T 2.68 Lack of, or inadequate, planning of Active Directory
The global structure of an Active Directory, i.e. how it is divided into domains, has a wide-ranging impact on the security of the resources administered in it. Problems arise in particular when different domains have different security requirements or when the domains belong to different parts of the organisation.
The following risks, for example, are posed to all domains due to a lack of or inadequate planning:
- All domains in an Active Directory forest share a single schema. Even when a software package requiring a schema change is installed in only one domain, the change takes effect in all other domains as well. Incompatible schema changes introduced by different software products can prevent software from being installed or from running correctly, and schema changes cannot be undone once made (attributes can only be deactivated, not deleted).
- Certain user data from the Active Directory (the attributes replicated to the Global Catalog) is available in every domain of the forest. This can violate data protection requirements if the type and level of detail of this information were not adequately coordinated in advance.
- Administrators of the forest root domain (in particular members of the Enterprise Admins and Schema Admins groups, which exist only there) also have extensive privileges in all other domains of the forest. If the interval after which an administrator account or an unattended administrator session is automatically locked is set too long, third parties may be able to obtain and use these administrator rights.
- If a domain is spread over several locations that are not adequately networked with each other, an account lockout only takes effect at a location once it has replicated to the domain controllers there, which may take a long time. As a result, a user whose account has been locked may, under certain circumstances, still be able to log in at another location.
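The forest-wide points above can be checked from a domain-joined administrative workstation. The following PowerShell script is an added example and not part of the BSI text; it assumes the ActiveDirectory module (RSAT) is installed, that the session has read access to the forest, and that the list of attributes treated as sensitive (`$sensitiveAttributes`) is adapted to the organisation's own data protection requirements. It lists the attributes replicated to every Global Catalog, the members of the forest-wide administrative groups in the root domain, and the lockout and inter-site replication settings that determine how quickly a lockout reaches all locations.

```powershell
# Added example: forest-level audit for schema / Global Catalog exposure,
# forest-root administrators and lockout propagation. Not part of the BSI text.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$rootDomain = $forest.RootDomain

# 1. Attributes in the Global Catalog "partial attribute set".
#    Every attribute flagged isMemberOfPartialAttributeSet=TRUE in the schema
#    is replicated to every Global Catalog server, i.e. readable from every domain.
$schemaNC = (Get-ADRootDSE -Server $rootDomain).schemaNamingContext
$gcAttributes = Get-ADObject -Server $rootDomain -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

"Attributes replicated to every Global Catalog: $($gcAttributes.Count)"

# Assumption: list of attributes the organisation considers sensitive; adjust to policy.
$sensitiveAttributes = @('telephoneNumber', 'homePhone', 'mobile', 'streetAddress', 'employeeID')
foreach ($attr in $gcAttributes) {
    if ($sensitiveAttributes -contains $attr) {
        "  WARNING: '$attr' is available forest-wide via the Global Catalog"
    }
}

# 2. Forest-wide administrative groups exist only in the forest root domain and
#    carry administrative rights in every domain of the forest.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Server $rootDomain -Recursive)
    "$group ($rootDomain): $($members.Count) member(s)"
    foreach ($m in $members) { "  $($m.SamAccountName)" }
}

# 3. Lockout policy per domain. A lockout only protects a location once it has
#    replicated to the domain controllers there.
foreach ($domain in $forest.Domains) {
    $pol = Get-ADDefaultDomainPasswordPolicy -Server $domain
    "{0}: LockoutThreshold={1} LockoutDuration={2} ObservationWindow={3}" -f `
        $domain, $pol.LockoutThreshold, $pol.LockoutDuration, $pol.LockoutObservationWindow
}

# 4. Inter-site replication schedule: the interval on each site link is the
#    worst case for how long a lockout may take to reach another location.
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    ForEach-Object {
        "Site link {0}: every {1} min between {2}" -f `
            $_.Name, $_.ReplicationFrequencyInMinutes, ($_.SitesIncluded -join ', ')
    }
```

Run it once per forest; a site link with a long replication interval combined with a non-empty Enterprise Admins group is exactly the combination the two last risks above describe.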
The structure of the Active Directory in a domain also needs to be planned carefully because otherwise it will be exposed to the following threats:
- If computer and user accounts are left in the predefined "Computers" and "Users" containers directly below the domain, it is not possible to assign separate group policy configurations to the various types of user accounts or computers: Group Policy Objects can be linked to sites, domains and organisational units, but not to these containers, so all objects in them receive only the domain-level policies. This could allow a user to circumvent the rights restrictions that the group policies are supposed to enforce on an affected type of computer.
- If organisational units (OUs) are deeply nested, the structure of the domain can become so complex that the Active Directory is more susceptible to misconfiguration. In addition, the performance of the Active Directory service decreases as the nesting depth increases, especially when OUs are nested too deeply, e.g. when they span more than 4 levels.
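The two domain-level points above can be checked with the following PowerShell script, which is an added example and not part of the BSI text. It assumes the ActiveDirectory module (RSAT), a session with read access to the domain being audited, and a nesting threshold of 4 levels (`$maxDepth`, taken from the text above and adjustable). It reports the non-built-in accounts still sitting in the default containers, which can only receive domain-level group policy, and the OUs whose nesting depth exceeds the threshold.

```powershell
# Added example: domain-level audit for objects in the default containers and
# for excessively deep OU nesting. Not part of the BSI text.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$maxDepth = 4   # assumption: nesting threshold from the text; adjust as required

# 1. Accounts in the default containers. GPOs cannot be linked to these
#    containers, so every object here gets only the domain-level policies.
$strayComputers = @(Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel)

# Built-in accounts such as Administrator, Guest and krbtgt legitimately live in
# CN=Users; they have well-known RIDs below 1000 and are excluded from the report.
$strayUsers = @(Get-ADUser -Filter * -SearchBase $domain.UsersContainer -SearchScope OneLevel |
    Where-Object { [int]($_.SID.Value.Split('-')[-1]) -ge 1000 })

"Computers in $($domain.ComputersContainer): $($strayComputers.Count)"
foreach ($c in $strayComputers) { "  $($c.Name)" }
"Non-built-in users in $($domain.UsersContainer): $($strayUsers.Count)"
foreach ($u in $strayUsers) { "  $($u.SamAccountName)" }

# 2. OU nesting depth: the number of OU= components in the distinguished name.
#    OU=Laptops,OU=Clients,OU=Berlin,DC=example,DC=test has depth 3.
$deepOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName |
    ForEach-Object {
        $depth = ([regex]::Matches($_.DistinguishedName, '(?i)(^|,)OU=')).Count
        [pscustomobject]@{ Depth = $depth; OU = $_.DistinguishedName }
    } |
    Where-Object { $_.Depth -gt $maxDepth } |
    Sort-Object Depth -Descending

"OUs nested deeper than $maxDepth levels: $(@($deepOUs).Count)"
$deepOUs | Format-Table -AutoSize
```

Any computer or user the first part lists should be moved into an OU that carries the group policies intended for its type; any OU the second part lists is a candidate for flattening the hierarchy.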