Prudential forced to work around Active Directory
Laura Gashlin would like nothing better than to slash Microsoft's Active Directory to pieces.

It's not that the systems director for Prudential Insurance doesn't like the forthcoming directory; she just wants to divide it into separate parts for security and administrative reasons.

"We want to make sure no application can harm our infrastructure services [such as authenticating users], so partitioning becomes a big issue," Gashlin says. "If some virus were to attack the application partition, it wouldn't affect our infrastructure partition."

Unfortunately for Prudential, Active Directory won't allow that kind of partitioning, so Gashlin had to come up with another way to roll out Active Directory. Prudential's situation highlights the kind of security analysis users will face as they incorporate Active Directory into their networks.

Prudential is designing two Active Directory domains, one for application services and one for infrastructure services, instead of one directory with two partitions. Active Directory, which is scheduled to ship Feb. 17, allows partitions to be created only along domain boundaries. A domain contains a set of directory objects, such as users or network resources.

"Our dream is a single domain," Gashlin says. The single domain would streamline administration "and allow us to advance into new applications without a major redesign of our directory infrastructure," she says.

For now, the single domain will have to wait.

Microsoft officials say interdomain partitioning is not needed, given that Active Directory addresses the type of virus scenario Gashlin describes.

The protection comes from the Windows 2000 certified application logo program, which requires developers to design a separate executable to use for updating directory entries. The executable is tied into administrator privileges for Active Directory. Without those privileges, the directory cannot be altered by any application-borne virus, according to Peter Houston, a Microsoft product manager.

"They say the logo program is the answer, but that's not the right answer," Gashlin contends. In fact, Microsoft won't begin testing server applications for its logo program until January or February, which means the logo program won't even begin offering answers to Active Directory issues until late next year.

"The way to protect yourself is to limit privileges for schema [data] changes to only a few administrators," Houston says. "It's critical to understand the importance of the schema administrator."

The key is that any administrator with access to the schema can make sweeping changes to the directory. The schema dictates the structure of the directory and the contents of each data element within the directory. Microsoft's Houston says that if few administrators have schema access, it limits the avenues that viruses have for attacking the directory, and, therefore, makes partitioning less of an issue. Limiting administrative privileges is critical for the type of directory security Prudential seeks.

For example, unauthorized access to the configuration container in Active Directory, a portion of the directory that holds start-up data for applications and systems, can have lethal consequences.

"A virus that was able to take over a program that had access to the configuration container could tamper with other information in that container," says Daniel Blum, an analyst with The Burton Group in Midvale, Utah. That information includes server processes such as Distributed File System services.

"Take an application like Exchange," Blum says. "It is privileged and has access to lots of stuff in the directory. If a virus can get into the configuration container, it could do bad things."

That is an important point because application and infrastructure services share the same configuration container and schema in any grouping, called a forest, of Active Directory domains.
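The two controls the article turns on, keeping schema access to a handful of administrators and knowing which principals can write to the forest-wide configuration container, are things an administrator can audit directly. The script below is an added example, not something from the article or from Microsoft; it uses the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine with read access to the directory, and the assumed naming contexts in the comments are placeholders.

```powershell
# Added example (not from the article): audit schema-admin membership and
# write access to the configuration container. Assumes the RSAT ActiveDirectory
# module is installed and the session can read the directory.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext          # placeholder: CN=Schema,CN=Configuration,DC=example,DC=com
$configNc = $rootDse.configurationNamingContext   # placeholder: CN=Configuration,DC=example,DC=com

# 1. Schema Admins. Houston's advice is to limit schema changes to a few
#    administrators; a common practice is to keep this group empty and add a
#    member only for the duration of a planned schema change.
$schemaAdmins = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive)
Write-Host "Schema naming context: $schemaNc"
Write-Host "Schema Admins members: $($schemaAdmins.Count)"
$schemaAdmins |
    Select-Object Name, objectClass, distinguishedName |
    Format-Table -AutoSize

# 2. Configuration container. Every domain in the forest shares it, so any
#    principal (or privileged application service account, Blum's Exchange
#    example) with write rights here can affect the whole forest.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll    -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl     -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

# The AD: drive is provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$configNc"
Write-Host "Principals allowed write-class rights on $configNc:"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Review the second list against the roles the article describes: built-in forest-level groups are expected, but application service accounts that appear with GenericAll or WriteDacl on the configuration container are exactly the "privileged and has access to lots of stuff" case Blum warns about, and each one should be justified or scoped down.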

"Overall, Active Directory is pretty well-designed," Blum says. "But Microsoft does need to add some flexibility, which it will do over time."

Microsoft's take on partitioning is in sharp contrast to that of Novell. The Microsoft competitor allows partitioning within single instances of Novell Directory Services (NDS) as a way to prevent a problem in one part of a directory from interfering with another part and also to ensure that if one part of a directory goes down, the rest won't.

Microsoft contends that Novell forces users to partition their directories only because the company's mechanism for replicating data between copies of its directory over WAN links is inefficient. Microsoft uses data compression to make replication easier, Houston says.

Indeed, Novell acknowledges that replication issues are among the reasons NDS supports partitioning. "Partitioning is done to logically group users to make replication more efficient," says Paul Corriveau, a Novell product marketing manager. But partitioning also bolsters security by allowing subsets of the directory, which eliminates the need to expose the entire directory on every replica, he says.

There is no single solution, says Rick Villars, an analyst with International Data Corp. in Framingham, Mass. "Microsoft will have to address [partitioning] as Active Directory matures. Having flexibility to develop branches of the directory is as important as managing users."

Blum says the bottom line is that users should put directory designs through a meticulous security analysis.

Prudential did that, and although the company doesn't have the design it covets, it does have a design that protects valuable assets.
