As businesses continue to integrate Linux into their existing Windows infrastructures, extending Active Directory
functionality to accommodate these systems is becoming more appealing. Many shops already run some combination of Samba/Winbind, PAM, and OpenLDAP that offer up Windows authentication services, among other things. Although some admins are looking ahead for ways to replace Active Directory altogether (a goal of Samba 4), don't hold your breath -- Samba 4 has been four years in the making. There are commercial solutions for Active Directory/Linux integration available from vendors such as Quest, Centrify, and Likewise. So the need and the solutions are there. But, of course, it's not that simple -- at least if security is on your radar.
Whether you've already started down the path of integration or have it on the docket for the near future, there are some Active Directory-centric security issues you need to be aware of. Like acquiring a new company and taking on its business processes and codebase, you're going to get the warts and all when you incorporate Active Directory into the Linux realm (or vice versa). You'll suddenly have all the security issues that come along with Active Directory – some of which will undoubtedly have some unintended consequences in your environment.
First off, dependence on Active Directory as your sole directory service and security policy enforcer can create a single point of failure. When Active Directory goes down – or goes away – because of some unintended outage, design oversight, or mismanagement, your network services can come to a halt. This is the least likely of scenarios - but you still need to consider it.
Another common weakness with Active Directory is the lack of separation of duties. Simply put every admin has full access to the system and there's no real accountability. Be it via general security groups or admin access at the OU (or similar) level, there needs to be some sort of separation if multiple hands are allowed access.
You also have issues with password policies – or lack thereof. This is probably the most common weakness I see related to Active Directory security. Interestingly, admins will go out of their way creating well thought-out security controls such as one-way trusts, GPOs (group policies) for locking down workstations and so on but minimal – and reasonable – password requirements are often missing. They're either too strict (i.e. users are burdened with changes every 30-45 days) or they're non-existent (management doesn't understand their value). Make sure you balance password requirements with usability because not doing so will all too often get in the way of doing business. Think through your Active Directory password policies so you can strike that balance and prevent things from swinging too far in either direction.
Once Active Directory integration becomes a reality, what was once your seemingly secure Linux environment will now been opened up to many of the security issues only associated with Windows. These weaknesses extend to Linux-based Web sites and applications as well as any Linux-based network appliances you incorporate into the Active Directory domain.
My advice is to fully understand what you're getting in to with Active Directory before you jump in. Read up, plan things out accordingly, and use commercial solutions if necessary. The last thing you need is a whole new set of headaches. When you're spending all this time and effort it only makes sense to do Active Directory the right way (at least according to a consensus) so be sure to check out the U.S. Department of Defense's Active Directory Security Technical Implementation Guide and the Center for Internet Security's Windows Server 2003 Domain Controller Benchmark. You won't need, or necessarily be able to, implement every hardening recommendation. However, by reviewing these documents you can make sure you're doing what's right in the context of your systems.
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver /at/ principlelogic.com.