cis341_week09_ch08
Transcript of cis341_week09_ch08
7/27/2019 cis341_week09_ch08
1/7
CIS 288 WEEK 9: Securing Active Directory
Slide 1 Introduction Welcome to week 9 of C-I-S 288: Security Design in a Windows 2003 Environment.
In the previous lesson we discussed securing V-P-N and Extranet Communications.
In this week we will discuss securing Active Directory.
Next Slide:
Slide 2 Objectives When you complete this lesson you will be able to:
Design an access control strategy for directory services;
Establish account and password requirements for security;
Analyze auditing requirements;
Create a delegation strategy;
Design the appropriate group strategy for accessing resources; And
Design a permission structure for directory service objects.
Next Slide:
Slide 3 Designing an Access Control Strategy for Directory Services
A proper access control strategy begins with identifying the methods by which it will be enforced. There are several approaches you can take when designing security; your first step should be identifying which one fits your organization's needs, and designing the strategy accordingly. You will start by breaking down the access control strategy into two parts: Access and Control.
The access strategy calls for granting fairly open access to files and resources and then locking it down according to need. Control is the strategy that gives priority to security and tends to start off by locking down resources to the maximum and then relaxing security gradually as the need arises.
So, which design strategy is right? There is no perfect answer for all situations; what you need is the perfect blend between access and control for your environment. You don't want to expose your resources unnecessarily, but you also don't want to lock down to the point where your design is unusable and impractical.
Next Slide:
Slide 4 Analyzing Risks to Directory Services
Today's networks are so diversified and large that it is imperative to understand the vulnerabilities that an attacker can use to create risks within your directory services architecture. One thing you should always keep in mind is that, with user accounts, usernames are easy to guess because they are usually a predictable sequence like first initial plus last name or some other similar combination.
Now, if an attacker does figure out a legitimate username, this still leaves him or her with the dilemma of figuring out or cracking the password. In other words, the security of your entire network is one password away from being broken.
Even though you can implement complex passwords for your network, if you do not obtain buy-in from your management staff, you'll notice that they will resist these measures, and might ask you to relax the complexity requirements. This leads us to the principle of least permissions: you should always make sure that you don't give a user account more rights and permissions than the user needs in order to go about his or her daily job.
You should also be very vigilant about disabling or deleting accounts of users who have either left the company or have been on vacation for a long time. You want to make sure that you have a security policy in place where your Human Resources Department always informs you about employee turnover, so that you don't allow a malicious user time to log in with his or her account and wreak havoc on the files and folders he or she has access to.
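As an added example (not part of the lecture), here is how the stale-account check described above can be automated with PowerShell: list enabled user accounts that have not logged on for a set number of days, review the list with Human Resources, and only then disable them. It assumes the RSAT ActiveDirectory module, which shipped after Windows Server 2003 (on 2003 the equivalent is dsquery user -inactive); the 90-day threshold and the OU path are assumptions.

```powershell
# Added example, not from the lecture: find enabled domain user accounts that have
# not logged on for a given number of days, report them, and optionally disable them.
# Assumes the RSAT ActiveDirectory module and rights to read and modify user objects.
Import-Module ActiveDirectory

function Get-StaleUserAccount {
    param(
        [int]$InactiveDays = 90,         # assumed threshold; set it from your HR policy
        [string]$SearchBase = $null      # e.g. 'OU=Staff,DC=corp,DC=example' (assumed)
    )
    $params = @{
        AccountInactive = $true
        TimeSpan        = New-TimeSpan -Days $InactiveDays
        UsersOnly       = $true
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    # Search-ADAccount relies on lastLogonTimestamp, which replicates but is only
    # refreshed about every 14 days, so read the result as "at least this stale".
    Search-ADAccount @params |
        Where-Object { $_.Enabled } |    # already-disabled accounts need no action
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

function Disable-StaleUserAccount {
    param(
        [Parameter(ValueFromPipeline = $true)] $Account,
        [switch]$Commit                  # without -Commit this only shows what would happen
    )
    process {
        # Record why and when the account was disabled so the change is auditable later.
        $note = "Disabled $(Get-Date -Format s): inactive per account security policy"
        if ($Commit) {
            Disable-ADAccount -Identity $Account.DistinguishedName
            Set-ADUser -Identity $Account.DistinguishedName -Description $note
        } else {
            Disable-ADAccount -Identity $Account.DistinguishedName -WhatIf
        }
    }
}

# Usage: review first, then commit once HR has confirmed the list.
Get-StaleUserAccount -InactiveDays 90 | Format-Table -AutoSize
# Get-StaleUserAccount -InactiveDays 90 | Disable-StaleUserAccount -Commit
```

Disabling rather than deleting keeps the SID and its group memberships intact, so an account that turns out to be a long vacation rather than a departure can simply be re-enabled.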
Next Slide:
Slide 5 Establishing Account Security Policies
Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network. Windows 2000 and Windows Server 2003 allow us to implement security on accounts via Group Policy.
By configuring the different user rights, you can grant access to users to perform certain functions, or you can forbid users from completing a certain task.
Next Slide:
Slide 6 Establishing Password Security
Windows 2000 and Windows Server 2003 both offer settings enforced through Group Policy that allow you to configure tightened password security within your organization. You can make these settings take effect for all users by configuring the Password policy at the root of the domain. The password policy has the following configurable settings: Enforce password history; Maximum password age; Minimum password age; Minimum password length; Password must meet complexity requirements; and Store passwords using reversible encryption.
If the "Password must meet complexity requirements" policy is enabled, it will force the user to select a password based on certain criteria.
Next Slide:
Slide 7 Establishing Password Security (continued)
An Account lockout policy offers you an additional level of control and security by controlling how, when, and why an account can be locked out. The idea behind account lockout is to protect your network against someone trying to crack your passwords by continuously trying to guess them, or by running a password cracker against your account database. Account lockout settings can deter a hacker by locking the account and preventing any further attempts to guess passwords.
The account lockout policy offers the following configurable settings: Account lockout duration; Account lockout threshold; and Reset account lockout counter after.
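As an added example (not part of the lecture), the following PowerShell reads the domain-root password policy from Slide 6 and the account lockout policy from this slide and flags any setting weaker than a baseline. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 and later; on Windows Server 2003 the same values are displayed by net accounts /domain), and the baseline numbers are assumptions chosen for illustration, not Microsoft's recommendations.

```powershell
# Added example, not from the lecture: read the default domain password policy and
# account lockout policy and flag any setting weaker than an assumed baseline.
# Assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

# Baseline values are assumptions for illustration; take them from your own policy.
$PolicyBaseline = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = New-TimeSpan -Days 90
    MinPasswordAge              = New-TimeSpan -Days 1
    MinPasswordLength           = 12
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false   # reversible storage is cleartext-equivalent
    LockoutThreshold            = 10       # failed attempts before the account locks
    LockoutDuration             = New-TimeSpan -Minutes 15
    LockoutObservationWindow    = New-TimeSpan -Minutes 15   # "reset account lockout counter after"
}

function Test-DomainPasswordPolicy {
    param(
        $Policy   = (Get-ADDefaultDomainPasswordPolicy),
        $Baseline = $PolicyBaseline
    )
    $f = @()
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $f += "Enforce password history: $($Policy.PasswordHistoryCount) (baseline $($Baseline.PasswordHistoryCount))"
    }
    # A MaxPasswordAge of zero means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Baseline.MaxPasswordAge) {
        $f += "Maximum password age: $($Policy.MaxPasswordAge.Days) days (baseline $($Baseline.MaxPasswordAge.Days))"
    }
    # Without a minimum age a user can cycle through the history and reuse the old password at once.
    if ($Policy.MinPasswordAge -lt $Baseline.MinPasswordAge) {
        $f += "Minimum password age: $($Policy.MinPasswordAge.Days) days (baseline $($Baseline.MinPasswordAge.Days))"
    }
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $f += "Minimum password length: $($Policy.MinPasswordLength) (baseline $($Baseline.MinPasswordLength))"
    }
    if (-not $Policy.ComplexityEnabled) {
        $f += "Password must meet complexity requirements: disabled"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $f += "Store passwords using reversible encryption: enabled"
    }
    # A threshold of zero disables lockout entirely, which removes the protection the lecture describes.
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $f += "Account lockout threshold: $($Policy.LockoutThreshold) (baseline $($Baseline.LockoutThreshold))"
    }
    # A lockout duration of zero means an administrator must unlock the account: stricter, not weaker.
    if ($Policy.LockoutDuration -ne [TimeSpan]::Zero -and $Policy.LockoutDuration -lt $Baseline.LockoutDuration) {
        $f += "Account lockout duration: $($Policy.LockoutDuration.TotalMinutes) min (baseline $($Baseline.LockoutDuration.TotalMinutes))"
    }
    if ($Policy.LockoutObservationWindow -lt $Baseline.LockoutObservationWindow) {
        $f += "Reset account lockout counter after: $($Policy.LockoutObservationWindow.TotalMinutes) min (baseline $($Baseline.LockoutObservationWindow.TotalMinutes))"
    }
    return $f
}

$findings = @(Test-DomainPasswordPolicy)
if ($findings.Count -eq 0) { 'Default domain policy meets the baseline' } else { $findings }

# To apply the baseline at the domain root (the policy the lecture says takes effect for all users):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
#     -PasswordHistoryCount 24 -MaxPasswordAge 90.00:00:00 -MinPasswordAge 1.00:00:00 `
#     -MinPasswordLength 12 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
#     -LockoutThreshold 10 -LockoutDuration 00:15:00 -LockoutObservationWindow 00:15:00
```

The check treats the two zero values differently on purpose: a lockout threshold of zero turns lockout off, while a lockout duration of zero means the account stays locked until an administrator releases it.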
Next Slide:
Slide 8 Analyzing Auditing Data
Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. This repository is the Event Viewer, which you can get to either by right-clicking My Computer and going to Manage, or simply by going to Start, Run and typing eventvwr.
The Event Viewer has several different logs, based on what kinds of services are configured on the server you are trying to access. What you are most interested in at this point is the Security log, where all your auditing settings and configuration will be stored. With the Event Viewer, you are able to:
Sort events by type, time, and other parameters;
Filter events;
View advanced event information;
Export the log file to a .evt, .txt, or .csv file; And
Connect to a remote computer's Event Viewer.
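As an added example (not part of the lecture), here is the same filter, sort, export and remote-connect work done from PowerShell against the Security log: it pulls failed logons and lockouts from the last day, writes the detail to a .csv file, and summarizes which accounts are being hit most. It assumes a Windows Vista / Server 2008 or later system, whose Security log uses event ID 4625 for a failed logon and 4740 for an account lockout (Windows Server 2003 records the same events under older IDs); the output path is an assumption.

```powershell
# Added example, not from the lecture: read the Security log, summarize failed logons
# and lockouts per account, and export the detail to a .csv file.
# Assumes Windows Vista / Server 2008 or later event IDs (4625, 4740).
function Get-SecurityAuditSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,         # a remote DC name can be passed here
        [int]$Hours = 24,
        [string]$CsvPath = "$env:TEMP\security-audit.csv"   # assumed output path
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4625, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; suppress that and treat it as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Properties[] has a fixed order per event ID:
        #   4625: [5] = target account name, [19] = source IP address
        #   4740: [0] = locked account name, [1] = caller computer name
        switch ($e.Id) {
            4625 { $kind = 'FailedLogon'; $acct = $e.Properties[5].Value; $src = $e.Properties[19].Value }
            4740 { $kind = 'Lockout';     $acct = $e.Properties[0].Value; $src = $e.Properties[1].Value }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = $kind; Account = $acct; Source = $src }
    }

    # Full detail, sorted by time, for later analysis (the equivalent of saving the log as .csv).
    $rows | Sort-Object Time | Export-Csv -Path $CsvPath -NoTypeInformation

    # Return the accounts with the most failed logons; a password-guessing run shows up here first.
    $rows | Where-Object { $_.Kind -eq 'FailedLogon' } |
        Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

Get-SecurityAuditSummary -Hours 24 | Format-Table -AutoSize
```

Lockout events are kept in the exported file rather than the summary; a spike of 4625 events against one account immediately followed by a 4740 for it is the pattern the lockout policy on Slide 7 is designed to produce.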
Next Slide:
Slide 9 Creating a Delegation Strategy
One of the best enhancements that was introduced in Windows 2000 and continues in Windows Server 2003 is the ability to delegate administration. What this means is that you can design an O-U structure, place Active Directory objects such as users and computers in it, and then give control of this O-U to an administrator in your group.
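As an added example (not part of the lecture), here is the delegation just described done in PowerShell instead of the Delegation of Control wizard: a help-desk group is allowed to reset passwords on user objects under one O-U and nothing more, which keeps the grant to the least permission the task needs. The O-U, group and domain names are assumptions; the code assumes the RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl and Set-Acl. The two GUIDs are the schema-defined identifiers of the Reset Password control access right and the user object class.

```powershell
# Added example, not from the lecture: delegate "reset password" on user objects
# under one OU to a group. OU, group and domain names are assumptions.
# Assumes the RSAT ActiveDirectory module (for the AD: drive).
Import-Module ActiveDirectory

$ou         = 'OU=Sales,DC=corp,DC=example'   # assumed OU holding the delegated users
$delegateTo = 'Sales-HelpDesk'                # assumed security group in the same domain

$sid                = (Get-ADGroup -Identity $delegateTo).SID
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class

$acl = Get-Acl -Path "AD:\$ou"

# Allow the group the single extended right, inherited only by descendant objects of
# class user: not the OU itself, not computer objects, nothing outside this OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: show exactly which rights the group now holds on the OU and what they apply to.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$delegateTo" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Granting the right to a group rather than to an individual administrator means the delegation survives staff changes: adding or removing a person from Sales-HelpDesk changes who can reset passwords without touching the O-U's ACL again.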
Slide 11 Designing the Appropriate Group Strategy for Accessing Resources
Groups organize users, computers, and other objects and make them easier to manage. There are three group scopes that exist in Windows Server 2003:
1. Global groups, which are used to group users or computers that are members of the same domain;
2. Domain local groups, which are used to secure resources that exist on servers that reside in the same domain as the group does; And
3. Universal groups, which can contain any user or group from any domain in an entire forest. They can be used to regulate access to any resource in any domain.
Next Slide:
Slide 12 Designing a Permission Structure for Data
Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure.
The Microsoft strategy for this kind of structure is known as the A-G-D-L-P, which is a strategy you should be familiar with from the core 4 requirements. The A-G-D-L-P calls for:
1. Adding domain users to Global groups;
2. Adding Global groups to Domain Local groups; And
3. Assigning Domain Local groups permissions on resources.
With the introduction of Universal groups in Windows 2000 and Windows Server 2003, you can now expand this best practice strategy to accommodate the new group type. The new strategy is known as the A-G-U-D-L-P and calls for:
1. Adding domain users to Global groups;
2. Adding Global groups to Universal groups;
3. Adding Universal groups to Domain Local groups; And
4. Assigning Domain Local groups permissions on resources.
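As an added example (not part of the lecture), the following PowerShell builds one A-G-D-L-P chain end to end for a shared folder: accounts go into a Global role group, that group goes into a Domain Local resource group, and only the Domain Local group is placed on the folder's ACL. The group names, O-U, folder path and user names are assumptions; the code assumes the RSAT ActiveDirectory module and that it runs on the file server that holds the folder.

```powershell
# Added example, not from the lecture: build an A-G-DL-P chain for one shared folder.
# Names, OU, folder path and users are assumptions. Assumes the RSAT ActiveDirectory
# module and that the script runs on the file server holding the folder.
Import-Module ActiveDirectory

$OU     = 'OU=Groups,DC=corp,DC=example'   # assumed OU for the groups
$Folder = 'D:\Shares\Finance'              # assumed folder being secured
$Users  = 'alice', 'bob'                   # assumed existing user accounts

# A -> G: a role group, Global scope, holds the accounts of people doing a job.
$global = 'Finance-Staff'
if (-not (Get-ADGroup -Filter "Name -eq '$global'")) {
    New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $OU
}
Add-ADGroupMember -Identity $global -Members $Users

# G -> DL: a resource group, Domain Local scope, named for the resource and the access level.
$dlModify = 'Finance-Share-Modify'
if (-not (Get-ADGroup -Filter "Name -eq '$dlModify'")) {
    New-ADGroup -Name $dlModify -GroupScope DomainLocal -GroupCategory Security -Path $OU
}
Add-ADGroupMember -Identity $dlModify -Members $global

# DL -> P: only the Domain Local group appears in the ACL. Users and Global groups
# never do, so later access changes are made by editing membership, not the ACL.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$((Get-ADDomain).NetBIOSName)\$dlModify",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check: who ends up with Modify on the folder, resolved through the nesting.
Get-ADGroupMember -Identity $dlModify -Recursive | Select-Object SamAccountName
```

For the A-G-U-D-L-P variant in a multi-domain forest, insert one extra step: create a Universal group, add each domain's Global role group to it, and add the Universal group (instead of the Global group) to the Domain Local group; the ACL step is unchanged.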
Next Slide:
Slide 13 Summary We have reached the end of this lesson. Let's take a look at what we have covered.
Discussed first was Designing an Access Control Strategy for Directory Services. A proper access control strategy begins with identifying the methods by which it will be enforced. The access control strategy can be divided into two separate parts: Access and Control. What you need is the perfect blend between both of them for your networking environment.
This was followed by a discussion on Establishing Password Security. Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network.
Next, we discussed Analyzing Auditing Data. Once you've configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting.
We concluded the lesson with a discussion on Designing a Permission Structure for Data. Designing a permission structure for data can be a challenging task and should be thought out carefully, because rectifying it later and making changes can be a complicated and very time-consuming task. For this reason, a well thought out design plan should rely on Microsoft recommended best practices for permission structure.