cis341_week09_ch08


Transcript of cis341_week09_ch08

    7/27/2019 cis341_week09_ch08

    CIS 288 WEEK 9: Securing Active Directory

    Slide 1 Introduction Welcome to week 9 of C-I-S 288: Security Design in a Windows 2003 Environment.

    In the previous lesson we discussed securing V-P-N and Extranet Communications.

    In this week we will discuss securing Active Directory.

    Next Slide:

    Slide 2 Objectives When you complete this lesson you will be able to:

    Design an access control strategy for directory services;

    Establish account and password requirements for security;

    Analyze auditing requirements;

    Create a delegation strategy;

    Design the appropriate group strategy for accessing resources; and

    Design a permission structure for directory service objects.

    Next Slide:

    Slide 3 Designing an Access Control Strategy for Directory Services

    A proper access control strategy begins with identifying the methods by which it will be enforced. There are several approaches you can take when designing security; your first step should be identifying which one fits your organization's needs, and designing the strategy accordingly. You will start by breaking down the access control strategy into two parts: Access and Control.

    The access strategy calls for granting fairly open access to files and resources and then locking it down according to need. Control is the strategy that gives priority to security and tends to start off by locking down resources to a maximum and then relaxing security gradually as the need arises.

    So, which design strategy is right? There is no perfect answer for all situations; what you need is the perfect blend between access and control for your environment. You don't want to expose your resources unnecessarily, but you also don't want to lock down to the point where your design is unusable and impractical.


    Next Slide:

    Slide 4 Analyzing Risks to Directory Services

    Today's networks are so diversified and large that it is imperative to understand the vulnerabilities that an attacker can use to create risks within your directory services architecture. One thing you should always keep in mind is that, with user accounts, usernames are easy to guess because they usually follow a predictable pattern such as first initial plus last name, or some similar combination.

    Now, if an attacker does figure out a legitimate username, this still leaves him or her with the dilemma of figuring out or cracking the password. In other words, the security of your entire network is one password away from being broken.

    Even though you can implement complex passwords for your network, if you do not obtain buy-in from your management staff, you'll notice that they will resist these measures and might ask you to relax the complexity requirements. This leads us to least permissions (the principle of least privilege): you should always make sure that you don't give a user account more rights and permissions than the user needs in order to go about his or her daily job.

    You should also be very vigilant about disabling or deleting the accounts of users who have either left the company or have been on vacation for a long time. You want to make sure that you have a security policy in place where your Human Resources Department always informs you about employee turnover, so that you don't allow a malicious user time to log in with his or her account and wreak havoc on the files and folders he or she has access to.
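The HR notification described above is the primary control; the following script is an added example (not from the lecture) of the technical backstop: it reports enabled user accounts that have not logged on for a set period and previews disabling them. The 90-day window, report path, and the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example: find enabled user accounts with no logon in the last N days,
# write a review list, and preview (-WhatIf) disabling them after HR confirms.
# Assumes the ActiveDirectory module; the window and report path are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 90                                 # assumed policy value
$ReportPath   = 'C:\Reports\stale-accounts.csv'    # assumed path

# Search-ADAccount evaluates lastLogonTimestamp, which replicates with a lag of
# up to about 14 days, so this is a policy check, not a precise logon record.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties LastLogonDate, whenCreated, Description

# New accounts that have simply never logged on yet are not "stale"; exclude them.
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stale  = @($stale | Where-Object { $_.whenCreated -lt $cutoff })

$stale |
    Select-Object SamAccountName, Name, LastLogonDate, whenCreated, Description, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} enabled accounts inactive for {1}+ days written to {2}" -f $stale.Count, $InactiveDays, $ReportPath)

# Disable rather than delete, so group memberships and the SID are kept for review.
# -WhatIf only shows what would change; remove it once HR has confirmed the list.
foreach ($u in $stale) {
    $note = "Disabled {0}: inactive {1}+ days. Was: {2}" -f (Get-Date -Format 'yyyy-MM-dd'), $InactiveDays, $u.Description
    Set-ADUser -Identity $u -Description $note -WhatIf
    Disable-ADAccount -Identity $u -WhatIf
}
```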


    Next Slide:

    Slide 5 Establishing Account Security Policies

    Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network. Windows 2000 and Windows Server 2003 allow us to implement security on accounts via Group Policy.

    By configuring the different user rights, you can grant access to users to perform certain functions, or you can forbid users from completing a certain task.

    Next Slide:

    Slide 6 Establishing Password Security

    Windows 2000 and Windows Server 2003 both offer settings enforced through Group Policy that allow you to configure tightened password security within your organization. You can make these settings take effect for all users by configuring the Password policy at the root of the domain. The password policy has the following configurable settings:

    Enforce password history;

    Maximum password age;

    Minimum password age;

    Minimum password length;

    Password must meet complexity requirements; and

    Store passwords using reversible encryption.

    If the "Password must meet complexity requirements" policy is enabled, it will force the user to select a password based on certain criteria.

    Next Slide:


    Slide 7 Establishing Password Security (continued)

    An account lockout policy offers you an additional level of control and security by controlling how, when, and why an account can be locked out. The idea behind account lockout is to protect your network against someone trying to crack your passwords by continuously trying to guess them, or by running a password cracker against your account database. Account lockout settings can deter a hacker by locking the account and preventing any further attempts to guess passwords.

    The account lockout policy offers the following configurable settings: Account lockout duration; Account lockout threshold; and Reset account lockout counter after.
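As an added example (not from the lecture) covering both the password settings on Slide 6 and the lockout settings above, this script reads the domain's effective policy and compares each of the nine settings with a baseline. The baseline values are illustrative assumptions, not Microsoft or course recommendations; the ActiveDirectory module is assumed.

```powershell
# Added example: compare the default domain password and lockout policy with a baseline.
# The Setting column uses the names from the slides; the Prop column is the property
# returned by Get-ADDefaultDomainPasswordPolicy. Baseline values are assumptions.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

$baseline = @(
    @{ Setting = 'Enforce password history';                     Prop = 'PasswordHistoryCount';        Want = '>= 24';          Test = { param($v) $v -ge 24 } }
    @{ Setting = 'Maximum password age';                         Prop = 'MaxPasswordAge';              Want = '1 to 90 days';   Test = { param($v) $v -gt [TimeSpan]::Zero -and $v -le [TimeSpan]::FromDays(90) } }
    @{ Setting = 'Minimum password age';                         Prop = 'MinPasswordAge';              Want = '>= 1 day';       Test = { param($v) $v -ge [TimeSpan]::FromDays(1) } }
    @{ Setting = 'Minimum password length';                      Prop = 'MinPasswordLength';           Want = '>= 14';          Test = { param($v) $v -ge 14 } }
    @{ Setting = 'Password must meet complexity requirements';   Prop = 'ComplexityEnabled';           Want = 'Enabled';        Test = { param($v) $v -eq $true } }
    @{ Setting = 'Store passwords using reversible encryption';  Prop = 'ReversibleEncryptionEnabled'; Want = 'Disabled';       Test = { param($v) $v -eq $false } }
    @{ Setting = 'Account lockout threshold';                    Prop = 'LockoutThreshold';            Want = '1 to 10';        Test = { param($v) $v -ge 1 -and $v -le 10 } }
    @{ Setting = 'Account lockout duration';                     Prop = 'LockoutDuration';             Want = '>= 15 minutes';  Test = { param($v) $v -ge [TimeSpan]::FromMinutes(15) } }
    @{ Setting = 'Reset account lockout counter after';          Prop = 'LockoutObservationWindow';    Want = '>= 15 minutes';  Test = { param($v) $v -ge [TimeSpan]::FromMinutes(15) } }
)

# A lockout threshold of 0 means lockout is off entirely, which is why it is checked >= 1.
$results = foreach ($b in $baseline) {
    $actual = $policy.($b.Prop)
    [pscustomobject]@{
        Setting  = $b.Setting
        Actual   = $actual
        Required = $b.Want
        Status   = if (& $b.Test $actual) { 'OK' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($results.Count) settings differ from the baseline"
```

Only the domain-root policy is read here; where fine-grained password policies (PSOs) exist on newer domains, a user's effective settings can differ.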

    Next Slide:

    Slide 8 Analyzing Auditing Data

    Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. This repository is the Event Viewer, which you can get to either by right-clicking My Computer and going to Manage, or simply by going to Start, Run and typing eventvwr (Event V-W-R).

    The Event Viewer has several different logs, based on what kinds of services are configured on the server you are trying to access. What you are most interested in at this point is the Security log, where all your auditing settings and configuration will be stored. With the Event Viewer, you are able to:

    Sort events by type, time, and other parameters;

    Filter events;

    View advanced event information;

    Sort events;

    Export the log file to a .evt, .txt, or .csv file; and

    Connect to a remote computer's Event Viewer.
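The same filter-then-export workflow, scripted: an added example (not from the lecture) that pulls failed logons and lockouts from a domain controller's Security log, summarises them per account and source, and exports the rows to CSV. It uses Get-WinEvent and the current event IDs (4625 failed logon, 4771 Kerberos pre-authentication failure, 4740 account locked out), so it targets a current Windows Server DC rather than the Windows 2003-era Event Viewer the slide describes; the DC name, time window, and report path are assumptions.

```powershell
# Added example: review failed logons and lockouts from a DC's Security log.
# Assumes a current Windows Server DC reachable as $DC; values below are placeholders.
$DC         = 'DC01'                                # assumed domain controller
$Hours      = 24                                    # assumed review window
$ReportPath = 'C:\Reports\security-logon-failures.csv'

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4740
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Flatten each event's EventData into named fields, then keep what the review needs.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $d['TargetUserName']
        # 4625/4771 carry the client IP; 4740 reports the calling computer in TargetDomainName
        Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
        Status  = $d['Status']                       # e.g. 0x18 on 4771 = wrong password
    }
}

# Many failures on one account from many sources, or a few failures spread across many
# accounts from one source, are the patterns the lockout policy exists to blunt.
'Failures per account:'
$rows | Where-Object Id -ne 4740 | Group-Object Account | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

'Failures per source:'
$rows | Where-Object Id -ne 4740 | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

'Lockouts:'
$rows | Where-Object Id -eq 4740 | Select-Object Time, Account, Source | Format-Table -AutoSize

# Export, as the slide describes, for retention or for loading into another tool
$rows | Sort-Object Time | Export-Csv -Path $ReportPath -NoTypeInformation
```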

    Next Slide:

    Slide 9 Creating a Delegation Strategy

    One of the best enhancements that was introduced in Windows 2000 and continues in Windows Server 2003 is the ability to delegate administration. What this means is that you can design an O-U (organizational unit) structure, place Active Directory objects such as users and computers in it, and then give control of this O-U to an administrator in your group.
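Delegation is only as safe as the review of what has actually been granted. As an added example (not from the lecture), this script lists the permissions set directly on one OU, as opposed to those inherited from the domain, and translates the object GUIDs into readable names so an entry reads "Reset Password on user" rather than two GUIDs. The OU path is an assumption; it needs the ActiveDirectory module, which provides the AD: drive that Get-Acl reads.

```powershell
# Added example: audit the non-inherited ACEs on an OU (the delegated permissions).
# Assumes the ActiveDirectory module; the OU distinguished name is a placeholder.
Import-Module ActiveDirectory

$OU = 'OU=Helpdesk Users,DC=corp,DC=example'       # assumed OU

# Build a GUID-to-name map from the schema (classes and attributes) and from the
# extended rights container (control access rights such as "Reset Password").
$root    = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([guid]$g, [string]$whenEmpty) {
    if ($g -eq [guid]::Empty) { return $whenEmpty }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

$acl = Get-Acl -Path "AD:\$OU"

# Inherited entries come from the domain or parent OUs; explicit ones are the delegations.
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee     = $_.IdentityReference
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            On          = Resolve-AdGuid $_.ObjectType '(all properties/rights)'
            ForClass    = Resolve-AdGuid $_.InheritedObjectType '(all classes)'
            Inheritance = $_.InheritanceType
        }
    } | Sort-Object Trustee | Format-Table -AutoSize
```

Compare the output with the delegation plan; a trustee or right that is not in the plan is the finding.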


    Slide 11 Designing the Appropriate Group Strategy for Accessing Resources

    Groups organize users, computers, and other objects and make them easier to manage. There are three group scopes that exist in Windows Server 2003:

    1. Global groups, which are used to group users or computers that are members of the same domain;

    2. Domain local groups, which are used to secure resources that exist on servers residing in the same domain as the group; and

    3. Universal groups, which can contain any user or group from any domain in an entire forest. They can be used to regulate access to any resource in any domain.

    Next Slide:

    Slide 12 Designing a Permission Structure for Data

    Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure.

    The Microsoft strategy for this kind of structure is known as A-G-D-L-P, which is a strategy you should be familiar with from the core 4 requirements. A-G-D-L-P calls for:

    1. Adding domain users (Accounts) to Global groups;

    2. Adding global groups to Domain Local groups; and

    3. Assigning domain local groups Permissions on resources.

    With the introduction of Universal groups in Windows 2000 and Windows Server 2003, you can now expand this best practice strategy to accommodate the new group type. The new strategy is known as A-G-U-D-L-P and calls for:

    1. Adding domain users (Accounts) to Global groups;

    2. Adding global groups to Universal groups;

    3. Adding universal groups to Domain Local groups; and

    4. Assigning domain local groups Permissions on resources.
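The A-G-D-L-P chain carried through for one share, as an added example (not from the lecture): accounts go into a global role group, that group into a domain local resource group, and only the domain local group is named on the folder's NTFS ACL. It ends with the check that keeps the pattern honest over time. Group names, the OU, the folder, and the user names are assumptions; it needs the ActiveDirectory module and runs on the file server.

```powershell
# Added example: implement A-G-DL-P for one folder and verify the resource group.
# All names and paths are placeholders; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupOU = 'OU=Groups,DC=corp,DC=example'     # assumed OU for groups
$Folder  = 'D:\Shares\Finance'                 # assumed shared folder
$Domain  = (Get-ADDomain).NetBIOSName

# A -> G: the role group (Global scope) holds the people; membership changes happen here
New-ADGroup -Name 'Finance Staff' -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'Finance Staff' -Members 'alice', 'bob'    # assumed users

# G -> DL: the resource group (DomainLocal scope) names one permission on one resource
New-ADGroup -Name 'ACL_Finance_Modify' -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'ACL_Finance_Modify' -Members 'Finance Staff'

# DL -> P: only the domain local group appears on the folder ACL, inherited to contents
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$Domain\ACL_Finance_Modify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.SetAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check: a resource group should contain only groups. A user added directly to it
# bypasses the role group, so that user is invisible to anyone auditing 'Finance Staff'.
$direct = @(Get-ADGroupMember -Identity 'ACL_Finance_Modify' | Where-Object objectClass -eq 'user')
if ($direct.Count -gt 0) {
    Write-Warning ("Users added directly to ACL_Finance_Modify: " + ($direct.SamAccountName -join ', '))
}
```

The A-G-U-DL-P variant inserts a Universal group between the two Add-ADGroupMember steps; the folder ACL and the final check are unchanged.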

    Next Slide:


    Slide 13 Summary We have reached the end of this lesson. Let's take a look at what we have covered.

    We first discussed Designing an Access Control Strategy for Directory Services. A proper access control strategy begins with identifying the methods by which it will be enforced. The access control strategy can be divided into two separate parts: Access and Control. What you need is the perfect blend between both of them for your networking environment.

    This was followed by a discussion on Establishing Password Security. Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network.

    Next, we discussed Analyzing Auditing Data. Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting.

    We concluded the lesson with a discussion on Designing a Permission Structure for Data. Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure.