
CIS 288 WEEK 9: Securing Active Directory

Slide 1

Introduction

Welcome to week 9 of C-I-S 288: Security Design in a Windows 2003 Environment. In the previous lesson we discussed securing V-P-N and Extranet Communications. In this week we will discuss securing Active Directory.

Next Slide:

Slide 2

Objectives

When you complete this lesson you will be able to: Design an access control strategy for directory services; Establish account and password requirements for security; Analyze auditing requirements; Create a delegation strategy; Design the appropriate group strategy for accessing resources; And Design a permission structure for directory service objects.

Next Slide:

Slide 3

Designing an Access Control Strategy for Directory Services

A proper access control strategy begins with identifying the methods by which it will be enforced. There are several approaches you can take when designing security; your first step should be identifying which one fits your organization's needs, and designing the strategy accordingly. You will start by breaking down the access control strategy into two parts: Access and Control. The access strategy calls for granting fairly open access to files and resources and then locking it down according to need. Control is the strategy that gives priority to security and tends to start off by locking down resources to a maximum and then relaxing security gradually as the need arises. So, which design strategy is right? There is no perfect answer for all situations; what you need is the perfect blend between access and control for your environment. You don't want to expose your resources unnecessarily, but you also don't want to lock down to the point where your design is unusable and impractical.

Next Slide:

Slide 4

Analyzing Risks to Directory Services

Today's networks are so diversified and large that it is imperative to understand the vulnerabilities an attacker can use to create risks within your directory services architecture. One thing you should always keep in mind is that usernames are easy to guess, because they usually follow a predictable pattern such as first initial plus last name or some similar combination. If an attacker does figure out a legitimate username, he or she is still left with the task of guessing or cracking the password. In other words, the security of your entire network is one password away from being broken. Even if you implement complex passwords for your network, if you do not obtain buy-in from your management staff, you'll notice that they resist these measures and might ask you to relax the complexity requirements. This leads us to least privilege: you should always make sure that you don't give a user account more rights and permissions than the user needs to go about his or her daily job. You should also be very vigilant about disabling or deleting the accounts of users who have left the company or have been on vacation for a long time. Make sure you have a security policy in place where your Human Resources department always informs you about employee turnover, so that you don't give a malicious user time to log in with his or her account and wreak havoc on the files and folders he or she has access to.

Next Slide:

Slide 5

Establishing Account Security Policies

Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network. Windows 2000 and Windows Server 2003 allow us to implement security on accounts via Group Policy. By configuring the different user rights, you can grant users the ability to perform certain functions, or you can forbid users from completing a certain task.

Next Slide:

Slide 6

Establishing Password Security

Windows 2000 and Windows Server 2003 both offer settings enforced through Group Policy that allow you to configure tightened password security within your organization. You can make these settings take effect for all users by configuring the Password policy at the root of the domain. The password policy has the following configurable settings: Enforce password history; Maximum password age; Minimum password age; Minimum password length; Password must meet complexity requirements; and Store passwords using reversible encryption. If the "Password must meet complexity requirements" policy is enabled, it forces the user to select a password that satisfies certain criteria.

Next Slide:
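The password policy settings on this slide are easier to reason about when you see them as rules applied at password-change time. The following Python model is an added example for this lesson, not Microsoft code and not something the slides contain. It implements the three checks that the Windows complexity filter applies (no account name or full-name token longer than two characters, at least six characters, three of four character classes), and then layers password history, minimum age and maximum age on top. The policy values (24 passwords of history, one-day minimum age, 42-day maximum age), the account names and the SHA-256 stand-in for the stored hash are all assumptions made for the example.

```python
import hashlib
import re
from collections import deque
from typing import List, Optional

# Assumed policy values for this example (not taken from the lesson).
MIN_LENGTH = 6      # the complexity filter itself requires at least six characters
HISTORY_SIZE = 24   # Enforce password history
MIN_AGE_DAYS = 1    # Minimum password age
MAX_AGE_DAYS = 42   # Maximum password age

# Windows splits the full name on these delimiters when checking a new password.
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def complexity_violations(password: str, sam_account_name: str, full_name: str) -> List[str]:
    """Return the complexity rules the candidate password breaks (empty list == compliant).

    Mirrors what "Password must meet complexity requirements" enforces: no account
    name or full-name token longer than two characters, at least six characters,
    and characters from at least three of the four classes.
    """
    problems = []
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in NAME_DELIMITERS.split(full_name):
        if len(token) > 2 and token.lower() in lowered:
            problems.append(f"contains part of the full name ({token})")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def _digest(password: str) -> str:
    # Stand-in for the hash a domain controller stores; history compares hashes, never clear text.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class AccountPasswordState:
    """Applies the history, minimum-age and maximum-age settings to one account.

    Time is measured in whole days from an arbitrary epoch to keep the model simple.
    """

    def __init__(self, sam_account_name: str, full_name: str):
        self.sam_account_name = sam_account_name
        self.full_name = full_name
        self.history = deque(maxlen=HISTORY_SIZE)  # oldest digest drops off automatically
        self.last_change_day: Optional[int] = None

    def change_password(self, new_password: str, day: int) -> str:
        """Attempt a user-initiated change; returns "ok" or the reason it was refused."""
        if self.last_change_day is not None and day - self.last_change_day < MIN_AGE_DAYS:
            return "rejected: minimum password age not reached"
        problems = complexity_violations(new_password, self.sam_account_name, self.full_name)
        if problems:
            return "rejected: " + "; ".join(problems)
        digest = _digest(new_password)
        if digest in self.history:  # the current password is in history too, so it cannot be re-set
            return "rejected: password found in history"
        self.history.append(digest)
        self.last_change_day = day
        return "ok"

    def is_expired(self, day: int) -> bool:
        """True once the current password is older than the maximum age."""
        return self.last_change_day is not None and day - self.last_change_day > MAX_AGE_DAYS


if __name__ == "__main__":
    account = AccountPasswordState("jsmith", "John Smith")
    for day, candidate in [(0, "Sunny-Day-2024"), (0, "Rainy-Day-2024"), (2, "Sunny-Day-2024"), (2, "johnsmith1!")]:
        print(day, candidate, "->", account.change_password(candidate, day))
```

The minimum-age check is the one most often questioned by users; its purpose is visible in the model: without it, a user could cycle through 24 throwaway passwords in a minute and land back on the original, defeating history.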

Slide 7

Establishing Password Security (continued)

An account lockout policy offers you an additional level of control and security by controlling how, when, and why an account can be locked out. The idea behind account lockout is to protect your network against someone trying to crack your passwords by continuously guessing them, or by running a password cracker against your account database. Account lockout settings deter an attacker by locking the account and preventing any further attempts to guess the password. The account lockout policy offers the following configurable settings: Account lockout duration; Account lockout threshold; and Reset account lockout counter after.

Next Slide:
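The three lockout settings interact in ways that are easy to get wrong, so here is an added Python model (example code for this lesson, not Microsoft's implementation) that replays a sequence of good and bad logon attempts against a policy and reports what a domain controller would do: count the failure, lock the account, refuse even a correct password while locked, auto-unlock when the duration expires, and clear the counter after the quiet period. The policy numbers and the event sequence are constructed for the example; the constraint that the reset window may not exceed the lockout duration is the one Group Policy itself enforces.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three account lockout settings, in minutes, as Group Policy exposes them."""
    threshold: int = 5          # Account lockout threshold: bad attempts before lockout (0 = never lock)
    duration_min: int = 30      # Account lockout duration: minutes until auto-unlock (0 = admin must unlock)
    reset_after_min: int = 30   # Reset account lockout counter after: quiet minutes before counter clears

    def validate(self) -> None:
        # Group Policy refuses a reset window longer than the lockout duration
        # (unless the duration is 0, meaning locked until an administrator unlocks).
        if self.threshold and self.duration_min and self.reset_after_min > self.duration_min:
            raise ValueError("reset window must not exceed the lockout duration")


@dataclass
class AccountLockoutState:
    """Per-account counters a domain controller keeps: the bad-password count and lockout time."""
    policy: LockoutPolicy
    bad_count: int = 0
    last_bad_min: Optional[float] = None
    locked_at_min: Optional[float] = None

    def is_locked(self, now_min: float) -> bool:
        if self.locked_at_min is None:
            return False
        if self.policy.duration_min == 0:
            return True  # stays locked until an administrator intervenes
        if now_min - self.locked_at_min >= self.policy.duration_min:
            self._unlock()
            return False
        return True

    def _unlock(self) -> None:
        self.locked_at_min = None
        self.bad_count = 0
        self.last_bad_min = None

    def bad_password(self, now_min: float) -> str:
        """Record a failed logon; returns 'locked' or 'counted'."""
        if self.is_locked(now_min):
            return "locked"
        if self.last_bad_min is not None and now_min - self.last_bad_min >= self.policy.reset_after_min:
            self.bad_count = 0  # quiet period elapsed, the counter starts over
        self.bad_count += 1
        self.last_bad_min = now_min
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at_min = now_min
            return "locked"
        return "counted"

    def good_password(self, now_min: float) -> str:
        """A correct password is still refused while locked; otherwise it clears the counter."""
        if self.is_locked(now_min):
            return "locked"
        self.bad_count = 0
        self.last_bad_min = None
        return "authenticated"

    def admin_unlock(self) -> None:
        self._unlock()


def simulate(policy: LockoutPolicy, events: List[Tuple[float, str]]) -> List[str]:
    """Replay (minute, 'bad' | 'good') attempts against a fresh account; returns the verdicts."""
    policy.validate()
    state = AccountLockoutState(policy)
    verdicts = []
    for minute, outcome in events:
        verdicts.append(state.bad_password(minute) if outcome == "bad" else state.good_password(minute))
    return verdicts


if __name__ == "__main__":
    # Constructed attempt sequence: three quick failures, a correct password while locked,
    # a correct password after the 30-minute duration, then slow failures 15 minutes apart.
    attempts = [(0, "bad"), (1, "bad"), (2, "bad"), (5, "good"), (32, "good"), (40, "bad"), (55, "bad")]
    print(simulate(LockoutPolicy(threshold=3, duration_min=30, reset_after_min=10), attempts))
```

The last two events in the constructed sequence show why the reset window matters: failures spaced wider than "Reset account lockout counter after" never accumulate, so a slow guesser stays below the threshold and only the audit log (next slide) will reveal the pattern.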

Slide 8

Analyzing Auditing Data

Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. This repository is the Event Viewer, which you can get to either by right-clicking My Computer and going to Manage, or simply by going to Start, Run and typing Event V-W-R. The Event Viewer has several different logs, based on what kinds of services are configured on the server you are trying to access. What you are most interested in at this point is the Security log, where all your auditing settings and configuration will be stored. With the Event Viewer, you are able to: Sort events by type, time, and other parameters; Filter events; View advanced event information; Export the log file to a dot-E-V-T, dot-T-X-T, or dot-C-S-V file; And Connect to a remote computer's Event Viewer.

Next Slide:
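Exporting the Security log to a dot-C-S-V file is the step that turns auditing data into something you can analyze outside the Event Viewer. The Python below is an added example for this lesson (not part of the slides and not a Microsoft tool): it parses a small constructed export, counts bad-password logon failures per account, lists accounts that were locked out, and flags accounts with a burst of failures inside a short window, which is the pattern an account lockout policy exists to stop. The column layout of the sample is an assumption; real Windows Server 2003 exports put the target account of a failed logon in the event description rather than the User column, so a parser for live data would read it from there. The event IDs are the Windows 2000/Server 2003 Security log numbers: 529 (logon failure, bad password), 539 (logon failure, account locked out) and 644 (account locked out).

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Security event IDs on Windows 2000 / Windows Server 2003 (pre-Vista numbering).
LOGON_FAILURE_BAD_PASSWORD = 529
LOGON_FAILURE_ACCOUNT_LOCKED = 539
ACCOUNT_LOCKED_OUT = 644

# Constructed sample of a Security log exported to .csv.  Column layout and
# account names are assumptions made for this example.
SAMPLE_EXPORT = """Type,Date,Time,Source,Category,Event,User,Computer
Failure Audit,3/14/2005,8:02:11 AM,Security,Logon/Logoff,529,CORP\\jsmith,DC1
Failure Audit,3/14/2005,8:02:15 AM,Security,Logon/Logoff,529,CORP\\jsmith,DC1
Failure Audit,3/14/2005,8:02:20 AM,Security,Logon/Logoff,529,CORP\\jsmith,DC1
Failure Audit,3/14/2005,8:02:24 AM,Security,Logon/Logoff,529,CORP\\jsmith,DC1
Success Audit,3/14/2005,8:02:24 AM,Security,Account Management,644,CORP\\jsmith,DC1
Failure Audit,3/14/2005,8:03:02 AM,Security,Logon/Logoff,539,CORP\\jsmith,DC1
Failure Audit,3/14/2005,9:15:00 AM,Security,Logon/Logoff,529,CORP\\mjones,DC1
Success Audit,3/14/2005,9:15:30 AM,Security,Logon/Logoff,528,CORP\\mjones,DC1
"""


def parse_export(text: str) -> List[Dict]:
    """Turn the exported CSV into dicts carrying a real timestamp and an integer event ID."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        rows.append({"when": when, "type": row["Type"], "event": int(row["Event"]),
                     "user": row["User"], "computer": row["Computer"]})
    return rows


def failed_logons_by_account(rows: List[Dict]) -> Counter:
    """How many bad-password failures each account produced."""
    return Counter(r["user"] for r in rows if r["event"] == LOGON_FAILURE_BAD_PASSWORD)


def locked_out_accounts(rows: List[Dict]) -> List[str]:
    """Accounts for which the DC logged an account-locked-out event."""
    return sorted({r["user"] for r in rows if r["event"] == ACCOUNT_LOCKED_OUT})


def password_guessing_bursts(rows: List[Dict], threshold: int = 3, window_minutes: int = 5) -> List[str]:
    """Accounts with at least `threshold` bad-password events inside any `window_minutes` span.

    A sliding window over each account's sorted failure times.  Worth reviewing even
    when no lockout occurred, because a guesser who stays under the threshold never
    triggers event 644.
    """
    times = defaultdict(list)
    for r in rows:
        if r["event"] == LOGON_FAILURE_BAD_PASSWORD:
            times[r["user"]].append(r["when"])
    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, stamps in times.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1  # slide the window forward until it spans at most `window`
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    print("failures per account:", dict(failed_logons_by_account(events)))
    print("locked out:", locked_out_accounts(events))
    print("guessing bursts:", password_guessing_bursts(events))
```

Filtering by event ID before counting is the same thing the Event Viewer's Filter dialog does; doing it in a script lets you run the check against exports from several domain controllers at once, which matters because each DC keeps its own Security log.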

Slide 9

Creating a Delegation Strategy

One of the best enhancements introduced in Windows 2000, and continued in Windows Server 2003, is the ability to delegate administration. What this means is that you can design an O-U structure, place Active Directory objects such as users and computers in it, and then give control of that O-U to an administrator in your group.

Delegation of authority can also be used to organize and isolate departments or sub-organizations in your environment. Delegated administrators fall into two main categories: Service Administrators and Data Administrators. A Service Administrator is responsible for the design aspects of Active Directory, and has autonomy over D-Cs, directory-wide configuration, and service maintenance and availability. Service Administrators can be Data Administrators, but Data Administrators are not typically Service Administrators. Data Administrators are responsible for the information saved in Active Directory, such as users, groups, and O-U containers, but they don't have control over the directory-wide configuration and delivery of services.

Next Slide:

Slide 10

Creating a Delegation Strategy (continued)

When designing your Active Directory delegation strategy, you first have to understand your organization's delegation requirements. These requirements generally fall into two categories: Isolation and Autonomy. Isolation allows for exclusive and independent access to data and services in a particular subset of the directory. Autonomy allows for shared administrative control over certain data and services; it lets administrators independently manage all or part of the services and data they are responsible for maintaining. Any delegation structure is divided among forests, domains, and O-Us. Based on the type of delegation an organization needs to apply, you can create delegated administration at any of these three container levels: Forest, Domain, and O-U. The higher in the directory structure you choose to delegate administration, the more isolation a delegated administrator can have over services and data.

Next Slide:
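The distinctions on slides 9 and 10 (service versus data administrators, autonomy versus isolation, and the forest / domain / O-U levels at which control can be granted) can be checked mechanically before anyone touches the directory. The Python below is an added example for this lesson, not a Microsoft tool and not the slides' own content: it records delegations against distinguished names, treats control as inherited by every child container, refuses service tasks for anyone not listed as a Service Administrator, and refuses an isolated delegation whenever another administrator already has control over an overlapping scope. The task names, administrator names and the corp / lab domain names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set

# Tasks grouped by the two administrator categories on the slide (names are constructed).
SERVICE_TASKS = {"manage_domain_controllers", "modify_directory_configuration", "manage_replication"}
DATA_TASKS = {"create_user", "reset_password", "manage_group_membership", "create_ou"}


@dataclass
class Delegation:
    admin: str
    container_dn: str      # forest root domain, child domain, or O-U where control is granted
    tasks: FrozenSet[str]  # what the admin may do there and in every container beneath it
    isolated: bool = False  # True = exclusive control; nobody else may hold control over this scope


@dataclass
class DelegationPlan:
    service_admins: Set[str] = field(default_factory=set)
    delegations: List[Delegation] = field(default_factory=list)

    @staticmethod
    def _within(object_dn: str, container_dn: str) -> bool:
        """True when object_dn is the container itself or sits anywhere beneath it."""
        o, c = object_dn.lower(), container_dn.lower()
        return o == c or o.endswith("," + c)

    def _overlaps(self, a: str, b: str) -> bool:
        return self._within(a, b) or self._within(b, a)

    def delegate(self, admin: str, container_dn: str, tasks: Iterable[str], isolated: bool = False) -> None:
        tasks = frozenset(tasks)
        unknown = tasks - SERVICE_TASKS - DATA_TASKS
        if unknown:
            raise ValueError(f"unknown tasks: {sorted(unknown)}")
        if tasks & SERVICE_TASKS and admin not in self.service_admins:
            raise ValueError(f"{admin} is a data administrator; service tasks need a service administrator")
        for d in self.delegations:
            # Isolation is only real if no other administrator's scope contains or sits inside this one.
            if d.admin != admin and (isolated or d.isolated) and self._overlaps(d.container_dn, container_dn):
                raise ValueError(f"isolation conflict: {d.admin} already has control over an overlapping scope")
        self.delegations.append(Delegation(admin, container_dn, tasks, isolated))

    def can_perform(self, admin: str, task: str, object_dn: str) -> bool:
        return any(d.admin == admin and task in d.tasks and self._within(object_dn, d.container_dn)
                   for d in self.delegations)

    def who_can(self, task: str, object_dn: str) -> List[str]:
        """Every administrator able to perform `task` on the object: the review question for any delegation."""
        return sorted({d.admin for d in self.delegations
                       if task in d.tasks and self._within(object_dn, d.container_dn)})


def build_sample_plan() -> DelegationPlan:
    """Constructed plan: one service administrator at the domain, one data administrator at an O-U."""
    plan = DelegationPlan(service_admins={"forest_ops"})
    plan.delegate("forest_ops", "DC=corp,DC=example", SERVICE_TASKS | DATA_TASKS)
    plan.delegate("sales_admin", "OU=Sales,DC=corp,DC=example", {"create_user", "reset_password"})
    return plan


if __name__ == "__main__":
    plan = build_sample_plan()
    target = "CN=jsmith,OU=Reps,OU=Sales,DC=corp,DC=example"
    print("sales_admin may reset jsmith:", plan.can_perform("sales_admin", "reset_password", target))
    print("who can reset jsmith:", plan.who_can("reset_password", target))
```

Running the sample shows the slide's closing point concretely: an O-U-level delegate inside a domain has autonomy (shared control, since the domain-level administrator still reaches every object beneath) but cannot have isolation; asking for `isolated=True` at an O-U under that domain is refused, while the same request for a separate domain succeeds.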

Slide 11

Designing the Appropriate Group Strategy for Accessing Resources

Groups organize users, computers, and other objects and make them easier to manage. There are three group scopes in Windows Server 2003: 1. Global groups, which are used to group users or computers that are members of the same domain; 2. Domain local groups, which are used to secure resources that exist on servers residing in the same domain as the group; and 3. Universal groups, which can contain any user or group from any domain in an entire forest and can be used to regulate access to any resource in any domain.

Next Slide:

Slide 12

Designing a Permission Structure for Data

Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure. The Microsoft strategy for this kind of structure is known as A-G-D-L-P, which you should be familiar with from the core 4 requirements. A-G-D-L-P calls for: 1. Adding domain users to Global groups; 2. Adding Global groups to Domain Local groups; and 3. Assigning Domain Local groups permissions on resources. With the introduction of Universal groups in Windows 2000 and Windows Server 2003, you can expand this best-practice strategy to accommodate the new group type. The expanded strategy is known as A-G-U-D-L-P and calls for: 1. Adding domain users to Global groups; 2. Adding Global groups to Universal groups; 3. Adding Universal groups to Domain Local groups; and 4. Assigning Domain Local groups permissions on resources.

Next Slide:
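Slides 11 and 12 together describe a set of nesting rules (what each group scope may contain) and a layering discipline (A-G-D-L-P, extended to A-G-U-D-L-P). The Python model below is an added example for this lesson, not Microsoft code and not taken from the slides: it builds a two-domain forest, enforces the scope rules when members are added, allows permissions to be granted only to domain local groups in the resource's own domain, and then flattens the nesting to compute a user's effective permissions on a resource. Domain names, group names, user names and the file-server share are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set, Tuple


class Scope(Enum):
    GLOBAL = "global"
    UNIVERSAL = "universal"
    DOMAIN_LOCAL = "domain local"


@dataclass
class Group:
    name: str
    domain: str
    scope: Scope
    members: Set[str] = field(default_factory=set)  # names of users or nested groups


class Forest:
    """A toy forest holding users, groups and resource ACLs, with the scope rules enforced."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}                               # user name -> domain
        self.groups: Dict[str, Group] = {}                            # group name -> Group
        self.acls: Dict[Tuple[str, str], Dict[str, str]] = {}         # (resource, domain) -> {group: permission}

    def add_user(self, name: str, domain: str) -> None:
        self.users[name] = domain

    def add_group(self, name: str, domain: str, scope: Scope) -> None:
        self.groups[name] = Group(name, domain, scope)

    def add_member(self, group_name: str, member: str) -> None:
        group = self.groups[group_name]
        if member in self.users:
            member_domain, member_scope = self.users[member], None
        else:
            member_domain, member_scope = self.groups[member].domain, self.groups[member].scope
        if group.scope is Scope.GLOBAL:
            if member_domain != group.domain or member_scope not in (None, Scope.GLOBAL):
                raise ValueError("global groups hold only users and global groups from their own domain")
        elif group.scope is Scope.UNIVERSAL:
            if member_scope is Scope.DOMAIN_LOCAL:
                raise ValueError("universal groups cannot contain domain local groups")
        else:  # DOMAIN_LOCAL: anything from the forest, but domain local groups only from its own domain
            if member_scope is Scope.DOMAIN_LOCAL and member_domain != group.domain:
                raise ValueError("domain local groups nest only domain local groups from their own domain")
        group.members.add(member)

    def grant(self, resource: str, resource_domain: str, group_name: str, permission: str) -> None:
        """The P step of A-G-D-L-P: permissions go on domain local groups in the resource's domain."""
        group = self.groups[group_name]
        if group.scope is not Scope.DOMAIN_LOCAL:
            raise ValueError("A-G-D-L-P: assign permissions to domain local groups only")
        if group.domain != resource_domain:
            raise ValueError("a domain local group secures resources only in its own domain")
        self.acls.setdefault((resource, resource_domain), {})[group_name] = permission

    def members_of(self, group_name: str) -> Set[str]:
        """Flatten the nesting down to the user accounts that ultimately belong to the group."""
        users, pending, seen = set(), [group_name], set()
        while pending:
            g = pending.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self.groups[g].members:
                if m in self.users:
                    users.add(m)
                else:
                    pending.append(m)
        return users

    def effective_permissions(self, user: str, resource: str, resource_domain: str) -> Set[str]:
        acl = self.acls.get((resource, resource_domain), {})
        return {perm for g, perm in acl.items() if user in self.members_of(g)}


def build_sample_forest() -> Forest:
    """Constructed A-G-U-D-L-P chain: users -> global -> universal -> domain local -> share permission."""
    f = Forest()
    f.add_user("alice", "corp")
    f.add_user("bob", "branch")
    f.add_group("Sales-Users", "corp", Scope.GLOBAL)         # A -> G, one global group per domain
    f.add_group("Branch-Sales", "branch", Scope.GLOBAL)
    f.add_member("Sales-Users", "alice")
    f.add_member("Branch-Sales", "bob")
    f.add_group("All-Sales", "corp", Scope.UNIVERSAL)        # G -> U, collects globals forest-wide
    f.add_member("All-Sales", "Sales-Users")
    f.add_member("All-Sales", "Branch-Sales")
    f.add_group("FS1-Sales-Modify", "corp", Scope.DOMAIN_LOCAL)  # U -> DL, named for resource + permission
    f.add_member("FS1-Sales-Modify", "All-Sales")
    f.grant("\\\\fs1\\sales", "corp", "FS1-Sales-Modify", "Modify")  # DL -> P
    return f


if __name__ == "__main__":
    forest = build_sample_forest()
    for user in ("alice", "bob"):
        print(user, forest.effective_permissions(user, "\\\\fs1\\sales", "corp"))
```

Naming the domain local group after the resource and the permission it carries (`FS1-Sales-Modify`) is what makes the structure cheap to change later: granting a new department access means adding its global group to the universal group, and the ACL on the share is never touched again.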

Slide 13

Summary

We have reached the end of this lesson. Let's take a look at what we have covered. Discussed first was Designing an Access Control Strategy for Directory Services. A proper access control strategy begins with identifying the methods by which it will be enforced. The access control strategy can be divided into two separate parts: Access and Control. What you need is the perfect blend between both of them for your networking environment. This was followed by a discussion on Establishing Password Security. Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network. Next, we discussed Analyzing Auditing Data. Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. We concluded the lesson with a discussion on Designing a Permission Structure for Data. Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure.