Active Directory and the Common Criteria

Last week I wrote about Microsoft's white paper, Design Considerations for Delegation of Administration in Active Directory," which discusses design considerations to maximize security for organizations that might need multiple domains. The paper, in part, suggests that such organizations should consider using multiple forests to minimize security risks.

Donald Bauer, MCSE and Certified Citrix Administrator (CCA) at Integery International, wrote to inform me that Lucent Technologies has a white paper, Windows 2000 Active Directory Design, Restricting the Enterprise Administrators Group," which is available online in PDF format. Anyone wondering about the pros and cons of multiple forest directory models should read this paper.

The white paper outlines the advantages of grouping domains into a forest and discusses three Active Directory (AD) features that make this choice reasonable. The paper says, "There are many advantages to having domains grouped into a forest. First and foremost, the Windows 2000 AD automatically manages interdomain trusts within a forest. A second major advantage is that tools exist from both Microsoft and third parties to permit the movement of certain types of objects, such as user or computer accounts, from one domain to another in the same forest. A third advantage is a unified administrative model: a user can be designated an Enterprise Administrator (EA) and granted administrative rights to all domains in the forest."

Great points. The paper also discusses the controversy about the third mentioned advantage—a unified administrative model. The paper states, "This third feature has caused some controversy; specifically, some organizations want to have a fully segregated domain design such that an administrator in one domain cannot interfere with another domain. This has led some organizations to consider creating separate forests. Separate forests, while they do solve the problem of overlapping administration introduce other complications into the mix; trusts between domains from different forests must be manually managed. If the organization employs Exchange 2000, a common global address book is not possible since the address book is defined on a forest basis. Finally, the ability to move user and computer objects between domains is lost since no tool currently exists to move an object from one forest to another."

Those are some additional interesting tidbits of information, don't you think? If you're using AD, be sure to read the eight-page white paper—it's worth your time to do so.

On January 17, Microsoft released another white paper about AD called "The Common Criteria: Providing a Reliable Security Standard." The paper is available on the company's Web site. The paper discuses how to use AD to comply with the Common Criteria (CC).

According to the US government's CC Web site, "The governments of North American and European nations agreed in the spring of 1993 to develop a 'Common Information Technology Security Criteria.' Participants include France, Germany, the Netherlands, the UK, Canada, and the United States (National Institute of Standards and Technology—NIST—and National Security Administration—NSA). The Common Criteria Project is an international body of organizations charged with aligning the existing security criteria into a standard for certifying the security of products and systems.

The CC Project consists of three parts. Part 1 defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 2 establishes a set of standard components to express the functional security requirements for targets of security evaluation. Part 3 establishes a set of assurance components to express the assurance requirements for targets of evaluation. Be sure to visit the CC Web site and read about this initiative in detail. You can also read a brief explanation of the project at the SANS Institute Web site.