70-640_Lesson06_PPT_041009.45121912

Date posted: 05-Apr-2018
Uploaded by: stephanie-wilcox
31 slides

Transcript
  • 7/31/2019 70-640_Lesson06_PPT_041009.45121912

    1/31

Lesson 6: Security Planning and Administrative Delegation

2/31

Skills Matrix

Technology Skill              Objective Domain                      Objective #
Creating an OU Structure      Maintain Active Directory accounts    4.2

3/31

Naming Standard

User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment.

You will usually create a naming standards document to outline the rules for naming all Active Directory objects.

This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.

4/31

Strong Passwords

Since user names are often easily guessed, it is essential to have strong passwords. A strong password:

Is at least eight characters in length.

Contains uppercase letters, lowercase letters, numbers, and non-alphabetic characters, with at least one character from each of those four types.

Differs significantly from previously used passwords.

5/31

Strong Passwords

A strong password should not be left blank or contain any of the following information:

Your user name, real name, or company name.

A complete dictionary word.

Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.

6/31

Strong Passwords

If you use Group Policy to enforce strong passwords (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy, in a GPO linked at the domain level such as the Default Domain Policy), passwords:

Must be at least seven characters (the default Minimum password length; raise it to match your naming and password standard).

Must contain characters from three of the four types (uppercase letters, lowercase letters, numbers, and non-alphabetic characters) when "Password must meet complexity requirements" is enabled.

Cannot contain your user (account) name, or any part of your full name that is three or more characters long.
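The following is an added example, not part of the lesson and not Microsoft's own password filter: a PowerShell function that applies the rules listed above to a candidate password, the kind of pre-check an account-provisioning script needs so that it does not generate or accept a password the domain controller will reject. The minimum length defaults to 7 to match the Default Domain Policy; the "complete dictionary word" rule from the previous slide needs a word list and is not encoded. The account name, full name and sample passwords are constructed values.

```powershell
# Added example (not from the lesson): pre-check a password against the domain
# complexity rules. The DC remains the authority; this only mirrors its rules.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$FullName = '',
        [int]$MinimumLength = 7    # Default Domain Policy default
    )
    $problems = @()

    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }

    # Count the character classes present: three of the four are required.
    # -cmatch is case-sensitive, otherwise [A-Z] would also match lowercase.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $problems += "only $classes of 4 character classes used"
    }

    # The policy rejects a password containing the account name (if the name is
    # at least 3 characters) or any token of the full name that is 3 or more
    # characters long. Comparisons are case-insensitive, as -like is.
    if ($SamAccountName.Length -ge 3 -and $Password -like "*$SamAccountName*") {
        $problems += 'contains the account name'
    }
    $tokens = $FullName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password -like "*$token*") {
            $problems += "contains part of the full name ('$token')"
            break
        }
    }

    [pscustomobject]@{
        Password  = ('*' * $Password.Length)   # never echo the real value
        Compliant = ($problems.Count -eq 0)
        Problems  = ($problems -join '; ')
    }
}

# Constructed sample inputs for a user jsmith / John Smith.
'Summer2008', 'P@ssw0rd!', 'jsmith#Rocks1', 'smith', 'Tr0ub4dor&3' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -FullName 'John Smith'
}
```

In a real provisioning script, read the candidate with Read-Host -AsSecureString and convert it in memory rather than passing it on the command line, where it would land in the PowerShell history and in process-creation audit logs.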

7/31

Authentication

Authentication is the process of proving who you are. There are multiple methods of authentication:

What you know (a password or PIN).

Who you are (a retinal scan or thumbprint).

What you have (a smart card).

Some of these methods can be combined so that users no longer need to remember passwords.

8/31

Smart Card

Smart cards are cards about the size of a credit card.

The user's logon certificate and its private key are stored on the smart card. The private key cannot be copied off the card and the card is unlocked with a PIN, making it difficult for anyone except the intended user to use or access it.

Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

9/31

Implementing Smart Cards for Authentication

Smart cards can be used from remote locations, such as a home office, to provide authentication services.

The risk of remote attacks using a guessed or stolen username and password is significantly reduced by smart cards, because the attacker also needs physical possession of the card and knowledge of its PIN.

10/31

Implementing Smart Cards for Authentication

Requires Active Directory Certificate Services to issue the smart card logon certificates.

Smart cards for authentication must be enabled in the user account properties: the "Smart card is required for interactive logon" option on the Account tab.
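An added example, not from the lesson: enabling the account option from PowerShell, reading the underlying userAccountControl flag back, and auditing which members of the three highest-privilege groups (named later in this lesson) can still log on with a password alone. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT; Windows Server 2008 itself has no AD module) and rights to modify the accounts; the account name is a placeholder.

```powershell
# Added example (not from the lesson): enforce and audit "Smart card is required
# for interactive logon". Requires the ActiveDirectory module and the rights to
# modify the accounts involved.
Import-Module ActiveDirectory

# Enforce for one account (placeholder name). Setting this option also makes the
# domain controller replace the account's password with a random value, so the
# old password stops working at once; issue the card and certificate first.
Set-ADUser -Identity 'domainadmin' -SmartcardLogonRequired $true

# The option is bit 0x40000 (ADS_UF_SMARTCARD_REQUIRED) of userAccountControl;
# reading the raw attribute confirms the change took effect.
$SMARTCARD_REQUIRED = 0x40000
$u = Get-ADUser -Identity 'domainadmin' -Properties userAccountControl
'{0}: smart card required = {1}' -f $u.SamAccountName,
    (($u.userAccountControl -band $SMARTCARD_REQUIRED) -ne 0)

# Audit: enabled members (nested groups included) of the three groups the lesson
# singles out who are not yet forced onto smart cards. Enterprise Admins and
# Schema Admins exist only in the forest root domain, so run this there.
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$groups | ForEach-Object {
    $g = $_
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties SmartcardLogonRequired |
        Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
} | Sort-Object SamAccountName, Group | Format-Table -AutoSize
```

Run the audit before enforcing the option on administrators: an account that is forced onto smart cards before its certificate is enrolled is locked out of interactive logon until another administrator clears the flag.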

11/31

Using Run As from the GUI

From the Start button, navigate to the application you wish to run.

Press and hold the Shift key and right-click the desired application.

Select the Run as administrator option.

12/31

Administrative Accounts

You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email. Administrative accounts should be reserved for tasks that require administrator privileges.

Using the Administrator account, or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins, for daily tasks offers an opportunity for attackers to compromise your network and potentially cause severe and irreversible damage: any malicious web page, attachment or application you open runs with those privileges.

Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.

13/31

Run as Administrator and Runas Command

The recommended solution for reducing the risks associated with the Administrator account is to use a standard user account and the Run as administrator option in the GUI, or the runas command-line tool, when it is necessary to perform an administrative task.

The Run as administrator or runas option allows you to maintain your primary logon as a standard user and creates a secondary logon session for access to an administrative tool.

During the use of a program or tool opened using Run as administrator or runas, your administrative credentials are valid only until you close that program or tool: the secondary session lasts exactly as long as that process (and any processes it starts, which inherit its token).

14/31

Run as Administrator and Runas Command

Run as administrator and runas require the Secondary Logon service (seclogon) to be running.

The runas command-line tool is not limited to administrator accounts. You can use runas to log on with separate credentials from any account. This can be a valuable tool in testing resource access permissions.

15/31

Using Run As from the GUI

If you are using User Account Control, you may be prompted for administrative credentials when performing system tasks.

You can access the Run as administrator option by finding the program you want to start from the Start button, pressing and holding the Shift key, right-clicking the desired application, and selecting the Run as administrator option.

You can also use the runas command. The program and its arguments must be passed as one quoted string, for example:

runas /user:lucernepublishing.com\domainadmin "mmc %windir%\system32\dnsmgmt.msc"
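An added example, not from the lesson: the same launch done from a standard-user session with the checks a practitioner wants around it, namely that the Secondary Logon service is running, that the program and its arguments are quoted correctly, and how to see which account each running console belongs to. The domain, account name and DNS console are the placeholders used on the slide; pick one of the two launch methods, not both.

```powershell
# Added example (not from the lesson): run an admin console under a separate
# administrative account from a standard-user session.

# runas.exe and Start-Process -Credential both rely on the Secondary Logon
# service (seclogon); if it is stopped or disabled, both fail.
$seclogon = Get-Service -Name seclogon
if ($seclogon.Status -ne 'Running') {
    Write-Warning "Secondary Logon is $($seclogon.Status); runas will fail until it is started (Start-Service seclogon, which itself needs admin rights)."
}

# 1. runas.exe: the program and its arguments are one quoted string. Do not add
#    /savecred: it stores the admin password in Credential Manager, so anyone at
#    this desktop can reuse it without knowing the password.
runas /user:lucernepublishing.com\domainadmin "mmc %windir%\system32\dnsmgmt.msc"

# 2. The same thing from PowerShell (3.0 or later for -UserName/-Message). The
#    prompt keeps the password out of the command line and the command history.
$cred = Get-Credential -UserName 'lucernepublishing.com\domainadmin' -Message 'Administrative credentials'
Start-Process -FilePath "$env:windir\system32\mmc.exe" `
              -ArgumentList "$env:windir\system32\dnsmgmt.msc" `
              -Credential $cred

# 3. Check which account each running mmc.exe belongs to. The secondary logon
#    session lives only as long as the process that owns it.
Get-WmiObject -Class Win32_Process -Filter "Name = 'mmc.exe'" | ForEach-Object {
    $owner = $_.GetOwner()
    [pscustomobject]@{
        PID         = $_.ProcessId
        Owner       = '{0}\{1}' -f $owner.Domain, $owner.User
        CommandLine = $_.CommandLine
    }
}
```

One caveat: with User Account Control enabled, a process started this way under an administrator account receives that account's filtered (non-elevated) token, because runas and Start-Process -Credential do not elevate. Snap-ins that need full administrator rights will prompt or fail; for those, start the console with Run as administrator instead.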

16/31

Organizational Units

Can be created to represent your company's functional or geographical model.

Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.

Can be used to apply consistent configuration (through linked Group Policy objects) to client computers, users and member servers.

17/31

Creating an Organizational Unit

To create an organizational unit, you would use the Active Directory Users and Computers console.

18/31

Delegation of Control

Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.

Delegating authority at the site level (on a site object in Active Directory Sites and Services) affects that site object and its child objects in the configuration partition; it does not by itself grant rights over the user and computer accounts of the domains that span the site.

Delegating authority at the domain level affects the entire domain.

Delegating authority at the OU level affects only that OU and its hierarchy.

19/31

Delegation of Control

Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.

The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.

You can delegate predefined tasks, or you can create custom tasks that allow you to

20/31

Delegating Administrative Control of an OU

Open Active Directory Users and Computers.

Right-click the object to which you wish to delegate control, and click Delegate Control.

Click Next on the Welcome to the Delegation of Control Wizard page.

21/31 to 23/31

Delegating Administrative Control of an OU (wizard screenshots; these slides carry no transcript text)

24/31

Verifying and Removing AD Permissions

You must enable Advanced Features in Active Directory Users and Computers (found in the View menu); the Security tab is hidden otherwise.

Then right-click an OU or an account and select Properties.

Select the Security tab. The Delegation of Control Wizard has no undo: a delegation is removed by deleting its entries here (or in the Advanced view, where the per-attribute and per-object-type entries the wizard created are visible).
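An added example, not from the lesson, covering the delegation steps above and this verification slide together: delegating password resets on one OU to a help-desk group from the command line (the same permissions the wizard's predefined task "Reset user passwords and force password change at next logon" grants), listing the resulting entries as the Security tab shows them, and removing them again. OU, domain and group names are placeholders; dsacls.exe ships with Windows Server 2008, while the Get-Acl part needs the ActiveDirectory module (Server 2008 R2 or RSAT).

```powershell
# Added example (not from the lesson): grant, verify and remove a delegation.
$ou    = 'OU=Sales,DC=lucernepublishing,DC=com'
$group = 'LUCERNEPUBLISHING\HelpDesk'

# Grant. /I:S = apply to sub-objects only (not to the OU itself); the trailing
# ";user" limits each ACE to user objects. CA = control access (extended right),
# RPWP = read property + write property.
dsacls "$ou" /I:S /G "${group}:CA;Reset Password;user"
dsacls "$ou" /I:S /G "${group}:RPWP;pwdLastSet;user"

# Verify. The Security tab shows rights by name; programmatically they come back
# as GUIDs, so first build a GUID -> name map from the schema (attributes and
# classes) and from the Extended-Rights container (control access rights).
Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).ToString().ToLower()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([string]$_.rightsGuid).ToLower()] = $_.displayName }

function Resolve-AceName([guid]$g) {
    # Empty GUID means "applies to every right / every object type".
    $key = $g.ToString().ToLower()
    if ($g -eq [guid]::Empty) { 'all' }
    elseif ($guidName.ContainsKey($key)) { $guidName[$key] }
    else { $key }
}

$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee     = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights
            Right       = Resolve-AceName $_.ObjectType
            AppliesTo   = Resolve-AceName $_.InheritedObjectType
            Inheritance = $_.InheritanceType
            Inherited   = $_.IsInherited
        }
    } | Format-Table -AutoSize

# Remove. /R deletes every explicit ACE for that trustee on this object only.
# Inherited entries are not touched: they must be removed where they were granted.
dsacls "$ou" /R "$group"
```

Two points worth checking in the verification output: the entries should show Inherited = False on the OU itself (they are explicit there and inherited on the user objects below), and the Rights column for the pwdLastSet entry should read ReadProperty, WriteProperty and nothing broader. A delegation that shows GenericAll or WriteDacl on user objects lets the help desk take over any account in the OU, including administrators placed there by mistake.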

25/31

Verifying and Removing AD Permissions (screenshot; this slide carries no transcript text)

26/31

Moving Objects within Active Directory

Windows Server 2008 allows you to restructure your Active Directory database by moving leaf objects such as users, computers, and printers between OUs, in addition to moving OUs into other OUs to create a nested structure.

When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same.

Objects inherit permissions from the new OU. All permissions that were inherited previously from the old OU no longer affect the objects. The same applies to Group Policy: the moved object now receives the GPOs linked to its new OU chain rather than the old one.

27/31

Moving Objects within Active Directory

Windows Server 2008 provides two methods for moving objects between OUs in the same domain:

Drag-and-drop within Active Directory Users and Computers. If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move.

Use the Move menu option within Active Directory Users and Computers.

You can also use the dsmove command.
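An added example, not from the lesson: moving a user with dsmove and showing the permission effect the previous slide describes, namely that explicit entries travel with the object while inherited entries are replaced by the new OU's. The user and OU names are placeholders; the ACL reads need the ActiveDirectory module (Server 2008 R2 or RSAT).

```powershell
# Added example (not from the lesson): move a user between OUs and diff its ACL
# before and after. Names are placeholders.
Import-Module ActiveDirectory

$userDn   = 'CN=John Smith,OU=Sales,DC=lucernepublishing,DC=com'
$targetOu = 'OU=Marketing,DC=lucernepublishing,DC=com'

function Get-AceSummary([string]$dn) {
    # One line per ACE: trustee, rights, and whether the entry is inherited.
    (Get-Acl -Path "AD:\$dn").Access | ForEach-Object {
        '{0}|{1}|{2}' -f $_.IdentityReference.Value, $_.ActiveDirectoryRights, $_.IsInherited
    } | Sort-Object -Unique
}

# The objectGUID survives the move; the distinguished name does not. Capture it
# first so the object can be found again without rebuilding the DN by hand.
$guid   = (Get-ADUser -Identity $userDn).ObjectGUID
$before = Get-AceSummary $userDn

# Same RDN, new parent. The cmdlet equivalent is:
#   Move-ADObject -Identity $userDn -TargetPath $targetOu
dsmove "$userDn" -newparent "$targetOu"

$newDn = (Get-ADUser -Identity $guid).DistinguishedName
$after = Get-AceSummary $newDn

# Only inherited entries should appear in this diff. An explicit entry that
# disappears or appears here would contradict the behaviour the lesson describes
# and deserves a closer look.
Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
    $who, $what, $inherited = $_.InputObject -split '\|'
    [pscustomobject]@{
        Trustee   = $who
        Rights    = $what
        Inherited = [bool]::Parse($inherited)
        Change    = $(if ($_.SideIndicator -eq '=>') { 'gained from new OU' } else { 'lost from old OU' })
    }
}
```

Use the diff as a pre-move check as well: running Get-AceSummary against the target OU itself shows which delegated administrators will gain control of the object once it lands there, which matters when moving accounts out of an OU that a branch-office help desk manages.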

28/31

Summary

Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage.

Securing user accounts includes educating users about the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

29/31

Summary

As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks.

When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.

30/31

Summary

Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.

Permissions can be delegated using the Delegation of Control Wizard.

Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

31/31

Summary

Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

