Module 6: Designing Active Directory Security in Windows Server 2008

Upload: esmond-watkins

Post on 28-Dec-2015


Page 1: Module 6: Designing Active Directory Security in Windows Server 2008

Module 6: Designing Active Directory Security in Windows Server 2008

Page 2

Module Overview

• Designing AD DS Security Policies

• Designing AD DS Domain Controller Security

• Designing Administrator Security and Delegation

Page 3

Lesson 1: Designing AD DS Security Policies

• Fine-Grained Password Policies in Windows Server 2008

• What Are Fine-Grained Password Policies?

• Password Setting Object Attributes

• How PSOs Are Processed and Applied

• Guidelines for Designing Fine-Grained Password Policies

Page 4

Fine-Grained Password Policies in Windows Server 2008

[Figure: timeline comparing Windows Server 2000, Windows Server 2003 and Windows Server 2008]

Page 5

What Are Fine-Grained Password Policies?

Fine-grained password policies allow you to specify multiple password policies within a single domain.

Fine-grained password policies:

• Apply only to user objects (or inetOrgPerson objects) and global security groups

• Cannot be applied to an organizational unit (OU) directly

• Do not interfere with custom password filters that you might use in the same domain

Page 6

Password Setting Object Attributes

PSOs have the following attributes:

• PSO link

• Precedence

• msDS-PSOAppliesTo

• msDS-PSOApplied

Page 7

How PSOs Are Processed and Applied

[Diagram: how the resultant PSO is chosen. Direct: PSOs linked to the user object itself (PSO 1, PSO 2, PSO 3); the PSO with the lowest precedence value applies. Indirect: PSOs linked through group membership (PSO 1, PSO 2, PSO 3); the PSO with the lowest precedence value applies.]

Page 8

Guidelines for Designing Fine-Grained Password Policies

When designing fine-grained password policies, consider the following:

• Limit the number of PSOs you create, for manageability

• Apply PSOs to groups rather than to individual user accounts

• Assign a unique msDS-PasswordSettingsPrecedence value to each PSO

• Understand the permissions necessary for managing PSOs:

  • Permission to link a PSO is granted to the owner of the PSO, not to the owner of the linked group or user

  • Settings on the PSO may be considered confidential
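The selection rules from page 7 (directly linked PSOs beat group-linked ones, lowest precedence value wins) and the unique-precedence guideline from page 8 are easier to reason about in code. The block below is an added example, not part of the course material: a small model of the resultant-PSO decision plus a check for duplicate precedence values. The group names, DNs and GUIDs are constructed; the tie-breaker on objectGUID follows the documented AD DS behaviour when two PSOs share a precedence value.

```python
# Added example: a model of the PSO selection rules shown on pages 7 and 8.
# Names, DNs and GUIDs below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional
from uuid import UUID


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int                  # msDS-PasswordSettingsPrecedence
    applies_to: FrozenSet[str]       # msDS-PSOAppliesTo: DNs of users and global security groups
    object_guid: UUID                # objectGUID, used only to break a precedence tie


@dataclass(frozen=True)
class User:
    dn: str
    member_of: FrozenSet[str]        # DNs of the global security groups the user belongs to


def _winner(candidates: List[PSO]) -> PSO:
    # Lowest precedence value wins; on a tie AD DS applies the PSO with the
    # mathematically smallest objectGUID.
    return min(candidates, key=lambda p: (p.precedence, p.object_guid.int))


def resultant_pso(user: User, psos: Iterable[PSO]) -> Optional[PSO]:
    """Return the PSO that governs the user, or None if the Default Domain Policy applies."""
    psos = list(psos)
    # Direct: PSOs linked to the user object itself always beat group-linked PSOs,
    # whatever their precedence values.
    direct = [p for p in psos if user.dn in p.applies_to]
    if direct:
        return _winner(direct)
    # Indirect: PSOs linked to a global security group the user is a member of.
    indirect = [p for p in psos if p.applies_to & user.member_of]
    if indirect:
        return _winner(indirect)
    return None


def duplicate_precedences(psos: Iterable[PSO]) -> Dict[int, List[str]]:
    """Guideline check: report precedence values shared by more than one PSO."""
    by_value: Dict[int, List[str]] = {}
    for p in psos:
        by_value.setdefault(p.precedence, []).append(p.name)
    return {v: names for v, names in by_value.items() if len(names) > 1}


# Constructed sample directory.
ADMINS = "CN=Tier0-Admins,OU=Groups,DC=example,DC=com"
SERVICE = "CN=Service-Accounts,OU=Groups,DC=example,DC=com"
ALICE = User("CN=alice,OU=Users,DC=example,DC=com", frozenset({ADMINS, SERVICE}))
BOB = User("CN=bob,OU=Users,DC=example,DC=com", frozenset({ADMINS}))
CAROL = User("CN=carol,OU=Users,DC=example,DC=com", frozenset())

PSOS = [
    PSO("PSO-Admins", 10, frozenset({ADMINS}), UUID(int=3)),
    PSO("PSO-Service", 20, frozenset({SERVICE}), UUID(int=2)),
    # Linked directly to bob: applies to him even though 50 > 10.
    PSO("PSO-Bob-Exception", 50, frozenset({BOB.dn}), UUID(int=1)),
]

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        winner = resultant_pso(u, PSOS)
        print(u.dn, "->", winner.name if winner else "Default Domain Policy")
    print("duplicate precedences:", duplicate_precedences(PSOS))
```

Running the block shows alice picking up PSO-Admins through her group membership (10 beats 20), bob keeping his directly linked exception PSO despite its higher precedence value, and carol falling back to the Default Domain Policy. The `duplicate_precedences` check is the kind of thing to run after every PSO change, since a shared precedence value makes the outcome depend on GUID ordering rather than on the design.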

Page 9

Lesson 2: Designing AD DS Domain Controller Security

• Key Components that Affect Domain Controller Security

• Server Core as a Solution for Domain Controller Deployment

• What is the Security Configuration Wizard?

• Prerequisites for Deploying RODCs

• Administrator Role Separation on RODCs

Page 10

Key Components that Affect Domain Controller Security

When designing domain controller security, consider the following potential security risks and the corresponding mitigations:

• Additional applications and services installed: keep the domain controller clean of other applications

• Managing software updates: use Windows Server Update Services 3.0

• Physical security: always store domain controllers in a secure location

• Local logons: only administrators should log on locally

• Domain controller security policy: use the default Domain Controllers OU

Page 11

Server Core as a Solution for Domain Controller Deployment

Server Core supports the following server roles:

• AD DS

• AD LDS

• DHCP Server

• DNS Server

• File Server

• Media Services

• Print Server

Server Core reduces:

• Management requirements

• Attack surface

• Disk space usage

• Servicing requirements

Page 12

What is the Security Configuration Wizard?

The SCW provides a detailed and comprehensive way to modify and enhance the security of domain controllers.

SCW in Windows Server 2008 allows you to:

• Disable unneeded services based on the server role

• Remove unused firewall rules and constrain existing firewall rules

• Define restricted audit policies

Page 13

Prerequisites for Deploying RODCs

The prerequisites for deploying an RODC are as follows:

• The RODC must forward authentication requests to a writable domain controller running Windows Server 2008 in the same domain

• The domain functional level must be Windows Server 2003 or higher

• The forest functional level must be Windows Server 2003 or higher

• You must run adprep /rodcprep once in the forest

• One writable domain controller in the domain must be running Windows Server 2008

Page 14

Administrator Role Separation on RODCs

Domain Administrator:

• Add and remove users and computers

• Create OUs

• Change group membership

Local Administrator on an RODC:

• Update drivers

• Manage files and printers

• Install updates

Page 15

Lesson 3: Designing Administrator Security and Delegation

• What Are Administrative Autonomy and Isolation?

• Guidelines for Creating a Delegation Model

• Guidelines for Using and Securing Administrator Accounts

• Auditing Administrative Access

Page 16

What Are Administrative Autonomy and Isolation?

Autonomy: administrators have authority to manage resources independently; however, administrators with greater authority can take control away, if necessary.

Isolation: administrators have authority to manage a resource independently; no other administrator can take control of the resource.

Page 17

Guidelines for Creating a Delegation Model

When creating a delegation model:

• Represent every instance of every administrative role with a unique security group

• Use the security groups that represent roles for the sole purpose of delegating those roles

• When delegating data management, delegate permissions only on OUs, as far as possible

• Unless absolutely required, do not specify permissions on individual objects within an OU

• When delegating a role, grant only the permissions that allow the administrative tasks assigned to the role
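Three of these guidelines can be checked mechanically against a proposed model before anyone touches an ACL: permissions set on individual objects rather than OUs, permissions beyond what the role's tasks need, and one security group standing in for more than one role. The following is an added example written for this page, not course material: the roles, group DNs and permission names are constructed, and the `allowed` mapping stands in for whatever role-to-permission catalogue an organisation actually maintains.

```python
# Added example: a check of a proposed delegation model against the guidelines above.
# The roles, groups, DNs and permission names are constructed for the example and
# are not a real permission catalogue.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

Finding = Tuple[str, ...]


@dataclass(frozen=True)
class Delegation:
    role: str                    # administrative role, e.g. "Helpdesk-PasswordReset"
    group: str                   # DN of the security group that represents the role
    target: str                  # DN the permission is set on
    permissions: FrozenSet[str]  # permissions granted by this delegation


def is_ou(dn: str) -> bool:
    return dn.upper().startswith("OU=")


def check_model(delegations: Iterable[Delegation],
                allowed: Dict[str, FrozenSet[str]]) -> List[Finding]:
    """Return findings as tuples; an empty list means the model follows the guidelines."""
    findings: List[Finding] = []
    roles_by_group: Dict[str, set] = {}
    for d in delegations:
        roles_by_group.setdefault(d.group, set()).add(d.role)
        # Delegate on OUs, not on individual objects inside them.
        if not is_ou(d.target):
            findings.append(("object-level-ace", d.role, d.target))
        # Grant only what the role's assigned tasks need.
        for perm in sorted(d.permissions - allowed.get(d.role, frozenset())):
            findings.append(("excess-permission", d.role, perm))
    # One unique group per role instance; a group shared by roles blurs the delegation.
    for group, roles in roles_by_group.items():
        if len(roles) > 1:
            findings.append(("shared-group", group))
    return findings


# Constructed sample model.
HELPDESK_GROUP = "CN=Role-Helpdesk-PasswordReset,OU=Roles,DC=example,DC=com"
ALLOWED = {
    "Helpdesk-PasswordReset": frozenset({"Reset Password", "Read pwdLastSet", "Write pwdLastSet"}),
    "Workstation-Join": frozenset({"Create Computer objects"}),
}
MODEL = [
    Delegation("Helpdesk-PasswordReset", HELPDESK_GROUP, "OU=Users,DC=example,DC=com",
               frozenset({"Reset Password", "Read pwdLastSet", "Write pwdLastSet"})),
    # Permission placed on one user object instead of the OU.
    Delegation("Helpdesk-PasswordReset", HELPDESK_GROUP, "CN=alice,OU=Users,DC=example,DC=com",
               frozenset({"Reset Password"})),
    # Reuses the helpdesk group for a second role and grants more than the role needs.
    Delegation("Workstation-Join", HELPDESK_GROUP, "OU=Workstations,DC=example,DC=com",
               frozenset({"Create Computer objects", "Delete Computer objects"})),
]

if __name__ == "__main__":
    for finding in check_model(MODEL, ALLOWED):
        print(finding)
```

The first delegation in the sample passes cleanly; the second and third each produce one finding, and the reuse of the helpdesk group for a second role produces a third. Findings are plain tuples so the check drops easily into a change-review script.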

Page 18

Guidelines for Using and Securing Administrator Accounts

The following are recommendations for securing administrator accounts:

• Perform administrative tasks only with dedicated administrative accounts

• Administrators should always use User Account Control

• Keep the number of users who are members of built-in administrative groups to a minimum

• Remove all users from legacy built-in groups

• Separate the Domain Administrator and Enterprise Administrator roles

• Rename the default Administrator account

• Create a decoy administrator account

Page 19

Auditing Administrative Access

In Windows Server 2008, the Directory Service Access audit policy category is divided into four subcategories:

• Directory Service Access

• Directory Service Changes

• Directory Service Replication

• Detailed Directory Service Replication

In Windows Server 2008, you can set up AD DS auditing with the Directory Service Changes audit subcategory to log the old and new values when changes are made to objects and their attributes.
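The value of the Directory Service Changes subcategory is that a modify is logged per attribute value, with the previous value recorded as deleted and the replacement as added, and the records for one operation share a correlation identifier. The block below is an added example written for this page, not course material: it folds constructed records shaped like the 5136 "directory service object was modified" event back into old/new pairs and reports the changes a defender most wants to see, here group membership of a built-in group and the precedence and link attributes of PSOs. The records are hand-made dicts, not real event XML, and the watch list is an assumption about what is worth alerting on.

```python
# Added example: correlating Directory Service Changes audit records into old/new values.
# The records below are constructed; their field names follow the fields of the
# 5136 "A directory service object was modified" event (subject, object DN and class,
# attribute name and value, operation type, correlation ID), but this is a simplified
# dict form, not Windows event XML.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE_EVENTS = [
    # A helpdesk account adds a service account to the built-in Administrators group.
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=Administrators,CN=Builtin,DC=example,DC=com", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=svc-backup,OU=Service,DC=example,DC=com",
     "OperationType": "Value Added", "OpCorrelationID": "{11111111-0000-0000-0000-000000000001}"},
    # A PSO precedence is changed from 10 to 500: one modify, logged as a delete plus an add.
    {"EventID": 5136, "SubjectUserName": "psoadmin",
     "ObjectDN": "CN=PSO-Admins,CN=Password Settings Container,CN=System,DC=example,DC=com",
     "ObjectClass": "msDS-PasswordSettings",
     "AttributeLDAPDisplayName": "msDS-PasswordSettingsPrecedence", "AttributeValue": "10",
     "OperationType": "Value Deleted", "OpCorrelationID": "{11111111-0000-0000-0000-000000000002}"},
    {"EventID": 5136, "SubjectUserName": "psoadmin",
     "ObjectDN": "CN=PSO-Admins,CN=Password Settings Container,CN=System,DC=example,DC=com",
     "ObjectClass": "msDS-PasswordSettings",
     "AttributeLDAPDisplayName": "msDS-PasswordSettingsPrecedence", "AttributeValue": "500",
     "OperationType": "Value Added", "OpCorrelationID": "{11111111-0000-0000-0000-000000000002}"},
    # Routine description change on a user: not on the watch list.
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=dave,OU=Users,DC=example,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Sales",
     "OperationType": "Value Deleted", "OpCorrelationID": "{11111111-0000-0000-0000-000000000003}"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=dave,OU=Users,DC=example,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Marketing",
     "OperationType": "Value Added", "OpCorrelationID": "{11111111-0000-0000-0000-000000000003}"},
]

# (object class, attribute) pairs a defender wants old and new values for (assumed watch list).
WATCHED: Set[Tuple[str, str]] = {
    ("group", "member"),
    ("msDS-PasswordSettings", "msDS-PasswordSettingsPrecedence"),
    ("msDS-PasswordSettings", "msDS-PSOAppliesTo"),
}

Key = Tuple[str, str, str]  # correlation ID, object DN, attribute


def group_changes(events: Iterable[dict]) -> Dict[Key, dict]:
    """Fold per-value 5136 records into one change per (operation, object, attribute)."""
    changes: Dict[Key, dict] = defaultdict(lambda: {"old": [], "new": [], "who": None, "class": None})
    for e in events:
        if e.get("EventID") != 5136:
            continue
        key = (e["OpCorrelationID"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
        side = "new" if e["OperationType"] == "Value Added" else "old"
        changes[key][side].append(e["AttributeValue"])
        changes[key]["who"] = e["SubjectUserName"]
        changes[key]["class"] = e["ObjectClass"]
    return dict(changes)


def flagged_changes(events: Iterable[dict], watched: Set[Tuple[str, str]] = WATCHED) -> List[dict]:
    """Return watched-attribute changes with who made them and the old and new values."""
    out = []
    for (corr, dn, attr), c in group_changes(events).items():
        if (c["class"], attr) in watched:
            out.append({"who": c["who"], "object": dn, "attribute": attr,
                        "old": sorted(c["old"]), "new": sorted(c["new"])})
    return out


if __name__ == "__main__":
    for change in flagged_changes(SAMPLE_EVENTS):
        print(f'{change["who"]} changed {change["attribute"]} on {change["object"]}: '
              f'{change["old"]} -> {change["new"]}')
```

With the sample input, the six records collapse to three changes, two of which are on the watch list: the membership addition (no old value, one new value) and the precedence change (old 10, new 500). The description edit is correlated but not reported. Because the subcategory records the subject on every record, each reported change carries the account that made it, which is what makes this subcategory useful for auditing administrative access rather than merely detecting that something changed.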