Best Practices

  • Use multiple forests if you require discrete isolation. If your security policy calls for discrete isolation of control between domains, use separate forests.

  • Physically secure domain controllers. If an attacker or rogue administrator can physically compromise a domain controller, he can not only gain access to the information stored on it but also potentially compromise that information to jeopardize the entire forest.

  • Train administrators. Once you have delegated authority to a user over a set of objects, you have created an administrator of some degree. You should, at a minimum, provide training to make the administrator aware of the capabilities and limits of her account, the ways she ...

Get Microsoft® Windows® Security Resource Kit, Second Edition now with the O’Reilly learning platform.