Security Planning and Security Planning and Administrative Delegation Administrative Delegation Lesson 6
Transcript
1. Security Planning and Administrative Delegation
Lesson 6
2. Skills Matrix Technology Skill Objective Domain Objective #
Creating an OU Structure Maintain Active Directory accounts
4.2
3. Naming Standard
User logon names will typically follow a corporate naming
standard set forth during the planning stages of an Active
Directory deployment.
You will usually create a naming standards document to outline
the rules for naming all Active Directory objects.
This document will specify conventions such as the number and
type of characters to use when creating a new object in Active
Directory.
4. Strong Passwords
Since user names are often easily guessed, it is essential to
have strong passwords:
At least eight characters in length.
Contains uppercase and lowercase letters, numbers, and
non-alphabetic characters.
At least one character from each of the previous character
types.
Differs significantly from other previously used
passwords.
5. Strong Passwords
A strong password should not be left blank or contain any of
the following information:
Your user name, real name, or company name.
A complete dictionary word.
Windows passwords for Windows Server 2008, Windows Vista,
Windows Server 2003 and Microsoft Windows XP clients can be up to
127 characters in length.
6. Strong Passwords
If you use group policies to enforce strong passwords:
Must be at least seven characters.
Must contain three of the four types (uppercase and lowercase
letters, numbers, and non-alphabetic characters).
Cannot contain your user name or real name.
7. Authentication
Authentication is the process of proving who you are.
There are multiple methods of authentication:
What you know (password or PIN).
Who you are (retinal scan or thumb print).
What you have (smart card).
Some of these methods can be used so that users no longer need
to remember passwords.
8. Smart Card
Smart cards are cards about the size of a credit card.
Login information can be stored on the smart card, making it
difficult for anyone except the intended user to use or access
it.
Security operations, such as cryptographic functions, are
performed on the smart card itself rather than on the network
server or local computer. This provides a higher level of security
for sensitive transactions.
9. Implementing Smart Cards for Authentication
Smart cards can be used from remote locations, such as a home
office, to provide authentication services.
The risk of remote attacks using a username and password is
significantly reduced by smart cards.
10. Implementing Smart Cards for Authentication
Requires Active Directory Certificate Services.
Smart cards for authentication must be enabled in the user
account properties.
11. Using Run As from the GUI
From the Start button, navigate to the application you wish to
run.
Press and hold the Shift key and right-click the desired
application.
Select the Run as administrator option.
12. Administrative Accounts
You should not use an account possessing administrative
privileges for daily tasks, such as browsing the Web or monitoring
email.
Administrative accounts should be reserved for tasks that
require administrator privileges.
Using the Administrator account or an account that is a member
of Domain Admins, Enterprise Admins, or Schema Admins for daily
tasks offers an opportunity for hackers to attack your network and
potentially cause severe and irreversible damage.
Limiting the use of the Administrator account for daily tasks,
such as email, application use, and access to the Internet, reduces
the potential for this type of damage.
13. Run as Administrator and Runas Command
The recommended solution for reducing the risks associated with
the Administrator account is to use a standard user account and the
Run as administrator option in the GUI or the runas command-line
tool when it is necessary to perform an administrative task.
The Run as administrator or runas option allows you to maintain
your primary logon as a standard user and creates a secondary
session for access to an administrative tool.
During the use of a program or tool opened using Run as
administrator or runas, your administrative credentials are valid
only until you close that program or tool.
14. Run as Administrator and Runas Command
Run as administrator and runas require the Secondary Logon
service to be running.
The runas command-line tool is not limited to administrator
accounts. You can use runas to log on with separate credentials
from any account. This can be a valuable tool in testing resource
access permissions.
15. Using Run As from the GUI
If you are using User Account Control, you may be prompted for
administrative credentials when performing system tasks
You can access the Run as Administrator option if you by find
the program you want to start from the Start button, and press and
hold the Shift key, right-click the desired application, and select
the Run as administrator option.
Can be created to represent your companys functional or
geographical model.
Can be used to delegate administrative control over a
containers resources to lower-level or branch office
administrators.
Can be used to apply consistent configuration to client
computers, users and member servers.
17. Creating an Organizational Unit
To create an organizational unit, you would use the Active
Directory Users and Computers console.
18. Delegation of Control
Creating OUs to support a decentralized administration model
gives you the ability to allow others to manage portions of your
Active Directory structure, without affecting the rest of the
structure.
Delegating authority at a site level affects all domains and
users within the site.
Delegating authority at a domain level affects the entire
domain.
Delegating authority at the OU level affects only that OU and
its hierarchy.
19. Delegation of Control
Using the Delegation of Control Wizard , you utilize a simple
interface to delegate permissions for domains, OUs, or
containers.
The interface allows you to specify to which users or groups
you want to delegate management permissions and the specific tasks
you wish them to be able to perform.
You can delegate predefined tasks, or you can create custom
tasks that allow you to be more specific.
20. Delegating Administrative Control of an OU
Open Active Directory Users and Computers.
Right-click the object to which you wish to delegate control,
and click Delegate Control.
Click Next on the Welcome to the Delegation of Control Wizard
page.
21. Delegating Administrative Control of an OU
22. Delegating Administrative Control of an OU
23. Delegating Administrative Control of an OU
24. Verifying and Removing AD Permissions
Must Enable Advanced Features in Active Directory Users and
Computers.
Found in the View menu.
Then right-click an OU or an account and select
Properties.
Select the Security tab.
25. Verifying and Removing AD Permissions
26. Moving Objects within Active Directory
Windows Server 2008 allows you to restructure your Active
Directory database by moving leaf objects such as users, computers,
and printers between OUs, in addition to moving OUs into other OUs
to create a nested structure.
When you move objects between OUs in a domain, permissions that
are assigned directly to objects remain the same.
Objects inherit permissions from the new OU.
All permissions that were inherited previously from the old OU
no longer affect the objects.
27. Moving Objects within Active Directory
Windows Server 2008 provides two methods for moving objects
between OUs in the same domain:
Drag-and-drop within Active Directory Users and Computers.
If you wish to move multiple objects, press and hold the Ctrl
key while selecting the objects you wish to move.
Use the Move menu option within Active Directory Users and
Computers.
You can also use the dsmove command.
28. Summary
Creating a naming standards document will assist in planning a
consistent Active Directory environment that is easier to
manage.
Securing user accounts includes educating users to the risks of
attacks, implementing a strong password policy, and possibly
introducing a smart card infrastructure into your environment.
29. Summary
As part of creating a secure environment, you should create
standard user accounts for administrators and direct them to use
Run as administrator or runas when performing administrative
tasks.
When planning your OU structure, consider the business
function, organizational structure, and administrative goals for
your network.
Delegation of administrative tasks should be a consideration in
your plan.
30. Summary
Administrative tasks can be delegated for a domain, OU, or
container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control
Wizard.
Verification or removal of these permissions must be achieved
through the Security tab in the Properties dialog box of the
affected container.
31. Summary
Moving objects between containers and OUs within a domain can
be achieved by using the Move menu command, the drag-and-drop
feature in Active Directory Users and Computers, or the dsmove
utility from a command line.