies.
A variance in security policy may seem like a minor issue, but consider this question: would an attacker enter a company's network through the highly secured finance division, or come in through the back door, for example a manufacturing division with weaker security requirements? And once an attacker has a foothold in one domain, the trusts that make the forest usable also give that attacker a path toward every other domain, so protecting any single domain becomes a challenging task.
When designing your Active Directory architecture it is prudent to implement segregation where it is needed. Segregation can improve security. But you should also be cognizant of the fact that unnecessary segregation creates risk of its own. Don't lose visibility into domains as a result of segregation. Environments that strike the right balance between the two will ultimately be the most secure.
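One practical way to keep that visibility is to audit the domains you do have for the policy drift described above. The following PowerShell script is an added example, not part of the original post or any Binary Tree tooling: it enumerates every domain in a forest, reads each domain's default password and lockout policy, and reports every setting that differs from the forest root domain. The choice of the root domain as the baseline, the list of settings compared, and the `Get-DomainPolicyVariance` function name are assumptions made for this example; the script requires the RSAT ActiveDirectory module and read access to a domain controller in each domain.

```powershell
# Added example (not from the original post): flag default-domain policy settings
# that differ from the forest root domain across every domain in a forest.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read
# from a DC in each domain. Baseline choice and setting list are assumptions.
Import-Module ActiveDirectory

function Get-DomainPolicyVariance {
    param(
        # Forest to inspect; defaults to the current user's forest.
        [string]$Forest = (Get-ADForest).Name
    )

    $forestObj = Get-ADForest -Identity $Forest

    # Settings compared; all are properties of the default domain password policy.
    $settings = 'MinPasswordLength', 'PasswordHistoryCount', 'MaxPasswordAge',
                'MinPasswordAge', 'LockoutThreshold', 'LockoutDuration',
                'LockoutObservationWindow', 'ComplexityEnabled',
                'ReversibleEncryptionEnabled'

    # Collect the default policy of every domain, keyed by DNS name.
    # -Server with a domain DNS name lets the DC locator pick a DC in that domain.
    $policies = @{}
    foreach ($domain in $forestObj.Domains) {
        try {
            $policies[$domain] = Get-ADDefaultDomainPasswordPolicy -Server $domain -ErrorAction Stop
        } catch {
            # A domain you cannot read is itself a visibility gap worth recording.
            Write-Warning "Could not read default policy from $domain : $($_.Exception.Message)"
        }
    }

    $baselineDomain = $forestObj.RootDomain
    $baseline = $policies[$baselineDomain]
    if (-not $baseline) { throw "No baseline policy readable from $baselineDomain" }

    # Emit one object per deviating setting so the result can be sorted or exported.
    foreach ($domain in ($policies.Keys | Where-Object { $_ -ne $baselineDomain })) {
        foreach ($s in $settings) {
            $expected = $baseline.$s
            $actual   = $policies[$domain].$s
            # String comparison handles TimeSpan and Boolean values uniformly.
            if ("$expected" -ne "$actual") {
                [pscustomobject]@{
                    Domain   = $domain
                    Setting  = $s
                    Baseline = $expected
                    Actual   = $actual
                }
            }
        }
    }
}

# Usage: list every deviation from the root domain's policy.
Get-DomainPolicyVariance | Sort-Object Domain, Setting | Format-Table -AutoSize
```

Two notes on reading the output. First, the default domain policy is a floor, not the whole picture: fine-grained password policies (`Get-ADFineGrainedPasswordPolicy`) can override it for specific groups, so a domain that matches the baseline here may still differ for its privileged accounts. Second, a domain that only appears as a warning is the more interesting finding, since it means corporate governance cannot even read that division's policy, which is exactly the loss of visibility the post warns about. Run it against the source and the target forest separately during a migration; the script covers one forest per call.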
Gary Steere is a Microsoft Certified Master on Exchange Server and a Microsoft MVP for Exchange Server. Gary works at Binary Tree as a Principal Solution Architect where his primary responsibility is guiding the next generation of Binary Tree’s migration solutions.