What is a "Security Boundary"?

There's been an interesting email discussion with several AD MVPs over the last couple of days centered around the question of "what is a security boundary in a Windows environment?". Part of the problem is definitional: there isn't a commonly understood definition of "security boundary", which makes it hard to agree on whether a forest is one or not. And part of the problem is the behavior of Windows "passthrough" authentication, which I wil describe later.

The definition I use for "security boundary" is "the object space within which objects can be identified and security constraints between those objects can be expressed and established", or something similar. In AD, the forest is considered a security boundary, and meets this definition. And it is clear that establishing a trust relationship with another forest/domain expands the security boundary to include the other forest.

The Design Considerations for Delegation of Administration in Active Directory whitepaper says the following:

"Note: Previously published Active Directory documentation states that a domain is a security boundary, but does not provide specific details about the level of autonomy and isolation possible between domains in a forest. Although a domain is in fact a security boundary when considering the management aspects of Active Directory, it does not provide complete isolation in the face of possible attacks by service administrators who maliciously modify the behavior of the system. For more information, see the Appendix to this document."

This chat with Paul Rich and Sanjay Tandon says roughly the same thing.

So that's all well and good. The thing that set off the whole discussion was the behavior of Windows "passthrough" authentication, where credentials for a principal in one forest are automatically passed through to an authority in another forest. The mechanism relies on having accounts sharing the same sAMAccountName and password in the two forests. The effect is that you authenticate once in forest A and are magically authenticated in forest B using the same creds. Does this constitute a violation of the idea of a forest being a security boundary?

Now first off, there's no additional security exposure in this mechanism because to authenticate in forest B, you still have to have a valid username/password pair in forest B. The fact that the creds are the same as the creds in forest A isn't really relevent. I guess you can argue that we've expanded the scope of authorization accessible to a set of credentials, which is true, but we have not expanded the scope of authorization for an identity (because the identities in the two forests are distinct). So we're not looking at a new security hole. But is forest B still a security boundary?

I think yes. The fact remains that even though the credentials used to authenticate in the two forests are the same, the identity of the user in the two forests is distinct. I can delete the account in one forest and not in the other. I can change the password of one account and not the other. I can restrict priveleges for the account in one forest and not in the other. So the identities are distinct, and the forest is still a security boundary. By establishing accounts with the same name and password, you are simply making it easier to authenticate to the second forest. And the passthrough auth simply makes the process invisible.

Thanks to Deji, joe, Dean, Guido, and Jorge for the interesting discussion.

Comments are closed