Professional Documents
Culture Documents
Active Directory
Active Directory
Books
Contents
Chapter 4 Inside Windows Server 2003 Forests and DNS . . . . . . . . . . . . . 63
Securing Forest Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Cross-Forest Trust Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SID Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Health Checks . . . . . . . . . . . . . . Windows 2003 DNSLINT . . . . . . . . Conditional Forwarding . . . . . . . . . . . Setting Up Conditional Forwarding . Stub Zones . . . . . . . . . . . . . . . . . . . . Creating Stub Zones . . . . . . . . . . . Conditional Forwarding vs. Stub-Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 64 69 70 71 72 75 76 79 80
63
Chapter 4:
Figure 4.1
An organizations cross-forest trusts
Cross Forest Trust #1 Cross Forest Trust #2
corp.com
bigu.edu
Forest corp.com
europe.corp.com
As I noted in Chapter 3, tying the forests together doesnt magically join the Microsoft Exchange 2000 Server or Exchange Server 2003 account lists. Rather, the cross-forest trust accomplishes one thing: It gives forest trust member domains easy access to each others domain resources. However, how secure is a cross-forest trust?
Brought to you by NetIQ and Windows & .NET Magazine eBooks
64
Authentication Firewall
To protect your resources from attacks that users in other trusted domains might launch, you can set up selective authentication through what Microsoft calls an authentication firewall. Setting up an authentication firewall lets you block certain SIDs from authenticating across the cross-forest trust. The users whose SIDs you block wont be able to authenticate on your network resources. In the example in Figure 4.1, you could block all Bigu.edu student SIDs from traversing the cross-forest trust, but still let the Bigu.edu faculty member SIDs do so. This approach would prevent students from taking a whack at Corp.com resources, but let the faculty members authenticate to Corp.com servers and access Corp.com resources. Selective authentication isnt turned on by default. That is, if you accept the defaults when you set up a cross-forest trust, youll need to enable selective authentication to establish the authentication firewall. When you use the New Trust Wizard to create your cross-forest trust, you choose the scope of authentication through the Outgoing Trust Authentication Level Local Forest dialog box options, which Figure 4.2 shows.
65
Figure 4.2
Outgoing Trust Authentication Level Local Forest option
The terminology in the dialog box that Figure 4.2 shows is a bit confusing. The dialog box text doesnt state that your choice here indicates whether youll be deploying an authentication firewall to block certain SIDs from other domains from getting inside your forest. If you select Forest-wide authentication, the default, you let all users in the cross-forest trust traverse all the forests. If you select Selective authentication, thereby creating an authentication firewall, you can then manually add access for specific users. If you accept the default (Forest-wide authentication) when you use the New Trust Wizard, which Figure 4.2 shows, a user who logs on to a domain in another forest that trusts your forest through a cross-forest trust can see the resources you have. Figure 4.3 shows that by using the Net View command, that user can see the shares on a specific machine.
Figure 4.3
The Forest-wide authentication option
66
If, after your forest trust is built, you decide to further lock down resources and enable an authentication firewall, you must then use Active Directory Domains and Trusts to change the mode. After you open Active Directory Domains and Trusts, right-click the domain. Select the Trusts tab, the name of the trust, and Properties. Then click the Authentication tab and select Selective authentication as Figure 4.4 shows.
Figure 4.4
Choosing Selective authentication through Active Directory Domains and Trusts
As soon as you choose selective authentication, you can see the immediate consequences for users who try to gain access through the trust, which Figure 4.5 shows. Access is denied.
Figure 4.5
User access after you choose the Selective authentication option
67
After your authentication firewall is in place, no one in domains outside your forest (i.e., in foreign domains and forests) can get access to any resources through the trust. To then open up the authentication firewall, you need to selectively poke holes in its security. That way, you can dictate precisely wholl be given access to the resources in your forest. You set up selective access through the Active Directory Users and Computers console. First, you must enable Advanced Features, which Figure 4.6 shows.
Figure 4.6
Advanced Features in the Active Directory Users and Computers console
Tip
Turn on the Advanced Features in Active Directory Users and Computers to manipulate who can pass through the authentication firewall.
After you enable Advanced Features, you can specify security for specific objects. Youll set the filtering directly upon the computer resource to which a foreign user needs access. In Figure 4.7, you can see that Ive enabled the Administrator account from a foreign domain DOMAINC to access resources on server VMSERVER2.
68
Figure 4.7
Selecting the cross-forest trust users who can access this server
After you assign the Allowed to Authenticate right to a selected user, that user can see the resources to which access was denied previously. As Figure 4.8 shows, the user can see resources across the forest trust.
69
Figure 4.8
A server available to specific users through the authentication firewall
SID Filtering
Another technique to prevent neer-do-wells from accessing your resources is SID filtering. SID filtering can help prevent potential attacks. Imagine this scenario: A domain administrator in another domain that your domain trusts wants to attack you. The attacker might be a domain administrator within the same forest. Although that possibility sounds frightening and might be unlikely, its theoretically possible. If you wonder how such an attack might occur, recall that Win2Ks Native Mode domains and Windows 2003 Functional Level domains support the SID history feature. The idea behind SID history is that a user account can be populated with more than one SID the SID of the user account plus other SIDs. The user account is usually populated with additional SIDs when someone migrates accounts with the SID history feature turned on. SID history is often useful for example, when you migrate user accounts from many domains and consolidate them into a few domains. SID history lets a user present an alternate set of credentials to gain access to network resources. Users might need to present their old credentials to access resources (e.g., Exchange or Microsoft SQL Server) in their former domains. An unscrupulous domain administrator could take an account in his or her domain and use the account to attack your domain. The administrator would accomplish the attack by hijacking the SIDs from the trusting domain (the NT domain) and putting them in the SID history attribute of his or her user object. The administrator then becomes the user with the hijacked SID thereby impersonating (i.e., spoofing) a user in your domain. If the administrator spoofs the account of a domain administrator in your domain, he or she could do a lot of damage.
70
Win2K Service Pack 2 (SP2) introduced SID filtering to protect against this potential attack. Enabling SID filtering wont stop an administrator bent on being destructive from trying this attack; he or she can still hijack the SID. But your domain will ignore any SIDHistory attributes, which renders such an attack ineffective. Windows 2003 has the same functionality enabled by default. To disable or re-enable SID filtering in Windows 2003, you use the Netdom command. For more information, read the Microsoft Knowledge Base article Forged SID Could Result in Elevated Privileges in Windows 2000, available at the following URL: http://support.microsoft.com/default.aspx?kbid=289243
n Note
SID filtering is sometimes complex. To learn more about it, in particular how to use SID filtering to prevent elevation-of-privilege attacks, go to http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
Tip
In addition to selective authentication and SID filtering, you can place another level of security upon a forest trust by using top-level name (TLN) restrictions. Windows 2003 uses domain name suffix routing to provide name resolution between forests connected by trust relationships. TLN restrictions let you enable, disable, or exclude suffixes to control cross-forest routing. For in-depth information about TLN restrictions, read the article Windows 2003 Forest Trusts at http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38436.
71
Figure 4.9
A domains four automatically generated subzones
Verifying that all four automatically generated subzones ( _msdcs, _sites, _tcp, and _udp) are present ensures that your domain has the records necessary to locate DCs, which clients must be able to do.
Figure 4.10
Run DNSLint from the command line with the /ad switch
72
When you run DNSLint with the /ad switch, you instruct DNSLint to produce an HTML report about the state of DNS affairs. This file will reveal any trouble spots in your DNS. Figure 4.11 shows a DNSLint report with a clean bill of health (the report would list any errors that DNSLint found).
Figure 4.11
DNSLint report
Conditional Forwarding
Before I discuss the new Windows 2003 conditional forwarding feature, let me briefly review standard forwarding. You enable Win2Ks standard forwarding on a server-by-server basis in the DNS applet. You simply right-click the computer name, select Properties, then select the Forwarders tab, as Figure 4.12 shows.
73
Figure 4.12
Win2Ks Forwarders tab
n Note
Other non-Microsoft implementations of DNS, such as Internet Software Consortiums (ISCs) BIND 9.0, support conditional forwarding.
The forwarders address lets one DNS server ask other (possibly nonrelated) servers for the answer to a DNS question. For example, lets imagine that a client in a domain wants to discover Microsoft.coms address to get to its Web servers. A local AD domain (e.g., Corp.com) probably wouldnt know the answer. However, by leveraging the power of forwarders, this server can ask other servers that might know the answer and retrieve the answer for the client. The standard forwarding approach works well for a limited set of circumstances. However, standard forwarding doesnt address some situations. For example, imagine the company structure that the diagram in Figure 4.13 represents: two separate domains that have little to do with each other.
74
Figure 4.13
An example companys DNS configuration
CORPNS1
RESEARCHDNS1
CORPSQL1
RESEARCHFILE1
corp.com
research.internal.com
However, lets suppose that from time to time, users in the separate domains must share resources. For example, the users in Corp.com occasionally need to connect to a computer named Researchfile1.research.internal.com. And the users at Research.internal.com occasionally need to connect to CorpSQL1.corp.com. The diagram in Figure 4.13 indicates that the DNS servers of Corp.com and Research.internal.com cant know about each other. If a client in Corp.com asked about locating the Research.internal.com computer in Research.internal.com, resolving that name wouldnt be easy. Figure 4.14 shows what happens when standard forwarding is set up.
Figure 4.14
DNS communications in the example company
Client says I need something over at reasearch.internal.com Internet Forward Forward
CORPNS1
RESEARCHDNS1
RESEARCHFILE1
corp.com
research.internal.com
75
With a standard forwarder, the Corp.com DNS server (CORPDNS1) probably wont get any response other than I cant find it from the servers to which it forwards. The reason is that the servers forward to a common point (the ISP or the Internet). In such a scenario, the two DNS servers cant see each other. Under Win2K, you could fix this problem but in a sloppy way. That is, you could have the Corp.com DNS server house a secondary-zone copy of Research.internal.com, and the Research.internal.com DNS server house a secondary-zone copy of Corp.com. However, this solution is messy because every time a new record is entered into DNS, a copy of that record must be sent to the other DNSs secondary-zone copy. Depending on how you have the zones configured, the updating can take extra administrative effort and more bandwidth. If you could tell the Corp.com DNS server where to look for Research.internal.com resources, you could solve this problem. Windows 2003s conditional forwarding lets you do exactly that, as Figure 4.15 shows.
Figure 4.15
DNS communications with conditional forwarding
CORPDNS1 Server says Check over here. Client says I need something over at reasearch.internal.com Forward
CORPNS1
Internet Forward
RESEARCHDNS1
corp.com
research.internal.com
Conditional forwarding eliminates the need to house unnecessary secondary-zone DNS files in servers that really shouldnt have them. Conditional forwarders let you keep copies of only the DNS zone files you want without any extras.
76
Figure 4.16
Windows 2003s DNS Forwarders tab
To set up conditional forwarding for a DNS domain, select the domain name, click New, and type the name of the domain and the IP address. Figure 4.16shows that this server will forward all requests asking about resources in the Research.internal.com domain to 192.168.2.11.
Stub Zones
Stub zones are another feature new to Windows 2003 DNS. Like conditional forwarding, stub zones solve a problem. (Also like conditional forwarding, stub zones arent new to other non-Microsoft DNS implementations, such as BIND 9.0.) Figure 4.17 presents a DNS configuration that shows the need for stub zones.
77
Figure 4.17
A second example companys DNS configuration
Internet
Forward
For wa rd
Forward
CORPNS1
INTERNALROOTDNS
RESEARCHDNS1
CORPSQL1
RESEARCHFILE1
corp.com
research.internal.com
As Figure 4.17 shows, you have two unrelated domains asking a central Root DNS for information. Suppose a client request comes in from Corp.com asking about resources in Research.internal.com. You can read the conversation between the client and the DNS servers in Figure 4.18s internal captions.
78
Figure 4.18
A successful lookup with manual delegations
Internet
INTERNALROOTDNS Server says I know where research.internal.com is let me point you toward a research.interal.com server that knows the answer and is authoritative for the zone.
For wa rd
RESEARCHDNS1
corp.com
research.internal.com
In this scenario, ClientA asks CorpDNS1.corp.com for the answer, which forwards to the InternalrootDNS server. The InternalrootDNS server then looks up in its table the list of servers that are authoritative for the Research.internal.com domain (i.e., servers that respond to Start of Authority SOA requests). However, what happens if Research.internal.com gets three more DNS servers each capable of responding to the SOA request? Such a scenario could evolve if Research.internal.com introduced three more DCs that run DNS in AD integrated mode. At this point, the InternalrootDNS server would know about the original ResearchDNS1 server only and not about the three newly introduced DNS servers. For the InternalrootDNS server to know about the new DNS servers in Research.internal.com, someone would have to manually update the InternalrootDNS server. That design isnt as responsive to change as you might need it to be. Stub zones introduce a new technique to help address this situation. Stub zones learn about new DNS servers introduced into other domains. Figure 4.19 shows the different communication that occurs if you use stub zones after the new DNS servers are introduced in Research.internal.com.
79
Figure 4.19
Stub zones and DNS changes
For wa rd
CORPDNS1 Server says Let me check my stub-zone for research.internal.com a definitive list of research.internal.com servers which are SOA for the zone.
Internet
Forward
Forward your request to a DNS server that is SOA for the zone.
RESEARCHDNS1 RESEARCHDNS2
corp.com
research.internal.com
Figure 4.20
Creating new stub zones
80
At this point, you can choose how widely you want to replicate the stub-zone information. You specify the zone for which you want to create a stub zone. You should then have a functioning stub zone.
Tip
If your stub zone doesnt activate right away, right-click Reload from Master to jump-start the stub zone.