(Kevin Beaver, CISSP TechTarget) As businesses continue to integrate Linux into their existing Windows infrastructures, extending Active Directory functionality to accommodate these systems is becoming more appealing. Many shops already run some combination of Samba/Winbind, PAM, and OpenLDAP that offer up Windows authentication services, among other things. Although some admins are looking ahead for ways to replace Active Directory altogether (a goal of Samba 4), don't hold your breath - Samba 4 has been four years in the making. There are commercial solutions for Active Directory/Linux integration available from vendors such as Quest, Centrify, and Likewise. So the need and the solutions are there. But, of course, it's not that simple - at least if security is on your radar.

Whether you've already started down the path of integration or have it on the docket for the near future, there are some Active Directory-centric security issues you need to be aware of. Like acquiring a new company and taking on its business processes and codebase, you're going to get the warts and all when you incorporate Active Directory into the Linux realm (or vice versa). You'll suddenly have all the security issues that come along with Active Directory – some of which will undoubtedly have some unintended consequences in your environment.

First off, dependence on Active Directory as your sole directory service and security policy enforcer can create a single point of failure. When Active Directory goes down – or goes away – because of some unintended outage, design oversight, or mismanagement, your network services can come to a halt. This is the least likely of scenarios - but you still need to consider it.

Another common weakness with Active Directory is the lack of separation of duties. Simply put every admin has full access to the system and there's no real accountability. Be it via general security groups or admin access at the OU (or similar) level, there needs to be some sort of separation if multiple hands are allowed access.

You also have issues with password policies – or lack thereof. This is probably the most common weakness I see related to Active Directory security. Interestingly, admins will go out of their way creating well thought-out security controls such as one-way trusts, GPOs (group policies) for locking down workstations and so on but minimal – and reasonable – password requirements are often missing.