People are saying separating forests should increase security. How?

Magoo
07-09-2005, 11:50 PM
Imagine I have a staff domain with 3,000 accounts and 15,000 student
accounts. High school students cannot handle the management overhead caused
by the change-password requirements (changing passwords every 4 months when they
are in a classroom disrupts their limited class activities - true).
Elementary school kids definitely cannot handle the password complexity
requirements.

Therefore we are discussing creating a separate forest+domain and making it
a one-way trust to the "staff" domain.

The question is this:
What's the mechanism that would make such forest+domain separation more
secure?
I mean, imagine I have the "student" domain in place with more relaxed
security policies. Then a malicious user compromises an account in the
"student" domain, assuming those have more relaxed security policies and a
student population that tends to share passwords and doesn't care about
security. The important question I have is this: is the fact that there is
no trust to the staff domain really going to be more secure and justify all
the management overhead associated with setting up a student domain?

The important point is, do you agree that if I leave a 'weak' student
account/password in the single forest, single domain as it is now and someone
easily breaks that account/password, it would be easier for the
attacker to find out the password of a more secure 'staff' account, even though
that 'staff' user is very diligent about security? Or does this have no or
minimal correlation? If the answer is that there is no correlation, I think I
will be really better off not building a separate domain. Some suggested
that I just leave my single domain as is and set the passwords of students
to 'never expire'. What do you think :?

Roger Abell
07-09-2005, 11:50 PM
There are a couple of distinct issues to consider. You have outlined
a scenario and then asked, if worst came to worst, whether the
other accounts that had used good password practices would really be
that vulnerable.

The more telling scenario runs as follows. There is an exploit
out, for which your machines are not patched, that allows elevation
of privilege for a logged-in account. Someone has access to some
student accounts due to their ineffective passwords. That someone
uses the unpatched exploit to become System on a machine. They
then leverage this to do a Remote Desktop login to your DC and
then again leverage this exploit. They are now System on a DC and
own the forest, being able to do anything whatsoever they wish.

Now, if you have separate forests, with the weak domain trusting
the faculty/staff domain so that accounts of the fac/staff may be
used in the weak domain, but not the other way around, then this
loss of the weak forest will let that someone discover some things,
like account and group names of the fac/staff domain. However,
it will not allow them any direct access into that forest, unless they
can get a foothold there, like a weakly protected account.
If all were in one forest, then the game would have been over.

Distinct trusting forests form a boundary in that you have the option
to control what accounts from one have any ability to be used in the
other. In a single forest there are a number of accesses that are there
automatically, such as by virtue of the default grants made to the
Authenticated Users group, etc. Also, in a single forest, the compromise
of a single DC in any domain can mean that the entire forest is next taken
over. Contrast this with the case where there are separate forests and in
this worst-case compromise only one forest is lost to someone (assuming
the types of trusts and their use limit the loss).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
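A way to check the boundary Roger describes, as an added example that is not part of the original thread: a PowerShell audit, run from the staff side, of the trusts the staff forest has, flagging any trust that would let student-forest identities be used in the staff forest, followed by a listing from the student side of which staff principals have actually been granted rights in the weak forest (the "foothold" he mentions). It assumes the ActiveDirectory RSAT module and an account that can read trust objects in both forests; the domain names are placeholders.

```powershell
# Added example, not from the original thread. Audits the trust boundary
# between a staff forest and a student forest as described above.
# Assumes the ActiveDirectory module (RSAT) and an account allowed to read
# trust objects in both forests. Domain names are placeholders.

Import-Module ActiveDirectory

$StaffDomain   = 'staff.example.edu'    # placeholder: trusted forest, strict policy
$StudentDomain = 'student.example.edu'  # placeholder: trusting forest, relaxed policy

# Seen from the staff forest, Direction 'Inbound' means the other forest
# trusts us: staff accounts can be used there, student accounts cannot be
# used here. 'Outbound' or 'BiDirectional' means the staff forest accepts
# student-forest identities, which is the path a compromised student
# account (or a System-level foothold on a student DC) would take.
function Test-StaffForestTrusts {
    param([string]$Server = $StaffDomain)

    foreach ($trust in Get-ADTrust -Filter * -Server $Server) {
        $findings = @()
        if ($trust.Direction -ne 'Inbound') {
            $findings += "Direction $($trust.Direction): identities from $($trust.Target) are accepted here"
            # The next two checks only matter once foreign identities are accepted.
            # SID filtering drops SIDs that the other forest did not issue, so a
            # SID history forged on a lost student DC cannot map onto staff groups.
            # ForestAware applies to forest trusts, Quarantined to external trusts.
            if (-not ($trust.SIDFilteringForestAware -or $trust.SIDFilteringQuarantined)) {
                $findings += 'SID filtering disabled'
            }
            # Selective authentication limits trusted users to computers that
            # explicitly grant them 'Allowed to Authenticate'.
            if (-not $trust.SelectiveAuthentication) {
                $findings += 'selective authentication off'
            }
        }
        [pscustomobject]@{
            Target    = $trust.Target
            Direction = $trust.Direction
            Forest    = $trust.ForestTransitive
            Findings  = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Seen from the student forest: which staff principals have been given rights
# in the weak forest? Each appears as a foreign security principal whose name
# is the staff SID, so whoever owns the student side can read their names and
# group memberships. A weak password on any of them is the foothold.
function Get-StaffFootholdsInStudentForest {
    param([string]$Server = $StudentDomain)

    $studentDn = (Get-ADDomain -Server $Server).DistinguishedName
    $staffSid  = (Get-ADDomain -Server $StaffDomain).DomainSID.Value

    # Only SIDs issued by the staff domain; well-known SIDs such as
    # Authenticated Users (S-1-5-11) also live in this container and are skipped.
    Get-ADObject -Server $Server -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
        -SearchBase "CN=ForeignSecurityPrincipals,$studentDn" -Properties memberOf |
    Where-Object { $_.Name -like "$staffSid-*" } |
    ForEach-Object {
        $fsp = $_
        # Resolve the SID to an account name through LSA, which follows the trust.
        $sid = [System.Security.Principal.SecurityIdentifier]$fsp.Name
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $fsp.Name }
        [pscustomobject]@{
            StaffPrincipal = $name
            MemberOf       = ($fsp.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join '; '
        }
    }
}

Test-StaffForestTrusts            | Format-Table -AutoSize
Get-StaffFootholdsInStudentForest | Format-Table -AutoSize
```

With the one-way trust Roger describes, the first report should show every trust to the student forest as `Inbound` with `Findings` of `OK`; anything else means the staff forest has started accepting student identities. The second report is the list of accounts whose password strength now decides whether a lost student forest stays contained.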

Karl Levinson, mvp
07-09-2005, 11:51 PM
"Magoo" <nospammagoo@hotmail.com> wrote in message
news:eqBD5fjVFHA.2540@tk2msftngp13.phx.gbl...
> Imagine I have a staff domain with 3,000 accounts and 15,000 student
> accounts. High school students cannot handle the management overhead
> caused by the change-password requirements (changing passwords every 4
> months when they are in a classroom disrupts their limited class
> activities - true). Elementary school kids definitely cannot handle the
> password complexity requirements.
>
> Therefore we are discussing creating a separate forest+domain and making
> it a one-way trust to the "staff" domain.
>
> The question is this:
> What's the mechanism that would make such forest+domain separation more
> secure?
> I mean, imagine I have the "student" domain in place with more relaxed
> security policies. Then a malicious user compromises an account in the
> "student" domain, assuming those have more relaxed security policies and a
> student population that tends to share passwords and doesn't care about
> security. The important question I have is this: is the fact that there
> is no trust to the staff domain really going to be more secure and justify
> all the management overhead associated with setting up a student domain?

The mechanism is that 1) the increased password complexity rules make it
harder to guess the password of the more privileged staff accounts, and 2)
having or hacking a student account gets you absolutely nothing in
relation to the staff domain. You probably aren't worried about student
accounts being hacked, you're worried about protecting staff resources and
accounts from students with legitimate student accounts.

Mostly what you get is the ability to set different password complexity
rules per forest, and that is pretty much only designed to prevent brute-force
attacks [such as by sniffing a professor's authentication traffic from
the wire and running l0phtcrack against it... passwords shorter than 6 or 7
characters or that are in LM hash format are cracked very quickly]. You can
try to raise the bar for attackers a little by using switches instead of
hubs [though a hacker who knows how can bypass this], by using Kerberos
and/or IPSec and/or VPN on staff computers, and/or by wiring staff computers
into different switches on a somewhat isolated network from the student
network, so that staff traffic should usually not traverse past student
workstations. A bigger problem might be that students could at times have
full unmonitored physical access to staff computers, and you would want to
take good physical and computer security measures on staff workstations.

What you could also do in this situation is leave the password complexity
low, but increase the mandatory length to at least 9 or so, and encourage
pass phrases instead of passwords. Students can then pick a long password
that they can easily remember, and staff passwords are difficult to brute
force.

Another solution could be two-factor authentication or biometrics for staff.
Fingerprint readers are getting pretty cheap. Other options are smart
cards, although you'd have to look into the price.

How about a single shared low-privileged guest account with an easy password
for all the elementary school students? Do they really need their own
resources?

Building separate forests does increase security, but neither solution is
100% secure. You're just talking about reducing risk somewhat. Whether
that reduction in risk is worth it to you is totally up to you. While a
second forest would add some security, and I'm not sure the overhead would
really be that much, there's also an argument that other countermeasures are
more effective, and that this kind of attack may not be your biggest
security problem anyway compared to issues like physical access to staff
machines.

> will be really better off not building a separate domain. Some suggested
> that I just leave my single domain as is and set the passwords of students
> to 'never expires'. What do you think :?

That's not such a bad idea. Students will probably have to write down their
passwords somewhere, but student accounts should be relatively unprivileged
and it shouldn't matter so much to you if one of them is compromised by
another student, since that other student will probably already have a
legitimate student account. [Such a compromise could upset the student that
owns the account, but then it's just up to that student to protect her
password.] I like the idea of pass phrases better, though.
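Two of Karl's points, different password rules for students and staff and the speed at which LM hashes crack, can be handled inside a single domain on current Windows. The following is an added example and is not part of the original thread: fine-grained password policies (available from the Windows Server 2008 domain functional level, so not an option when this was written) give the two populations separate policies in one domain, the per-account 'never expires' flag from the thread is applied to students, and a registry check on the domain controllers confirms that LM hashes are no longer stored and that LM/NTLMv1 are refused on the wire. It assumes the ActiveDirectory module, Domain Admin rights and WinRM access to the DCs; the group, OU, policy and user names are placeholders.

```powershell
# Added example, not from the original thread. Gives staff and students
# different password rules inside ONE domain with fine-grained password
# policies (Windows Server 2008 domain functional level or later), then
# checks the domain controllers for the LM hash weakness Karl describes.
# Needs the ActiveDirectory module, Domain Admin rights and WinRM to the DCs;
# the group, OU, policy and user names are placeholders.

Import-Module ActiveDirectory

# Strict policy for staff. If a user matches several PSOs, the lowest
# Precedence wins. 120 days is roughly the 4-month cycle in the thread.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Staff' -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 12 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 120) `
    -PasswordHistoryCount 24 -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Relaxed policy for students: no complexity rules and a long expiry, but a
# minimum length of 9 as Karl suggests, so a plain passphrase is accepted
# while a short password is not.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Students' -Precedence 20 `
    -ComplexityEnabled $false -MinPasswordLength 9 `
    -MinPasswordAge (New-TimeSpan -Days 0) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -PasswordHistoryCount 3 -LockoutThreshold 20 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -ReversibleEncryptionEnabled $false

# PSOs apply to users or global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Staff'    -Subjects 'Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Students' -Subjects 'Students'

# The 'never expires' option discussed in the thread, set per student account.
Get-ADUser -Filter * -SearchBase 'OU=Students,DC=school,DC=example' |
    Set-ADUser -PasswordNeverExpires $true

# Confirm which policy actually applies to a given account (placeholder user).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, MaxPasswordAge

# An LM hash is built from the password split into two 7-character,
# upper-cased halves, which is why l0phtcrack recovers it so quickly.
# NoLMHash=1 stops storing it on the NEXT password change (hashes already
# stored remain until then); LmCompatibilityLevel 5 makes the DC send
# NTLMv2 only and refuse LM and NTLMv1 responses. A missing value means the
# OS default applies, which on supported versions is below 5.
function Test-DomainControllerLmSettings {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $lsa = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        }
        $findings = @()
        if ($lsa.NoLMHash -ne 1) {
            $findings += 'LM hashes still stored on password change'
        }
        if ($lsa.LmCompatibilityLevel -lt 5) {
            $findings += "LmCompatibilityLevel=$($lsa.LmCompatibilityLevel): LM/NTLMv1 accepted"
        }
        [pscustomobject]@{
            DC       = $dc.HostName
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'OK' }
        }
    }
}

Test-DomainControllerLmSettings | Format-Table -AutoSize
```

The policy split removes the original reason for a second forest (one password policy per domain) without removing the forest boundary argument Roger makes; the two are independent decisions. The LM check is the part that matters most for Karl's sniffing scenario: turning NoLMHash on does nothing for passwords already on file, so staff passwords need to be changed once after it is enabled.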

Magoo
07-09-2005, 11:51 PM
You guys rule. Totally agreed.


