Security Planning and Administrative Delegation Lesson 6

Skills Matrix Technology Skill Objective Domain Objective # Creating an OU Structure Maintain Active Directory accounts 4.2

Naming Standard User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment. You will usually create a naming standards document to outline the rules for naming all Active Directory objects. This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.

Strong Passwords Since user names are often easily guessed, it is essential to have strong passwords: At least eight characters in length. Contains uppercase and lowercase letters, numbers, and non-alphabetic characters. At least one character from each of the previous character types. Differs significantly from other previously used passwords.

Strong Passwords A strong password should not be left blank or contain any of the following information: Your user name, real name, or company name. A complete dictionary word. Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.

If you use group policies to enforce strong passwords: Must be at least seven characters. Must contain three of the four types (uppercase and lowercase letters, numbers, and non-alphabetic characters). Cannot contain your user name or real name. The traditional definition of a strong password is slightly different than one that is used by Microsoft. You only need three of the four types of characters instead of all four.

Authentication is the process of proving who you are. There are multiple methods of authentication: What you know (password or PIN). Who you are (retinal scan or thumb print). What you have (smart card). Some of these methods can be used so that users no longer need to remember passwords.

Smart Card Smart cards are cards about the size of a credit card. Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it. Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

Implementing Smart Cards for Authentication Smart cards can be used from remote locations, such as a home office, to provide authentication services. The risk of remote attacks using a username and password is significantly reduced by smart cards.

Implementing Smart Cards for Authentication Requires Active Directory Certificate Services. Smart cards for authentication must be enabled in the user account properties. Try to emphasize to the students that if you are using smart cards, you need to use Extensible Authentication Protocol (EAP) (Potential exam question).

Using Run As from the GUI From the Start button, navigate to the application you wish to run. Press and hold the Shift key and right-click the desired application. Select the Run as administrator option. Again, emphasize that for administrators, you should have two accounts.

Administrative Accounts You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email. Administrative accounts should be reserved for tasks that require administrator privileges. Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage. Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.

Run as Administrator and Runas Command The recommended solution for reducing the risks associated with the Administrator account is to use a standard user account and the Run as administrator option in the GUI or the runas command-line tool when it is necessary to perform an administrative task. The Run as administrator or runas option allows you to maintain your primary logon as a standard user and creates a secondary session for access to an administrative tool. During the use of a program or tool opened using Run as administrator or runas, your administrative credentials are valid only until you close that program or tool.

Run as Administrator and Runas Command Run as administrator and runas require the Secondary Logon service to be running. The runas command-line tool is not limited to administrator accounts. You can use runas to log on with separate credentials from any account. This can be a valuable tool in testing resource access permissions.

Using Run As from the GUI If you are using User Account Control, you may be prompted for administrative credentials when performing system tasks You can access the Run as Administrator option if you by find the program you want to start from the Start button, and press and hold the Shift key, right-click the desired application, and select the Run as administrator option. You can also use the runas command, such as: runas /user:lucernepublishing.com\domainadmin “mmc %windir%\system32\dnsmgmt.msc”

Organizational Units Can be created to represent your company’s functional or geographical model. Can be used to delegate administrative control over a container’s resources to lower-level or branch office administrators. Can be used to apply consistent configuration to client computers, users and member servers.

Creating an Organizational Unit To create an organizational unit, you would use the Active Directory Users and Computers console.

Delegation of Control Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure. Delegating authority at a site level affects all domains and users within the site. Delegating authority at a domain level affects the entire domain. Delegating authority at the OU level affects only that OU and its hierarchy.

Delegation of Control Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers. The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.

Delegating Administrative Control of an OU Open Active Directory Users and Computers. Right-click the object to which you wish to delegate control, and click Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page.

Delegating Administrative Control of an OU Demonstrate Delegating Administrative Control of an OU.

Delegating Administrative Control of an OU

Delegating Administrative Control of an OU

Verifying and Removing AD Permissions Must Enable Advanced Features in Active Directory Users and Computers. Found in the View menu. Then right-click an OU or an account and select Properties. Select the Security tab. Demonstrate difference between Advanced View and non-Advanced View. Show that the security tab shows up and additional containers show up when in Advanced mode.

Verifying and Removing AD Permissions Review how permissions work. Permissions are cumulative when added together from users and groups. Also Deny always wins out.

Moving Objects within Active Directory Windows Server 2008 allows you to restructure your Active Directory database by moving leaf objects such as users, computers, and printers between OUs, in addition to moving OUs into other OUs to create a nested structure. When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same. Objects inherit permissions from the new OU. All permissions that were inherited previously from the old OU no longer affect the objects.

Moving Objects within Active Directory Windows Server 2008 provides two methods for moving objects between OUs in the same domain: Drag-and-drop within Active Directory Users and Computers. If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move. Use the Move menu option within Active Directory Users and Computers. You can also use the dsmove command. Demonstrate this.

Summary Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage. Securing user accounts includes educating users to the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

Summary As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks. When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.

Summary Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure. Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

Summary Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.