Chapter 4 Inside Windows Server 2003 Forests and DNS . . . . . 63
  Securing Forest Trusts . . . . . 63
    Cross-Forest Trust Security . . . . . 64
    Authentication Firewall . . . . . 64
    SID Filtering . . . . . 69
  Windows 2003 DNS Additions . . . . . 70
    DNS Health Checks . . . . . 70
    Windows 2003 DNSLINT . . . . . 71
    Conditional Forwarding . . . . . 72
      Setting Up Conditional Forwarding . . . . . 75
    Stub Zones . . . . . 76
      Creating Stub Zones . . . . . 79
    Conditional Forwarding vs. Stub Zones . . . . . 80
  Next: Windows 2003 Security Enhancements . . . . . 80

Chapter 4: Inside Windows Server 2003 Forests and DNS

In Chapter 3, I discussed the management aspects of Windows Server 2003 (Windows 2003). I explored new Active Directory Users and Computers console functions, including the drag-and-drop feature, the multiple-select feature, and the saved-queries feature. I introduced the Group Policy Management Console (GPMC) and forest trusts, including cross-forest trusts. In this chapter, I continue to delve into cross-forest trusts, and I introduce new DNS features.

Securing Forest Trusts

In Chapter 3, you saw that a cross-forest trust might be required if you had already upgraded various Windows NT domains or Windows 2000 domains to Windows 2003 and wanted to join them. In the example that Figure 4.1 shows (also presented in Chapter 3), you can see that I'm tying together three separate Windows 2003 forests: the Corp.jeremyco.com forest, the Sales.corp.jeremyco.com forest, and the Bigu.edu forest.

Figure 4.1 An organization's cross-forest trusts
[Figure labels: Cross Forest Trust #1; Cross Forest Trust #2; corp.jeremyco.com Forest; sales.corp.jeremyco.com (upgraded NT 4.0 domain, maintains old NetBIOS name of SALES); bigu.edu Forest; bigu.edu registrar; europe.bigu.edu; science.bigu.edu]

As I noted in Chapter 3, tying the forests together doesn't magically join the Microsoft Exchange 2000 Server or Exchange Server 2003 account lists. Rather, the cross-forest trust accomplishes one thing: It gives forest trust member domains easy access to each other's domain resources. However, how secure is a cross-forest trust?

Brought to you by NetIQ and Windows & .NET Magazine eBooks

Windows 2003: Active Directory Administration Essentials

Cross-Forest Trust Security

When you create a cross-forest trust, you basically agree to let users in other domains in trusted forests access your forest's resources, including file servers, printers, and other entities that leverage your Active Directory (AD) to maintain user accounts' rights to various resources. Although the cross-forest trust lets any account within any of the trusting forests attempt to access resources in the other trusted forests, you can probably imagine situations in which you don't necessarily trust all the accounts in the other forests equally. In the example in Figure 4.1, a university and two corporations are tied together. The setup that Figure 4.1 shows lets users in Bigu.edu try to authenticate on your domain controllers (DCs) and access your resources. However, you might want to impose particular limitations.

For example, let's assume that you're the administrator of the Corp.jeremyco.com domain, and you want to protect your forest from curious students at Bigu.edu who might want to pry. You've properly locked down access to your Corp.jeremyco.com resources. However, if you accept the defaults when you set up a cross-forest trust, you might not be fully protected. What if the results of your efforts to lock down specific resources haven't been 100 percent effective? For example, what if another administrator inadvertently permits the Everyone group access to resources for which access should be restricted? You'd still be vulnerable to attacks from Bigu.edu, unless you've spent time analyzing each share to ensure that it doesn't have Everyone: Full Control (or even Everyone: Read) access.

Authentication Firewall

To protect your resources from attacks that users in other trusted domains might launch, you can set up selective authentication through what Microsoft calls an authentication firewall. Setting up an authentication firewall lets you block certain SIDs from authenticating across the cross-forest trust. The users whose SIDs you block won't be able to authenticate on your network resources. Figure 4.1 shows a cross-forest trust situation in which you might want to restrict access selectively. For example, you could block all Bigu.edu student SIDs from traversing the cross-forest trust, but still let the Bigu.edu faculty member SIDs do so. That is, you could block the students' SIDs but let the faculty members authenticate to Corp.jeremyco.com servers and access Corp.jeremyco.com resources. This approach would prevent students from taking a whack at Corp.jeremyco.com resources.

Selective authentication isn't turned on by default. After the cross-forest trust has been established, you'll need to enable selective authentication to establish the authentication firewall. When you use the New Trust Wizard to create your cross-forest trust, you choose the scope of authentication through the Outgoing Trust Authentication Level – Local Forest dialog box options, which Figure 4.2 shows.

Figure 4.2 Outgoing Trust Authentication Level – Local Forest option

The terminology in the dialog box that Figure 4.2 shows is a bit confusing. The dialog box text doesn't state that your choice here indicates whether you'll be deploying an authentication firewall to block certain SIDs from other domains from getting inside your forest. If you select Forest-wide authentication, the default, you let all users in the cross-forest trust traverse all the forests. If you select Selective authentication, you can then manually add access for specific users, thereby creating an authentication firewall.

If you accept the default (Forest-wide authentication) when you use the New Trust Wizard, a user who logs on to a domain in another forest that trusts your forest through a cross-forest trust can see the resources you have. Figure 4.3 shows that by using the Net View command, that user can see the shares on a specific machine.

Figure 4.3 The Forest-wide authentication option

If, after your forest trust is built, you decide to further lock down resources and enable an authentication firewall, you must then use Active Directory Domains and Trusts to change the mode. After you open Active Directory Domains and Trusts, right-click the domain and open Properties. Select the Trusts tab, then the name of the trust, and Properties. Then click the Authentication tab and select Selective authentication as Figure 4.4 shows.

Figure 4.4 Choosing Selective authentication through Active Directory Domains and Trusts

As soon as you choose selective authentication, you can see the immediate consequences for users who try to gain access through the trust, which Figure 4.5 shows. Access is denied.

Figure 4.5 User access after you choose the Selective authentication option

After your authentication firewall is in place, no one in domains outside your forest (i.e., in "foreign" domains and forests) can get access to any resources through the trust. To then "open up" the authentication firewall, you need to selectively poke holes in its security. That way, you can dictate precisely who'll be given access to the resources in your forest. You set up selective access through the Active Directory Users and Computers console. First, you must enable Advanced Features, which Figure 4.6 shows. After you enable Advanced Features, you can specify security for specific objects.

Figure 4.6 Advanced Features in the Active Directory Users and Computers console

Tip: Turn on the Advanced Features in Active Directory Users and Computers to manipulate who can pass through the authentication firewall.

You'll set the filtering directly upon the computer resource to which a foreign user needs access. In Figure 4.7, you can see that I've enabled the Administrator account from a foreign domain – DOMAINC – to access resources on server VMSERVER2.

Figure 4.7 Selecting the cross-forest trust users who can access this server

After you assign the Allowed to Authenticate right to a selected user, the user can see resources across the forest trust. As Figure 4.8 shows, that user can see the resources to which access was denied previously.

Figure 4.8 A server available to specific users through the authentication firewall

SID Filtering

Another technique to prevent ne'er-do-wells from accessing your resources is SID filtering. SID filtering can help prevent potential attacks. If you wonder how such an attack might occur, recall that Win2K's Native Mode domains and Windows 2003 Functional Level domains support the SID history feature. The idea behind SID history is that a user account can be populated with more than one SID – the SID of the user account plus other SIDs. The user account is usually populated with additional SIDs when someone migrates accounts with the SID history feature turned on. SID history lets a user present an alternate set of credentials to gain access to network resources. SID history is often useful – for example, when you migrate user accounts from many domains and consolidate them into a few domains. Users might need to present their old credentials to access resources (e.g., Exchange or Microsoft SQL Server) in their former domains.

Imagine this scenario: A domain administrator in another domain that your domain trusts wants to attack you. The attacker might be a domain administrator within the same forest. An unscrupulous domain administrator could take an account in his or her domain and use the account to attack your domain. The administrator would accomplish the attack by hijacking the SIDs from the trusting domain (the NT domain) and putting them in the SID history attribute of his or her user object. The administrator then "becomes" the user with the hijacked SID – thereby impersonating (i.e., spoofing) a user in your domain. If the administrator spoofs the account of a domain administrator in your domain, he or she could do a lot of damage. Although that possibility sounds frightening and might be unlikely, it's theoretically possible.
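To make concrete what SID filtering (the mitigation this section turns to next) does to the scenario just described, here is an added Python simulation; it is not code from the book and not how Windows implements the check. It models the authorization data a trusted domain asserts about a user and strips every SID whose domain prefix is not the trusted domain's, as a quarantined trust does. The domain SIDs, accounts and share ACL are constructed for the example.

```python
"""Simulated SID filtering on a cross-forest trust.

Added example, not code from the book or from Windows. The domain SIDs,
accounts and ACL below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed domain SIDs: CORP is our (trusting) domain, BIGU the trusted foreign one.
CORP_DOMAIN = "S-1-5-21-1000000001-1000000002-1000000003"
BIGU_DOMAIN = "S-1-5-21-2000000001-2000000002-2000000003"
DOMAIN_ADMINS_RID = 512                      # well-known RID of Domain Admins
CORP_DOMAIN_ADMINS = f"{CORP_DOMAIN}-{DOMAIN_ADMINS_RID}"
BIGU_FACULTY = f"{BIGU_DOMAIN}-1105"         # constructed RID for a Bigu.edu faculty group


def domain_of(sid: str) -> Optional[str]:
    """Domain prefix (SID minus the trailing RID) of an S-1-5-21 domain SID, else None."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:-1])
    return None


@dataclass
class AuthzData:
    """What the trusted domain asserts about a user: its SID, group SIDs and SIDHistory."""
    user_sid: str
    group_sids: List[str] = field(default_factory=list)
    sid_history: List[str] = field(default_factory=list)

    def all_sids(self) -> List[str]:
        return [self.user_sid, *self.group_sids, *self.sid_history]


def filter_sids(data: AuthzData, trusted_domain: str) -> Tuple[List[str], List[str]]:
    """SID filtering as a quarantined trust applies it (simplified): keep only SIDs
    relative to the trusted domain itself, drop everything else, SIDHistory included.
    Returns (kept, dropped)."""
    kept = [s for s in data.all_sids() if domain_of(s) == trusted_domain]
    dropped = [s for s in data.all_sids() if domain_of(s) != trusted_domain]
    return kept, dropped


def access_granted(acl: Dict[str, str], effective_sids: List[str], want: str) -> bool:
    """Minimal ACL check: any effective SID with an entry granting `want` wins."""
    return any(acl.get(s) == want for s in effective_sids)


def evaluate(data: AuthzData, acl: Dict[str, str], filtering: bool, want: str = "Full") -> bool:
    """Access decision a Corp resource server makes for a user arriving over the trust."""
    sids = filter_sids(data, BIGU_DOMAIN)[0] if filtering else data.all_sids()
    return access_granted(acl, sids, want)


# Constructed ACL on a Corp share: Corp Domain Admins get Full, Bigu faculty get Read.
SHARE_ACL = {CORP_DOMAIN_ADMINS: "Full", BIGU_FACULTY: "Read"}

# A Bigu.edu account whose SIDHistory was stuffed with Corp's Domain Admins SID.
SPOOFED = AuthzData(f"{BIGU_DOMAIN}-1500", [BIGU_FACULTY], sid_history=[CORP_DOMAIN_ADMINS])
# An ordinary Bigu.edu faculty member with no SIDHistory.
FACULTY = AuthzData(f"{BIGU_DOMAIN}-1601", [BIGU_FACULTY])

if __name__ == "__main__":
    print("spoofed, no filtering :", evaluate(SPOOFED, SHARE_ACL, filtering=False))   # True
    print("spoofed, SID filtering:", evaluate(SPOOFED, SHARE_ACL, filtering=True))    # False
    print("faculty Read, filtered:", evaluate(FACULTY, SHARE_ACL, True, want="Read"))  # True
    print("dropped SIDs:", filter_sids(SPOOFED, BIGU_DOMAIN)[1])
```

The same rule also drops legitimate SIDHistory entries that point at domains other than the trusted one, which is why migrated users can lose access to old resources once filtering is on.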

Win2K Service Pack 2 (SP2) introduced SID filtering to protect against this potential attack. Windows 2003 has the same functionality enabled by default. Enabling SID filtering won't stop an administrator bent on being destructive from trying this attack, however; he or she can still hijack the SID. But your domain will ignore any SIDHistory attributes, which renders such an attack ineffective. To learn more about it, read the Microsoft Knowledge Base article "Forged SID Could Result in Elevated Privileges in Windows 2000," available at the following URL: http://support.microsoft.com/default.aspx?kbid=289243

Note: SID filtering is sometimes complex. For more information, in particular how to use SID filtering to prevent elevation-of-privilege attacks, go to http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp

To disable or re-enable SID filtering in Windows 2003, you use the Netdom command.

Tip: In addition to selective authentication and SID filtering, you can place another level of security upon a forest trust by using top-level name (TLN) restrictions. Windows 2003 uses domain name suffix routing to provide name resolution between forests connected by trust relationships. TLN restrictions let you enable, disable, or exclude suffixes to control cross-forest routing. For in-depth information about TLN restrictions, read the article "Windows 2003 Forest Trusts" at http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=38436.

Windows 2003 DNS Additions

DNS is essential to the health of Windows networks. What air is to humans, DNS is to Win2K and Windows 2003. This section isn't about in-depth DNS troubleshooting, but about DNS features new to Windows 2003. I'll assume that you've already set up your DNS correctly and that you have a healthy AD that relies on your DNS infrastructure.

DNS Health Checks

You can perform a subzone spot check before you move forward to ensure that under your domain name, all four automatically generated subzones appear, as Figure 4.9 shows. The four automatically generated subzones appear preceded by an underscore.

Figure 4.9 A domain's four automatically generated subzones

Verifying that all four automatically generated subzones (_msdcs, _sites, _tcp, and _udp) are present ensures that your domain has the records necessary to locate DCs, which clients must be able to do.

Windows 2003 DNSLINT

You can take your Windows 2003 DNS testing one step further by running a new tool that Microsoft makes available: DNSLint. DNSLint helps you make sure that you're running a "clean" DNS server. You can start by downloading DNSLint from http://download.microsoft.com/download/win2000srv/utility/q321045/nt5xp/en-us/dnslint.exe

After you download DNSLint to a Windows 2003 server, you can run myriad commands. Be sure to read the documentation file included to understand all your options. However, to help diagnose common AD-related DNS errors, you'll find it useful to run the DNSLINT command with the /ad switch, which Figure 4.10 shows.

Figure 4.10 Run DNSLint from the command line with the /ad switch

When you run DNSLint with the /ad switch, you instruct DNSLint to produce an HTML report about the state of DNS affairs. This file will reveal any trouble spots in your DNS. Figure 4.11 shows a DNSLint report with a clean bill of health (the report would list any errors that DNSLint found).

Figure 4.11 DNSLint report

Conditional Forwarding

Before I discuss the new Windows 2003 conditional forwarding feature, let me briefly review standard forwarding. You enable Win2K's standard forwarding on a server-by-server basis in the DNS applet. You simply right-click the computer name, select Properties, then select the Forwarders tab, as Figure 4.12 shows.

Figure 4.12 Win2K's Forwarders tab

Note: Other non-Microsoft implementations of DNS, such as Internet Software Consortium's (ISC's) BIND 9.0, support conditional forwarding.

The forwarders address lets one DNS server ask other (possibly nonrelated) servers for the answer to a DNS question. For example, let's imagine that a client in a domain wants to discover Microsoft.com's address to get to its Web servers. A local AD domain (e.g., Corp.com) probably wouldn't know the answer. However, by leveraging the power of forwarders, this server can ask other servers that might know the answer – and retrieve the answer for the client. The standard forwarding approach works well for a limited set of circumstances. However, standard forwarding doesn't address some situations. For example, imagine the company structure that the diagram in Figure 4.13 represents: two separate domains that have little to do with each other.

Figure 4.13 An example company's DNS configuration
[Figure labels: Internet; Forward; Forward; CORPNS1; RESEARCHDNS1; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

The diagram in Figure 4.13 indicates that the DNS servers of Corp.com and Research.internal.com can't "know about" each other. However, let's suppose that from time to time, users in the separate domains must share resources. For example, the users in Corp.com occasionally need to connect to a computer named Researchfile1.research.internal.com. And the users at Research.internal.com occasionally need to connect to CorpSQL1.corp.com. If a client in Corp.com asked about locating the Researchfile1 computer in Research.internal.com, resolving that name wouldn't be easy. Figure 4.14 shows what happens when standard forwarding is set up.

Figure 4.14 DNS communications in the example company
[Figure labels: Client says "I need something over at research.internal.com"; Server says "Check over here."; Internet; Forward; Forward; CORPNS1; RESEARCHDNS1; CORPDNS1; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

With a standard forwarder, the Corp.com DNS server (CORPDNS1) probably won't get any response other than "I can't find it" from the servers to which it forwards. The reason is that the servers forward to a common point (the ISP or the Internet). That is, the two DNS servers can't "see" each other. Under Win2K, you could fix this problem – but in a sloppy way. That is, you could have the Corp.com DNS server house a secondary-zone copy of Research.internal.com, and the Research.internal.com DNS server house a secondary-zone copy of Corp.com. However, this solution is messy because every time a new record is entered into DNS, a copy of that record must be sent to the other DNS's secondary-zone copy. Depending on how you have the zones configured, the updating can take extra administrative effort and more bandwidth.

In such a scenario, if you could tell the Corp.com DNS server where to look for Research.internal.com resources, you could solve this problem. Windows 2003's conditional forwarding lets you do exactly that, as Figure 4.15 shows.

Figure 4.15 DNS communications with conditional forwarding
[Figure labels: Client says "I need something over at research.internal.com"; CORPDNS1 Server says "Check over here."; Internet; Forward; Forward; CORPNS1; RESEARCHDNS1; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

Conditional forwarding eliminates the need to house unnecessary secondary-zone DNS files in servers that really shouldn't have them. Conditional forwarders let you keep copies of only the DNS zone files you want – without any extras. However, conditional forwarding is unique to each Windows 2003 DNS server.

Setting Up Conditional Forwarding

You need to set up conditional forwarding just as you set up standard forwarding for Win2K – that is, right-click the server name, select Properties, then click the Forwarders tab, as Figure 4.16 shows.

Figure 4.16 Windows 2003's DNS Forwarders tab

To set up conditional forwarding for a DNS domain, click New, type the name of the domain, then select the domain name and type the IP address. Figure 4.16 shows that this server will forward all requests asking about resources in the Research.internal.com domain to 192.168.0.2.

Stub Zones

Stub zones are another feature new to Windows 2003 DNS. Like conditional forwarding, stub zones solve a problem. (Also like conditional forwarding, stub zones aren't new to other non-Microsoft DNS implementations, such as BIND 9.0.) Figure 4.17 presents a DNS configuration that shows the need for stub zones.

Figure 4.17 A second example company's DNS configuration
[Figure labels: Internet; Forward; Forward; Forward; CORPNS1; INTERNALROOTDNS; RESEARCHDNS1; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

As Figure 4.17 shows, you have two unrelated domains asking a central Root DNS for information. Suppose a client request comes in from Corp.com asking about resources in Research.internal.com. You can read the "conversation" between the client and the DNS servers in Figure 4.18's internal captions.

Figure 4.18 A successful lookup with manual delegations
[Figure labels: Client says "I need something over at research.internal.com"; CORPDNS1 Server says "Follow the forward."; INTERNALROOTDNS Server says "I know where research.internal.com is – let me point you toward a research.internal.com server that knows the answer and is authoritative for the zone."; Internet; Forward; Forward; Forward; CORPNS1; INTERNALROOTDNS; RESEARCHDNS1; Client A; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

In this scenario, ClientA asks CorpDNS1, which forwards to the InternalrootDNS server. The InternalrootDNS server then looks up in its table the list of servers that are authoritative for the Research.internal.com domain (i.e., servers that respond to Start of Authority – SOA – requests). At this point, the request can go to a server in Research.internal.com for the answer.

However, what happens if Research.internal.com gets three more DNS servers – each capable of responding to the SOA request? Such a scenario could evolve if Research.internal.com introduced three more DCs that run DNS in AD integrated mode. The InternalrootDNS server would know about the original ResearchDNS1 server only – and not about the three newly introduced DNS servers. For the InternalrootDNS server to know about the new DNS servers in Research.internal.com, someone would have to manually update the InternalrootDNS server. That design isn't as responsive to change as you might need it to be.

Stub zones introduce a new technique to help address this situation. Stub zones "learn" about new DNS servers introduced into other domains. Figure 4.19 shows the different communication that occurs if you use stub zones after the new DNS servers are introduced in Research.internal.com.

Figure 4.19 Stub zones and DNS changes
[Figure labels: Client says "I need something over at research.internal.com"; CORPDNS1 Server says "Let me check my stub-zone for research.internal.com – a definitive list of research.internal.com servers which are SOA for the zone. Forward your request to a DNS server that is SOA for the zone."; Internet; Forward; Forward; Forward; INTERNALROOTDNS; CORPNS1; RESEARCHDNS1; RESEARCHDNS2; RESEARCHDNS3; Client A; CORPSQL1; RESEARCHFILE1; corp.com; research.internal.com]

Creating Stub Zones

You create a stub zone as you would create any DNS zone. That is, you right-click the server and create a new zone. Then, you select the zone type, as Figure 4.20 shows.

Figure 4.20 Creating new stub zones

At this point, you specify the zone for which you want to create a stub zone. You should then have a functioning stub zone.

Tip: If your stub zone doesn't activate right away, right-click Reload from Master to jump-start the stub zone.

Conditional Forwarding vs. Stub Zones

Conditional forwarding and stub zones accomplish similar results. When should you choose one over the other? Conditional forwarding gets the job done. But if the servers you list in the Forwarders tab go down and new ones go up, you must manually update the list. Additionally, conditional forwarding must be configured individually on each DNS server you set up. One misconfiguration could cause problems for a while. In contrast, if you create a stub zone in the source domain for the target domain, you perform a one-time configuration – and you're done. DNS servers can go up and down at will in the target domain – and the source domain is always updated. Also, you can make a stub zone AD-integrated. That means if you create the stub zone in the source domain once – all AD integrated DNS servers will be aware that you want to use stub zones for certain target domains. Also, you can choose how widely you want to replicate the stub-zone information.

Next: Windows 2003 Security Enhancements

In this chapter, I examined the security ramifications of cross-forest trusts and how to address some potential vulnerabilities, including by using selective authentication. I reviewed how you set up an authentication firewall. After the authentication firewall is in place, you must do some manual labor to open each specific gate to let users in other forests gain access through cross-forest trusts. I also discussed some Win2K DNS limitations and how Windows 2003 works around them with conditional forwarding and stub zones. In Chapter 5, I'll present Windows 2003 security enhancements. If you have all newer clients, you'll learn what makes those clients more secure than ever. If you have older clients that you can't get rid of, Chapter 5 will be especially relevant to you.
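The comparison of conditional forwarding and stub zones above, replayed as an added Python simulation (not code from the book or from Windows DNS): CORPDNS1 points at Research.internal.com once by conditional forwarder and once by stub zone, Research.internal.com then adds three AD-integrated DNS servers and loses the original one, and only the stub zone, which refreshed the zone's NS list in between, still resolves. Server names follow the chapter's figures; the IP addresses and records are constructed.

```python
"""Conditional forwarding vs. a stub zone when the target domain's DNS servers change.

Added example, not code from the book or from Windows DNS. Server names follow the
chapter's figures; IP addresses and records are constructed for the simulation.
"""
from typing import Dict, List, Optional

RESEARCH_ZONE = "research.internal.com"
TARGET = "researchfile1.research.internal.com"


class DnsServer:
    """A server holding zone data; `up` models whether it answers at all."""
    def __init__(self, name: str, ip: str, zones: Dict[str, dict]):
        self.name, self.ip, self.zones, self.up = name, ip, zones, True

    def zone_for(self, fqdn: str) -> Optional[str]:
        return next((z for z in self.zones if fqdn == z or fqdn.endswith("." + z)), None)

    def query_a(self, fqdn: str) -> Optional[str]:
        """Answer an A query from zone data, or None if down / not authoritative."""
        zone = self.zone_for(fqdn)
        return self.zones[zone]["a"].get(fqdn) if self.up and zone else None

    def ns_ips(self, zone: str) -> Optional[List[str]]:
        """The zone's NS set (as IPs); this is what a stub zone copies from its master."""
        return list(self.zones[zone]["ns"]) if self.up and zone in self.zones else None


class ConditionalForwarder:
    """Static list of IPs an administrator typed into the Forwarders tab."""
    def __init__(self, zone: str, ips: List[str]):
        self.zone, self.ips = zone, list(ips)


class StubZone:
    """Holds only the target zone's NS list, refreshed from the master (SOA refresh)."""
    def __init__(self, zone: str, master_ip: str):
        self.zone, self.masters, self.ns = zone, [master_ip], [master_ip]

    def refresh(self, net: Dict[str, DnsServer]) -> bool:
        for ip in self.masters + self.ns:          # any reachable master or known NS
            answer = net[ip].ns_ips(self.zone)
            if answer is not None:
                self.ns = answer
                return True
        return False


def resolve(fqdn: str, ips: List[str], net: Dict[str, DnsServer]) -> Optional[str]:
    """Ask each candidate server in turn; first answer wins, None if all fail."""
    return next((a for a in (net[ip].query_a(fqdn) for ip in ips) if a), None)


def add_dc(net: Dict[str, DnsServer], zone: dict, name: str, ip: str) -> None:
    """An AD-integrated DNS server shares the zone data and registers itself as NS."""
    net[ip] = DnsServer(name, ip, {RESEARCH_ZONE: zone})
    zone["ns"].append(ip)


def run_scenario() -> Dict[str, object]:
    zone = {"ns": [], "a": {TARGET: "10.0.2.50"}}            # constructed zone data
    net: Dict[str, DnsServer] = {}
    add_dc(net, zone, "RESEARCHDNS1", "10.0.2.1")
    fwd = ConditionalForwarder(RESEARCH_ZONE, ["10.0.2.1"])  # CORPDNS1, Forwarders tab
    stub = StubZone(RESEARCH_ZONE, "10.0.2.1")               # CORPDNS1, stub zone
    stub.refresh(net)
    out: Dict[str, object] = {"forwarder_before": resolve(TARGET, fwd.ips, net),
                              "stub_before": resolve(TARGET, stub.ns, net)}
    # Research.internal.com brings up three more DCs running AD-integrated DNS.
    for name, ip in [("RESEARCHDNS2", "10.0.2.2"), ("RESEARCHDNS3", "10.0.2.3"),
                     ("RESEARCHDNS4", "10.0.2.4")]:
        add_dc(net, zone, name, ip)
    stub.refresh(net)             # periodic refresh learns the new NS records
    net["10.0.2.1"].up = False    # then the original server goes away
    out["forwarder_after"] = resolve(TARGET, fwd.ips, net)   # None: stale static list
    out["stub_after"] = resolve(TARGET, stub.ns, net)        # answered by a new server
    out["stub_ns"] = list(stub.ns)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:17} {value}")
```

The stub zone is only as current as its last successful refresh: if every server it knows about disappears before it refreshes, it is as stale as the forwarder list.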
