Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Planning and Administrative Delegation

Published by정산 옹 Modified over 5 years ago

Similar presentations

Presentation on theme: "Security Planning and Administrative Delegation"— Presentation transcript:

1 Security Planning and Administrative Delegation
Lesson 6

2 Skills Matrix Technology Skill Objective Domain Objective #
Creating an OU Structure Maintain Active Directory accounts 4.2

3 Naming Standard User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment. You will usually create a naming standards document to outline the rules for naming all Active Directory objects. This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.

4 Strong Passwords Since user names are often easily guessed, it is essential to have strong passwords: At least eight characters in length. Contains uppercase and lowercase letters, numbers, and non-alphabetic characters. At least one character from each of the previous character types. Differs significantly from other previously used passwords.

5 Strong Passwords A strong password should not be left blank or contain any of the following information: Your user name, real name, or company name. A complete dictionary word. Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.

6 If you use group policies to enforce strong passwords:
Must be at least seven characters. Must contain three of the four types (uppercase and lowercase letters, numbers, and non-alphabetic characters). Cannot contain your user name or real name. The traditional definition of a strong password is slightly different than one that is used by Microsoft. You only need three of the four types of characters instead of all four.

7 Authentication is the process of proving who you are.
There are multiple methods of authentication: What you know (password or PIN). Who you are (retinal scan or thumb print). What you have (smart card). Some of these methods can be used so that users no longer need to remember passwords.

8 Smart Card Smart cards are cards about the size of a credit card. Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it. Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

9 Implementing Smart Cards for Authentication
Smart cards can be used from remote locations, such as a home office, to provide authentication services. The risk of remote attacks using a username and password is significantly reduced by smart cards.

10 Implementing Smart Cards for Authentication
Requires Active Directory Certificate Services. Smart cards for authentication must be enabled in the user account properties. Try to emphasize to the students that if you are using smart cards, you need to use Extensible Authentication Protocol (EAP) (Potential exam question).

11 Using Run As from the GUI
From the Start button, navigate to the application you wish to run. Press and hold the Shift key and right-click the desired application. Select the Run as administrator option. Again, emphasize that for administrators, you should have two accounts.

12 Administrative Accounts
You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring . Administrative accounts should be reserved for tasks that require administrator privileges. Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage. Limiting the use of the Administrator account for daily tasks, such as , application use, and access to the Internet, reduces the potential for this type of damage.

13 Run as Administrator and Runas Command
The recommended solution for reducing the risks associated with the Administrator account is to use a standard user account and the Run as administrator option in the GUI or the runas command-line tool when it is necessary to perform an administrative task. The Run as administrator or runas option allows you to maintain your primary logon as a standard user and creates a secondary session for access to an administrative tool. During the use of a program or tool opened using Run as administrator or runas, your administrative credentials are valid only until you close that program or tool.

14 Run as Administrator and Runas Command
Run as administrator and runas require the Secondary Logon service to be running. The runas command-line tool is not limited to administrator accounts. You can use runas to log on with separate credentials from any account. This can be a valuable tool in testing resource access permissions.

15 Using Run As from the GUI
If you are using User Account Control, you may be prompted for administrative credentials when performing system tasks You can access the Run as Administrator option if you by find the program you want to start from the Start button, and press and hold the Shift key, right-click the desired application, and select the Run as administrator option. You can also use the runas command, such as: runas /user:lucernepublishing.com\domainadmin “mmc %windir%\system32\dnsmgmt.msc”

16 Organizational Units Can be created to represent your company’s functional or geographical model. Can be used to delegate administrative control over a container’s resources to lower-level or branch office administrators. Can be used to apply consistent configuration to client computers, users and member servers.

17 Creating an Organizational Unit
To create an organizational unit, you would use the Active Directory Users and Computers console.

18 Delegation of Control Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure. Delegating authority at a site level affects all domains and users within the site. Delegating authority at a domain level affects the entire domain. Delegating authority at the OU level affects only that OU and its hierarchy.

19 Delegation of Control Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers. The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.

20 Delegating Administrative Control of an OU
Open Active Directory Users and Computers. Right-click the object to which you wish to delegate control, and click Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page.

21 Delegating Administrative Control of an OU
Demonstrate Delegating Administrative Control of an OU.

22 Delegating Administrative Control of an OU

23 Delegating Administrative Control of an OU

24 Verifying and Removing AD Permissions
Must Enable Advanced Features in Active Directory Users and Computers. Found in the View menu. Then right-click an OU or an account and select Properties. Select the Security tab. Demonstrate difference between Advanced View and non-Advanced View. Show that the security tab shows up and additional containers show up when in Advanced mode.

25 Verifying and Removing AD Permissions
Review how permissions work. Permissions are cumulative when added together from users and groups. Also Deny always wins out.

26 Moving Objects within Active Directory
Windows Server 2008 allows you to restructure your Active Directory database by moving leaf objects such as users, computers, and printers between OUs, in addition to moving OUs into other OUs to create a nested structure. When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same. Objects inherit permissions from the new OU. All permissions that were inherited previously from the old OU no longer affect the objects.

27 Moving Objects within Active Directory
Windows Server 2008 provides two methods for moving objects between OUs in the same domain: Drag-and-drop within Active Directory Users and Computers. If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move. Use the Move menu option within Active Directory Users and Computers. You can also use the dsmove command. Demonstrate this.

28 Summary Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage. Securing user accounts includes educating users to the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

29 Summary As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks. When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.

30 Summary Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure. Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

31 Summary Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

Download ppt "Security Planning and Administrative Delegation"

Similar presentations

By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.

By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
XP Tutorial 9 New Perspectives on Microsoft Windows XP 1 Microsoft Windows XP Exploring Your Network Tutorial 9.

XP Tutorial 9 New Perspectives on Microsoft Windows XP 1 Microsoft Windows XP Exploring Your Network Tutorial 9.
MOAC : Installing and Configuring Windows Server 2012

MOAC : Installing and Configuring Windows Server 2012
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
7.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

7.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 10: Server Administration.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Administering Active Directory

Administering Active Directory
By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.

By Rashid Khan Lesson 4-Preparing to Serve: Understanding Microsoft Networking.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Chapter 7 Managing OUs and Active Directory Accounts

Chapter 7 Managing OUs and Active Directory Accounts
Guide to MCSE 70-290, Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.

Guide to MCSE , Enhanced 1 Activity 10-1: Restarting Windows Server 2003 Objective: to restart Windows Server 2003 Start  Shut Down  Restart Configure.

Similar presentations

Ads by Google