Module 6: Designing Active Directory Security in Windows Server 2008

Module Overview Designing AD DS Security Policies Designing AD DS Domain Controller Security Designing Administrator Security and Delegation

Lesson 1: Designing AD DS Security Policies Fine-Grained Password Policies in Windows Server 2008 What Are Fine-Grained Password Policies? Password Setting Object Attributes How PSOs Are Processed and Applied Guidelines for Designing Fine-Grained Password Policies

Fine-Grained Password Policies in Windows Server 2008 Windows Server 2000 Windows Server 2003 Windows Server 2000 Windows Server 2003 Windows Server 2008

What Are Fine-Grained Password Policies? Fine-grained password policies: Apply only to user objects (or inetOrgPerson objects) and global security groups Cannot be applied to an organizational unit (OU) directly Fine-grained password policies allow you to specify multiple password policies within a single domain Do not interfere with custom password filters that you might use in the same domain

Password Setting Object Attributes PSOs have the following attributes: PSO link Precedence msDS-PSOAppliesTo msDS-PSOApplied

How PSOs Are Processed and Applied Direct Indirect PSO 1 1 Lowest Precedence Value PSO Lowest Precedence Value 3 3 PSO

Guidelines for Designing Fine-Grained Password Policies When designing Fine-Grained Password policies consider the following: Limit the number of PSOs you create for manageability Apply PSOs to groups rather than user accounts Assign a unique msDS-PasswordSettingsPrecedence value for each PSO Understand necessary permissions for managing PSOs: Permissions for linking a PSO is given to the owner of the PSO – not the owner of the linked group or user Settings on the PSO may be considered confidential

Lesson: Designing AD DS Domain Controller Security Key Components that Affect Domain Controller Security Server Core as a Solution for Domain Controller Deployment What is the Security Configuration Wizard? Prerequisites for Deploying RODCs Administrator Role Separation on RODCs

Key Components that Affect Domain Controller Security When designing domain controller security, consider the following potential security risks: Additional applications and services installed  Keep the domain controller clean of other applications Managing software update  Use Windows Server Update Service 3.0 Physical security  Always store domain controllers in a secure location Local logons  Only administrators should log on locally Domain controller security policy  Use the default Domain Controllers OU

Server Core as a Solution for Domain Controller Deployment Server Core supports the following server roles: Server Core reduces: Management requirements AD DS AD LDS DHCP Server DNS Server File Server Media Services Print Server Attack surface Disc space usage Servicing requirements

What is the Security Configuration Wizard? SCW in Windows Server 2008 allows you to: The SCW provides you a detailed and comprehensive way to modify and enhance the security of domain controllers Disable unneeded services based on the server role Remove unused firewall rules and constrain existing firewall rules Define restricted audit policies

Prerequisites for Deploying RODCs The prerequisites for deploying an RODC are as follows: The RODC must forward authentication requests to a writable domain controller running Windows Server 2008 in the same domain The domain functional level must be Windows Server 2003 or higher The forest functional level must be Windows Server 2003 or higher You must run adprep /rodcprep once in the forest One writable domain controller in the domain must be running Windows Server 2008

Administrator Role Separation on RODCs Domain Administrator Local Administrator on an RODC Add and remove users and computers Update drivers Create OUs Change group membership Manage files and printers, install updates Install updates

Lesson 3: Designing Administrator Security and Delegation What Are Administrative Autonomy and Isolation? Guidelines for Creating a Delegation Model Guidelines for Using and Securing Administrator Accounts Auditing Administrative Access

What Are Administrative Autonomy and Isolation? Autonomy - administrators have authority to manage resources independently; however, administrators with greater authority can take control away, if necessary Isolation - administrators have authority to manage a resource independently; no other administrator can take control of the resource

Guidelines for Creating a Delegation Model When creating a delegation model: Represent every instance of every administrative role with a unique security group Use security groups that represent roles for the sole purpose of delegating the roles When delegating data management, as far as possible, delegate permissions only on OUs Unless absolutely required, do not specify permissions on individual objects within an OU When delegating a role, grant permissions that allow only the administrative tasks assigned to the role

Guidelines for Using and Securing Administrator Accounts The following are recommendations for securing administrator accounts: Administrative tasks should be handled by administrative accounts Administrators should always use User Account Control Keep the number of users that are members of built-in administrative groups minimal Legacy built in groups should be emptied from users Separate Domain and Enterprise Administrator roles Rename the Default Administrator Account Create a decoy administrator account

Auditing Administrative Access The Windows Server 2008 audit policy is divided into four subcategories: Directory Service Access Directory Service Changes Directory Service Replication Detailed Directory Service Replication In Windows Server 2008, you can set up AD DS auditing with a audit subcategory to log old and new values when changes are made to objects and their attributes