for active directorydownload.microsoft.com/download/e/7/a/e7ae2f7c-0112-405d... · 2018-10-16 ·...

Role‐Based ManagementDan Holme – [email protected] April 2011

© 2011 Intelliem, Inc. All rights reserved. DO NOT REPRODUCE OR DISTRIBUTE WITHOUT THE EXPRESS WRITTEN PERMISSION OF INTELLIEM, INC.

Microsoft, Windows, Office, SharePoint, and other product names are or may be registered trademarks and/or trademarks of Microsoft Corporation in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Intelliem, Inc. as of the date of this presentation. Because Intelliem must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Intelliem, and Intelliem cannot guarantee the accuracy of any information provided after the date of this presentation. INTELLIEM MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. 1

Role‐Based Management Extreme Makeoverfor Active Directory

Dan Holme, MVP, SharePointAuthor, Windows Administration Resource Kit (Microsoft Press)Trainer & Consultant, Microsoft Technologies Consultant, NBC OlympicsContributing Editor, Windows IT Pro magazine (www.windowsitpro.com)

Chief SharePoint Evangelist, AvePointFounding Partner, Aptillon (www.aptillon.com)

@[email protected]: http://bit.ly/gPH8hn (Case Sensitive)

ROLE‐BASED MANAGEMENTQuestions: “What can Joe get to?” and “Who has access to the budget?”

Answers: “Umm….”




The Role‐based Lifecycle Of Penny Xavier

4




5

6




Role‐based Management

Categorize a user (define its “roles”)

Automatically enable management of the userResource access

Logon rights & system privileges

Software distribution

User experience (e.g. mapped drives)

User data & settings (redirected folders, profiles)

Email distribution lists

Security & update configuration

Role‐based Management

Who can do what and where?Role group

Resource access rule groupA discreet access level (e.g. permission)

For a scope of management (e.g. collection of resources)




The Grand Assumption Of RBM

Organizational roles drive the requirementsfor what it takes to achieve the goals of the role

Roles are more persistent than assets(human or device)

Today Employee A performs Job A. Tomorrow Employee B performs Job A.

Today Employee A performs Roles A & B.Tomorrow those roles are performed by two employees.

Today: Employee A = Role A, Employee B = Role B.Tomorrow Employee A performs Roles A and B.

Even in small organizations!

The Payoff Of RBM

Dynamic, agile service

Facilitate managementManual

Automated & provisioned

Increase consistency security

Simplify reporting, auditing, and compliance“What can James get to?”

“Who can edit the Budget files?”




The Doubts About RBM

OK, this sounds great, but how do you do it?Details later in this presentation

My enterprise is more complicated than…It’s not. This works. This is a simple demo but it scales

If this is all about groups, won’t you end up with a lot of groups?

Yes, but after analysis, you’ll be glad you did

How many roles should a user belong to?It depends: typically a handful to a dozen or more direct roles

Other roles inherited

What's Necessary

DataActive Directory: first‐class enterprise database

Business LogicImplementation & technology is easy

Nest of users & computers into role groups

Nest of role groups into rule groups

Implement access, privilege, configuration

Business is notlots of business requirements & process analysis

PresentationVery weak native toolset (e.g. ADUC)

Need custom scripts, tools and applications




WINDOWS AND GROUPS

14

Identity Access Management

Access Management Without Groups

Resource




15

Groups Add Manageability

Identity GroupAccess Management

Resource

16

Groups Add Scalability

Identity GroupAccess Management

Resource




17

One Type of Group Is Not Enough

Identity Group Access Management Resource

18

Can You Tell Me Who Can Do What?




19

Role Groups and Rule Groups

Identity Role Group Rule GroupAccess Management

Resource

20

Windows Group Scopes

Identity AccessGlobal Domain LocalIdentity Role Group Rule Group

Access ManagementResource




Role And Rule‐based Management

Nest user role management groupse.g. “Sales”

Into resource access rule groupsthat define “who has capability for folder(s)”

ACL_Resource_Capabilitye.g. ACL_Sales Folders_Read

Resource = one or more folders on one or more servers

Assign permissions to implement access level

Based on business logic

Users Role Rule Resource

Nesting In An RBM Enterprise

Roles into rule group

Users into rule groupBarometer: too many individual users in a rule group? Perhaps they share a common role that needs to be defined.

Roles into role groupAccounting + Treasury + … Finance

Finance Mangers + Sales Managers + … Departmental Managers

Computers into role (or management) groupType, location, function




ROLE GROUPS

Role Groups

Define users / computersBusiness‐driven criteria

Job / role in company

Business unit / function / department / team

Location (site)

Seniority

Will typically be very cleare.g. you are an IT Manager, in Orlando, etc.




Role Groups

Roles’ membership should be highly trustedRole groups will be assigned resources, etc. by resource owners

Roles should be driven by authoritative sourcesWhen possible

Dynamic role maintenance

HR database designation of certain user roles

Computer inventory designation of roles for workstations

Role Groups

Implement as global security groupsCan contain users & computers from same domain

Use universal groups to create role groups containing users & computers from more than one domain in the same forest

Use domain local groups for role groups only as a rare exception (e.g. role needs to include users from a trusted external domain). You can use that role group in scoping management of anything except GPOs, which wouldn’t apply to users from an external domain anyway.

MembershipUsers & computers

Typically a role will have users or computers

Some roles have both users and computers (“location”)

Other rolesRole group nesting will reflect your organization chart




Groups OU Example

User

Computer

Location Users & Computers

Sub‐OUsAutomatically defined roles

Scripts/tools populate these groups’ memberships

Normal administrators can’t modify member property

Manually defined rolesDelegated to a limited number of trained, trusted individuals to administer roles

Provisioning workflows & tools in place

If enforcing provisioned management, delegate provisioning service account Allow:Write:Members

Role Groups Naming Conventions

Use prefixes for specific types of rolesCOMP_descriptor defines roles of computers

e.g. COMP_Conference Room Systems

ADM_descriptor defines roles of administrative users

Should contain only administrative secondary logon identities

e.g. ADM_Help Desk

LOC_descriptor defines location‐based groups

Use no prefix for “normal user roles”Because these will be the most visible groups to non technical users




Role Groups Summary

Foundation of RBM

Highly trusted

Membership driven by authoritative sources

Separate and delegate in Active Directory

Global security groups

Contain users, computers, other roles

Strict naming conventionComponents separated by a delimiter

Normal human user role groups: simple

RULE GROUPS




Terminology

Management group

Capability management group

Task group

Rule group

Naming Conventions

Insanely absolutely critically importante.g. ACL_Resource_AccessLevel: ACL_Sales Folders_Read

Components and delimiterse.g. GroupTypePrefix_GroupName_Modifier

DelimiterUnderscore (“_”)

Do not use _ elsewhere

Facilitates automation, provisioning & presentation




Naming Conventions

PrefixDefines group’s function/purpose/type

ACL = “resource access”

Facilitates discoverability & use of groups

Sorting & grouping “lists” of groups

Rule Groups

Naming conventionACL_ResourceCollection_AccessLevelor RES_ or PERM_

e.g. ACL_Sales Folders_EditACL_Sales Folders_Read

SYS_scope_capabilitye.g. SYS_LON Clients_Admins

SYS_FileServer_Backup

APP_application

UPD_descriptore.g. UPD_Pilot (updated as part of update testing)

UPD_Manual (do not get updates automatically)




Rule Groups

Naming conventionGPO_ (GPO filtering)

Used to filter GPO application

CCM_ (multiple change management tools)“Broad” or “umbrella” CCM group

Achieves its ‘effect’ using one or more CCM paths. e.g. “conference room computers” may have apps deployed, lockdowns applied thru GPOs, etc.

Rule Groups

Implement as domain local security groupsBest practice for long‐term flexibility of RBM

Use to scope management within same domainUse universal groups to scope management in multiple domains within the same forest

Use global groups in very rare situations where you need to implement scope of management in a trusting domain

e.g. add group directly to an ACL in a trusting domain

Switch to global/universal groups as token size solution

Use global security groups when the rule is implemented using Group Policy security group filtering (GPO_ groups)

MembershipTypically: user role groups and computer roles

Exceptions: individual users and/or computers




37

Windows Group Scopes

Identity AccessGlobal Domain LocalIdentity Role Group Rule Group

Access ManagementResource

Rule Groups OU

OU structure example

DelegationDelegate to business owners of the ‘rule’

Delegate Allow:Write:Members

Where group managers manage few groupsDelegate group directly to resource owner(break the rule of scoping delegation by OU)

Can use the ManagedBy property and select“allow manager to change group membership”

Provision group management!




Rule Groups Summary

Domain local security groupsExcept Group Policy rule groups

Dedicated OU(s)

Delegate membership to those responsible for defining the rules/business logic

Contain roles, individual users or computers

Strict naming conventionPrefix indicating group purpose (e.g. ACL_)

BUSINESS LOGIC: RULES




Represent Business Requirements

Role groups are “nested” into capability groupsOr, said in reverse

Rules are assigned to roles

“Owner” maintains Members property of group

This “layer” should be 100% aligned with business requirements

Automate, provision, and proxy

ROLE‐BASED MANAGEMENT OUTCOMES




Visibility And Auditing

“Who has the capability to do x?”ADUC: traverse group Members

dsget group <GroupDN> ‐members ‐expandShows members of group (GroupDN), optionally includingnested members (‐expand)

Get‐ADGroupMember <GroupDN> ‐recursive | Select sAMAccountName

MEMBERS REPORT tool

MMC extension

Web application

44




Visibility And Auditing

“What can x do?”ADUC: traverse Member Of tab

dsget user|computer <ObjectDN> ‐memberof ‐expandShows membership of user or computer (ObjectDN), optionally including nested group memberships (‐expand)

Web application

MMC extension

MEMBER OF REPORT tool

46




Auditing And Maintaining RBAC

Scan the ACLsLook for any security principal (user/group/computer)

that does not begin with ACL_

and is not System | Administrators | Creator Owner

and you’ve ensured that RBM is being implemented

Folder ACL Report.vbs

Create “event sinks” to report ACL changes

Audit use of Change Permissions permission

Proxy all tasks related to folder security

48

Folder ACL Report.vbs




49

Auditing

CONSIDERING RBM




Won’t There Be A Lot Of Groups?

Yes!If implemented fully, RBAC alone will have several resource groups for each resource collection: one for each access level

What’s the alternative?

What’s the problem?

What’s The Alternative?

Multiple ACEs on multiple ACLs on multiple folders on multiple servers

Managing ACEs on ACLs is complex

Scanning, analyzing , reporting ACEs How often do you do this? How stale are your ACLs?




53

Interpreting An ACL

54

Interpreting An ACL




What’s The Alternative?

RBMSignificant reduction in "points of management"

Significant reduction in complexity of managementGroup membership management is easy

We’ve grown numb to pain of managing ACLsOr we’ve stopped doing parts of it (cleaning, reporting, analyzing) altogether

Tip: ACLs should be the focus of your security effort, not the latest “fad” hack

What’s The Problem?

1) Tools for managing groups in AD are lousyNot administrator friendly

Not available to non‐technical users (e.g. resource owners)

Solve it!How easy was our tool to provision the groups?

Provide easy tools to manage the groups!

2) Token size




Token SizeTwo Problems

Bytes‐per‐group in tokenHas gotten better over OS updates, service packs

1200 (overhead) +40 x [# domain local group memberships] +8 x [# global & universal group memberships]

Calculate token size with tokensz.exe

Default size of token itselfWindows 2000 RTM/SP1: 8KB, 100‐200 groups

Windows 2000 SP2/XP/2003: 12KB, 200‐300 groups

Problems And Solutions

ErrorsWindows, windows apps, web apps… you name it

All over the map!! Access, logon, out of memory…

Registry mod to solve problemHKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

MaxTokenSize

REG_DWORD: Decimal:65536 (Hex:0xFFFF)

1600 domain local or 8000 global/universal groups

Deploy forest‐wide to all systems

Kerberos limit 1024 groups




Token Size Solutions

Deploy MaxTokenSize

Monitor auth problems for intranet web apps

Clean up sIDHistory attribute

Bottom lineProblem is less likely than it was before

With large, complex RBM environments, you will need to change MaxTokenSize

Critical reading: KB 263693 & 327825Also read the “Related Articles” in those KBs

Global Groups Solution

Global groups take 1/5 the space in your token

Assumes you have a single domainor “empty forest root / child domain”

or completely decentralized domains within a forest

Implement all (or most) groups as global groups

When you trust another domainSome groups will have to convert to domain local (very easy to do)

Trusted domains are so 1990s. Federation is so today.

Don’t tell me I ever told you to do this




“Double Rule” Solution

ACL_Sales Folders_Read has Read permissionRule for “normal” read access

ACL_All Folders_Read has Read permissionAuditors get read permission from this ruleinstead of being nested into every _Read rule group

This is important for high‐level admins and usersPrevents over‐nesting

TRANSITIONING TO ROLE‐BASED MANAGEMENT




Selling RBM In Your Organization

Get there, yourself, firstYou must be the expert

Fully understand RBM Concepts & terms

Data, business & presentation “layers”

Understand the reliance on groupsBenefit: groups can be used to scope many management technologies

Get past “scars” from group management days of yore

Active Directory ain’t your grandfather’s SAM


Highlight the pain pointsWhat can <name a user> do?

If <name a user> loses his or her computer, what applications need to be installed on a new computer?

Who can make changes to <name a sensitive resource>?

A new user is hired who needs the same access as <name a user>. What access is that, exactly?

Chances are, your environment cannot answer all these questions





Demonstrate the solutionsMy Memberships

Access Report

Then start discussing how it is achievedDiscuss IT as roles and rule‐based management

Focus on aligning IT so that there are “collections” and workflows that align with and support the requirements of the business

Don’t talk “group scope” (domain local/global) or “OU vs. group” (difficult to avoid, but avoid it)

Getting There

AnalyzeIdentify capabilities you are trying to manageresource collections, apps, updates, etc.

Identify the roles associated with those capabilities

Identify the exceptions you need to manage

Identify data sources (e.g. HR)

DesignEstablish consistent naming conventions

Establish consistent process (workflow)




Getting There

Encourage or mandate disciplineUtilize description field for groups

OptionallyProvision

Automate

Enforce

Separate credentials for provisioned management

Create a transition planYou do not have to get there overnight

Role‐Based Management

MaxTokenSize long story short>200‐300 groups and you’re in trouble

You can work around it: deploy a larger MaxTokenSizethroughout forest

1024 is the hard limit (Kerberos)

Double‐rule your resources

Migration to RBMDesign your managed framework

Draw a line in the sand: From now on, managed

Back‐fill the management over time




GROUP MANAGEMENT

Best Practices for Group Documentation

Why document groups?Easier to find them when you need them

Easier to understand how and when to use a group

Establish and adhere to a strict naming convention

Prefix, for example, helps distinguishAPP_Budget from ACL_Budget_Edit

Prefix helps you find the group in the Select dialog box

Summarize a group's purpose with its description

Appears in Active Directory Users and Computers details pane

Detail a group's purpose in its Notes field

Contact information on Managed By tab




Copy Group Membership

Copy members from one group to another

Copy memberships of one user to another

dsget group "CN=Sales,OU=Role,OU=Groups,DC=contoso,DC=com" –members | dsmod group "CN=Marketing,OU=Role,OU=Groups,DC=contoso,DC=com" –addmbr

dsget user "SourceUserDN" –memberof | dsmod group –addmbr "TargetUserDN"

Protect Groups from Accidental Deletion

1. In the Active Directory Users and Computers snap‐in, click the Viewmenu and make sure that Advanced Features is selected.

2. Open the Properties dialog box for a group.3. On the Object tab, select the Protect Object From

Accidental Deletion check box.

4. Click OK.




Delegate Membership Management with Managed By

The Managed By tab serves two purposes:

Provide contact information for who manages the group

Allow specified user (or group) to modify group membership if Manager Can Update Membership List is selected

TipsMust click OK (not just Apply)to change the ACL on the group

To set a group in the Name box,click Change, then clickObject Types, and then click Groups

Shadow groups

Membership based on an LDAP queryGroup_Shadow.vbs




Shadow groups

Define group membership based on a query of Active Directory attributes

Group_Shadow.vbs

ChallengesOptimize accuracy vs. impact on replication

Requires logoff/logon (user) or restart (computer)

ResourcesWindows Administration Resource Kit: Productivity Solutions for IT Professionals

Solutions Collection 3: Managing User Data and Settings

Windows IT Pro magazineFebruary & March 2008 issues

[email protected]

@danholme

Questions & Answers

Please fill in your feedback forms!




Stay up to date with TechNet Belux

Register for our newsletters and stay up to date:http://www.technet‐newsletters.be

• Technical updates

• Event announcements and registration

• Top downloads

Join us on Facebook

http://www.facebook.com/technetbehttp://www.facebook.com/technetbelux

LinkedIn: http://linkd.in/technetbelux/

Twitter: @technetbelux

DownloadMSDN/TechNet Desktop Gadgethttp://bit.ly/msdntngadget

TechDays 2011 On‐Demand

• Watch this session on‐demand via TechNet Edge http://technet.microsoft.com/fr‐be/edge/

http://technet.microsoft.com/nl‐be/edge/

• Download to your favorite MP3 or video player

• Get access to slides and recommended resources by the speakers




THANK YOUDan Holme, MVP, SharePointChief SharePoint Evangelist, AvePointAuthor, SharePoint 2010 Training Kit (Microsoft Press)Trainer & Consultant, Microsoft Technologies Consultant, NBC OlympicsCommunity Lead, www.sharepointpromag.com

Founding Partner, Aptillon (www.aptillon.com)

@[email protected]: http://bit.ly/gPH8hn (Case Sensitive)

for active directorydownload.microsoft.com/download/e/7/a/e7ae2f7c-0112-405d... · 2018-10-16 ·...

Documents