7/31/2019 70-640_Lesson06_PPT_041009.45121912
1/31
Lesson 6: Security Planning and Administrative Delegation
Skills Matrix
Technology Skill           Objective Domain                      Objective #
Creating an OU Structure   Maintain Active Directory accounts    4.2
Naming Standard
User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment.
You will usually create a naming standards document to outline the rules for naming all Active Directory objects.
This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.
Strong Passwords
Since user names are often easily guessed, it is essential to have strong passwords:
At least eight characters in length.
Contains uppercase and lowercase letters, numbers, and non-alphabetic characters.
At least one character from each of the previous character types.
Differs significantly from other previously used passwords.
Strong Passwords
A strong password should not be left blank or contain any of the following information:
Your user name, real name, or company name.
A complete dictionary word.
Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.
Strong Passwords
If you use group policies to enforce strong passwords:
Must be at least seven characters.
Must contain three of the four types (uppercase and lowercase letters, numbers, and non-alphabetic characters).
Cannot contain your user name or real name.
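The three group-policy rules above, implemented as a local check you can run against candidate passwords before a help-desk reset. This is an added example, not part of the lesson; the account names and sample passwords are constructed, and the name test also covers the display-name tokens that Windows itself checks.

```powershell
# Added example (not from the lesson): tests a password against the three
# group-policy complexity rules on the slide. Names and samples are constructed.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = ''
    )
    $failures = @()

    # Rule 1: at least seven characters.
    if ($Password.Length -lt 7) { $failures += 'shorter than 7 characters' }

    # Rule 2: at least three of the four character classes.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $failures += "only $classes of 4 character classes" }

    # Rule 3: must not contain the user name or real name (case-insensitive).
    # Windows checks the whole samAccountName plus every token of the display
    # name longer than two characters, so both are checked here.
    $names = @($SamAccountName) +
             @($DisplayName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -gt 2 })
    foreach ($n in $names) {
        if ($n -and $Password.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $failures += "contains name part '$n'"
        }
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed sample inputs: two compliant, two rejected.
'Summer2008', 'jsmith#2008', 'Pa55w0rd!', 'abc' | ForEach-Object {
    Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith'
} | Format-Table -AutoSize
```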
Authentication
Authentication is the process of proving who you are.
There are multiple methods of authentication:
What you know (password or PIN).
Who you are (retinal scan or thumb print).
What you have (smart card).
Some of these methods can be used so that users no longer need to remember passwords.
Smart Card
Smart cards are cards about the size of a credit card.
Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it.
Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.
Implementing Smart Cards for Authentication
Smart cards can be used from remote locations, such as a home office, to provide authentication services.
The risk of remote attacks using a username and password is significantly reduced by smart cards.
Implementing Smart Cards for Authentication
Requires Active Directory Certificate Services.
Smart cards for authentication must be enabled in the user account properties.
Using Run As from the GUI
From the Start button, navigate to the application you wish to run.
Press and hold the Shift key and right-click the desired application.
Select the Run as administrator option.
Administrative Accounts
You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email.
Administrative accounts should be reserved for tasks that require administrator privileges.
Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage.
Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.
Run as Administrator and Runas Command
The recommended solution for reducing the risks associated with the Administrator account is to use a standard user account and the Run as administrator option in the GUI or the runas command-line tool when it is necessary to perform an administrative task.
The Run as administrator or runas option allows you to maintain your primary logon as a standard user and creates a secondary session for access to an administrative tool.
During the use of a program or tool opened using Run as administrator or runas, your administrative credentials are valid only until you close that program or tool.
Run as Administrator and Runas Command
Run as administrator and runas require the Secondary Logon service to be running.
The runas command-line tool is not limited to administrator accounts. You can use runas to log on with separate credentials from any account. This can be a valuable tool in testing resource access permissions.
Using Run As from the GUI
If you are using User Account Control, you may be prompted for administrative credentials when performing system tasks.
You can access the Run as administrator option by finding the program you want to start from the Start button, pressing and holding the Shift key, right-clicking the desired application, and selecting the Run as administrator option.
You can also use the runas command, such as:
runas /user:lucernepublishing.com\domainadmin "mmc %windir%\system32\dnsmgmt.msc"
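A PowerShell wrapper for the same procedure, added here as an example rather than taken from the lesson. It confirms that the Secondary Logon service is running, prompts for the administrative account's password, and opens the DNS console under those credentials with Start-Process -Credential, the cmdlet counterpart of runas /user. The account name is the slide's example; the function name is an assumption.

```powershell
# Added example (not from the lesson): open an administrative tool under
# separate credentials from a standard-user session.
function Start-AdminTool {
    param(
        [string]$Tool      = "$env:windir\system32\mmc.exe",
        [string]$Arguments = "$env:windir\system32\dnsmgmt.msc",
        [Parameter(Mandatory)][string]$AdminAccount   # e.g. 'lucernepublishing.com\domainadmin'
    )
    # Both "Run as administrator" and runas depend on the Secondary Logon service.
    $seclogon = Get-Service -Name seclogon
    if ($seclogon.Status -ne 'Running') {
        throw "Secondary Logon (seclogon) is $($seclogon.Status); start it before using runas."
    }

    # Ask for the administrative password interactively; it is never placed on
    # the command line and never saved with runas /savecred.
    $cred = Get-Credential -UserName $AdminAccount -Message 'Administrative credentials'

    # Start-Process -Credential behaves like runas /user:<account> <program>:
    # the credentials apply only to this child process and end when it exits,
    # while the interactive session stays a standard-user logon.
    Start-Process -FilePath $Tool -ArgumentList $Arguments -Credential $cred
}

Start-AdminTool -AdminAccount 'lucernepublishing.com\domainadmin'
```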
Organizational Units
Can be created to represent your company's functional or geographical model.
Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.
Can be used to apply consistent configuration to client computers, users and member servers.
Creating an Organizational Unit
To create an organizational unit, you would use the Active Directory Users and Computers console.
Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site.
Delegating authority at a domain level affects the entire domain.
Delegating authority at the OU level affects only that OU and its hierarchy.
Delegation of Control
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.
You can delegate predefined tasks, or you can create custom tasks that allow you to
Delegating Administrative Control of an OU
Open Active Directory Users and Computers.
Right-click the object to which you wish to delegate control, and click Delegate Control.
Click Next on the Welcome to the Delegation of Control Wizard page.
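What the wizard writes when you pick its predefined "Reset user passwords" task is one access control entry on the OU. This added example (not from the lesson) creates that entry with the ActiveDirectory module so the delegation can be scripted and reviewed; the OU and group names are constructed, and the right's GUID and the user class GUID are read from the schema rather than hard-coded.

```powershell
# Added example (not from the lesson): grant a help-desk group the "Reset
# Password" control-access right on user objects below one OU.
Import-Module ActiveDirectory
$ouDn  = 'OU=Sales,DC=lucernepublishing,DC=com'   # constructed
$group = Get-ADGroup 'Sales-HelpDesk'              # constructed

# Resolve the extended right by display name instead of hard-coding its GUID.
$cfg   = (Get-ADRootDSE).ConfigurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                      -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# The ACE is scoped to the user object class so it cannot be used on computers
# or other object types below the OU.
$schema    = (Get-ADRootDSE).SchemaNamingContext
$userClass = Get-ADObject -SearchBase $schema `
                          -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
                          -Properties schemaIDGUID
$userGuid  = New-Object System.Guid -ArgumentList (,$userClass.schemaIDGUID)

$acl = Get-Acl -Path "AD:\$ouDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
```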
Verifying and Removing AD Permissions
Must enable Advanced Features in Active Directory Users and Computers (found in the View menu).
Then right-click an OU or an account and select Properties.
Select the Security tab.
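The Security tab shows every ACE on the container; the delegations you want to review are the ones set directly on it rather than inherited from above. This added example (not from the lesson) lists those explicit entries and removes the ones granted to a given principal, which is what clicking Remove on the tab does. The OU and group names are constructed.

```powershell
# Added example (not from the lesson): review and revoke delegated permissions
# on a container from PowerShell.
Import-Module ActiveDirectory
$ouDn = 'OU=Sales,DC=lucernepublishing,DC=com'    # constructed

function Get-DelegatedAce {
    param([string]$Dn)
    # Non-inherited ACEs are the ones the wizard (or a hand edit) placed here.
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType
}

function Remove-Delegation {
    param([string]$Dn, [string]$Principal)   # Principal as 'DOMAIN\Group'
    $acl = Get-Acl -Path "AD:\$Dn"
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
    $toRemove.Count   # number of explicit ACEs revoked
}

Get-DelegatedAce -Dn $ouDn | Format-Table -AutoSize
# Revoke everything the help-desk group was granted directly on this OU:
# Remove-Delegation -Dn $ouDn -Principal 'LUCERNEPUBLISHING\Sales-HelpDesk'
```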
Moving Objects within Active Directory
Windows Server 2008 allows you to restructure your Active Directory database by moving leaf objects such as users, computers, and printers between OUs, in addition to moving OUs into other OUs to create a nested structure.
When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same.
Objects inherit permissions from the new OU. All permissions that were inherited previously from the old OU no longer affect the objects.
Moving Objects within Active Directory
Windows Server 2008 provides two methods for moving objects between OUs in the same domain:
Drag-and-drop within Active Directory Users and Computers. If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move.
Use the Move menu option within Active Directory Users and Computers.
You can also use the dsmove command.
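The permission behaviour described on the previous slide can be observed directly. This added example (not from the lesson) moves a user with Move-ADObject, the cmdlet counterpart of the Move menu and dsmove, and counts the object's explicit and inherited ACEs before and after: the explicit count stays the same while the inherited set is now taken from the new OU. The user and OU names are constructed.

```powershell
# Added example (not from the lesson): move a user between OUs and show how
# its directly assigned and inherited permissions behave.
Import-Module ActiveDirectory
$user     = Get-ADUser 'jsmith'                              # constructed
$targetOu = 'OU=Marketing,DC=lucernepublishing,DC=com'       # constructed

function Get-AceSummary {
    param([string]$Dn)
    $access = (Get-Acl -Path "AD:\$Dn").Access
    [pscustomobject]@{
        Explicit  = @($access | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($access | Where-Object { $_.IsInherited }).Count
    }
}

$before = Get-AceSummary -Dn $user.DistinguishedName
Move-ADObject -Identity $user.DistinguishedName -TargetPath $targetOu

# The distinguished name changes with the move, so re-read the object by GUID.
$moved = Get-ADUser -Identity $user.ObjectGUID
$after = Get-AceSummary -Dn $moved.DistinguishedName

"Explicit ACEs : $($before.Explicit) -> $($after.Explicit)  (assigned directly; unchanged)"
"Inherited ACEs: $($before.Inherited) -> $($after.Inherited) (now inherited from $targetOu)"
```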
Summary
Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage.
Securing user accounts includes educating users to the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.
Summary
As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks.
When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.
Summary
Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard.
Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.
Summary
Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.