Providing Security for Forests
There is not a lot to secure with the forest, but what there is to secure is extremely important. Remember from our earlier discussion, a forest is a logical structural component of Active Directory. So, there won’t be any setting that you make to the forest, although with Windows Server 2003 you can make a forest trust, which does deal with the forest itself.
Forestwide Components
Three areas of Active Directory are forestwide: the global catalog, configuration context, and schema context. Every domain controller contains a copy of the configuration and schema contexts. By default, there is only one global catalog server, the first domain controller in the forest. It is typical to configure multiple global catalog servers, which can be any domain controller.
A global catalog server can become a security issue if the administrator configures security-related information to be stored in the global catalog. If this secure information is located in the global catalog server, anyone who has Read access to this portion of the Active Directory database could obtain the secure information using a tool such as LDP or ADSIEdit. This is not the case by default, but caution needs to be upheld as novice administrators and applications are installed. If a green administrator starts to configure the attributes that are stored in the global catalog, it is very easy to make an attribute a part of the global catalog. Also, applications that modify the schema can also ...
Get Securing Windows Server 2003 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.