CHAPTER
2
DESIGNING ACTIVE DIRECTORY
FOR SECURITY
Active Directory provides the foundation for your organization’s security. You must design an
Active Directory structure that will meet your administrative needs and support your
organization’s business directives.
Chapter Scenario:
Wide World Importers
Set the password policy in a GPO to min. 6 and have a separate GPO for the Engineering IT
department and have Kim Abercrombie manage it.
Review the applications required Office 2000 and MSI package which is custom proprietary
accounting software.
Enable the specialized templates for the workstations, servers and non-domain controllers.
Goals, maintain the simplest Active Directory design.
Lesson 1:
Designing your
One of the most important decisions that you need to make when designing Active Directory
for your organization is whether to implement a single forest or multiple forests.
Active Directory Design Basics
global catalog. There are connected using a transitive trust. A forest is disjointed name space.
Domain Tree. A domain tree is a collection of domains that share a contiguous name space.
Domain. A domain represents a unit of replication within Active Directory.
Organizational Unit (OU). An OU is a container that’s used to organize security principals
for the purpose of deploying Group Policy and delegating administrative authority. OUs
can exist within domains or other OUs.
====================================================================
winsec2.html PAGE 2 2002/04/12
NOTE: An OU that exists within another OU is commonly referred to as a
child OU. The OU that contains the child OU is referred to as a parent OU.
Sites. Sites are used within Active Directory to represent the physical network that exists for
an organization. A Site is defined as a section of the network with high network speeds.
Deploying a
The most common configuration for deploying in Active Directory in an organization is a
single forest. With a single forest you can share common information:
Schema. A schema defines all classes and attributes that can be used within the forest. By
default, the first domain controller on the forest is designated as the schema operations master.
Configuration. Maintains the listing of all domains and sites within a forest, thus ensuring that
no duplicate names are created.
Global catalog. The global catalog maintains a partial set of attributes for all objects that
exist within a forest.
The domains within a forest are joined together by Kerberos V5 transitive trust relationships.
It is always recommended to begin your Active Directory design with the intention of deploying
a single forest.
Making the Decision
Considering implementing a single forest for your enterprise if your organization meets the
following criteria:
The same software is used across the organization. If the software is Active Directory aware.
You want to minimize forest-wide configuration. A single forest reduces the number of
administrative tasks that globally affect a forest.
You want to manage forest-wide administrative groups with minimal complications. Several
enterprise administrative groups, including the Enterprise Admins and Schema Admins groups
are located in the forest root domain. If multiple forests are maintained, multiple sets of these
groups also must be maintained to ensure forest security.
====================================================================
winsec2.html PAGE 3 2002/04/12
You want to be able to carry out single, enterprise-wide searches. You can query the global
catalog server to perform a forest-wide search for an object only within a single forest.
You want to reduce management of trust relationships. All domains have a transitive trust
within a forest, therefore you can access any information on any domain within the forest.
Applying the Decision
Even though Wide World Importers has distribution and service centers spread across national
boundaries, this isn’t a sound business reason for creating separate forests.
Deploying Multiple Forests
To complicated having multiple forests such as:
A more complicated and expensive domain structure. Every forest must have at least one
domain. To ensure redundancy in the case of server failure, at least two DCs will be needed.
Additional management costs for forest-wide components such as the schema and configuration
naming contexts. The schema modifications must now be performed in two separate processes
(one for each forest).
Additional management costs for trusts relationships. If you deploy multiple forests, you have
to establish explicit one-way trust relationships between domains in the forests where resources
must be accessed.
Limited use of universal principal names. If multiple forests exist, only default principal names
can be used if users are going to authenticate by using user principal names. If the default user
principal name is used, the user has to log on using the user principal name of
Limiting smart cards to using default user principal names. Only in a single-forest environment
does the global catalog contain a partial replica of all objects in the organization. Deploying
multiple forests can result in loss of functionality for the users within an organization.
Making the Decision
Short-lived joint ventures. Two companies come together for a short period of time.
Mergers between two companies running separate Active Directories. You can merge them
using Active Directory Migration Tool (ADMT) from Microsoft.
====================================================================
winsec2.html PAGE 4 2002/04/12
Disagreement of change policies. A forest shares a common schema and configuration.
Differing schema requirements. A forest shares a single schema.
CAUTION: Any modifications to the schema are permanent. You can never remove any
classes or attributes that are added to the schema. They can only be marked as defunct.
Distrust among administrators. Within a forest the Enterprise Admins group is assigned
privileges that allow the group to manage all domains within a forest.
Scope of transitive trust relationship. Within a forest, users in a domain can access
resources in all other domains in the forest due to the transitive trust relationship that exist
between domains in a forest.
Limited replication of the global catalog. All objects in the forest will have a partial set of
attributes replicated to the global catalog.
If user accounts need to be prevented from appearing in the global catalog. In
highly secure environments it may be necessary to prevent users from knowing the
existence of specific user accounts in the organization.
Applying the Decision
Wide World Importers merged with another company through either a takeover or acquisition,
the other organization might already have a Windows 2000 Active Directory. Not the case,
Always, Always have only one forest.
Explicit trust relationships must be defined between domains where resource access might
take place.
Lesson 2:
Designing Your Domain Structure
Once you have decided to create either a single forest or multiple forests for an organization,
the next step is to determine how many domains the organization needs.
Deploying a Single Domain
A single-domain forest is commonly implemented in organizations that maintain centralized
control of user and computer accounts.
====================================================================
winsec2.html PAGE 5 2002/04/12
Making the Decision
When the goal is to keep it simple, a single domain is the best decision for an Active
Directory design. Choosing to implement a single domain will have the following effects
on your Active Directory:
It reduces management of the forest. When only a single domain exists in the forest, the
domain’s administrators are ultimately the forest’s administrators as well.
It reduces the number of required DCs. Every domain that you create requires separate
DCs. By deploying a single domain, you reduce the total number of DCs.
It reduces the dependency on global catalog servers for authentication. When authentication
in a native mode domain, the authenticating DC connects to a global catalog server to
determine universal group membership for the authenticating security principal.
It provides an easier migration path to multiple domains.
Applying the Decision
Wide World Importers can start initially with a single domain for its organization, but as we
will see, its business objectives require the implementation of multiple domains.
Deploying Multiple Domains
One of the key reasons to implement multiple domains is a requirement for differing
account policies. Account policies can only be applied at a domain level.
Understanding Account Policies
Account policies include the following three categories of configuration:
Password Policy. Defines the characteristics of passwords that may be used to
authenticate to the domain.
Account Lockout Policy. Defines which actions must be taken when a specific amount
of failed logon attempts occur in a short period of time.
Kerberos Policy. Defines maximum ticket lifetimes for Kerberos authentication and
tolerance for clock synchronization between client computers and servers.
TIP: When implementing account policy, be sure to set it at the domain level so that
the domain settings are configured. Account policy configured at the OU level only
affects the local account databases of any computers in that OU. It won’t affect any
users authenticating with the domain when using that computer.
====================================================================
winsec2.html PAGE 6 2002/04/12
Password Policy
Enforce Password History. Value between 0-24 passwords remembered.
Maximum Password Age. Defines how frequently a password must be changed. 0-999.
Minimum Password Age. Defines how long a newly changed password must exist before
the user can change it.
Minimum Password Length. Defines the minimum character length for a user’s password.
If the user enters a password that’s less than the minimum length, the password will be rejected.
Passwords Must Meet Complexity Requirements. You must meet three of the following
four requirements:
· UPPER CASE
· lower case
· 1234567890 (numeric)
· !@#$%^&*() symbols
In addition, passwords can’t contain the user’s account name.
Store Password using reversible encryption for all users in the Domain. Reversible encryption
is used by the Internet Information Server when configured to use digest authentication and
by dial-in users using Challenge Handshake Authentication Protocol (CHAP). Using IIS.
Account Lockout Policy
Account Lockout Duration. If defined to be 0, this indicates that the account is locked out
until an administrator manually resets it.
Account Lockout Threshould. Defines how many incorrect logon attempts are allowed
before an account is locked out.
Reset Account Lockout Counter After. The frequency of the lockout counter resetting.
====================================================================
winsec2.html PAGE 7 2002/04/12
Kerberos Policy
The Kerberos policy defines settings for the Kerberos v5 authentication protocol. These
settings apply to all computers and users in the domain where the policy is defined.
Domain controller Security Policy/Account Policies/Kerberos Policy.
The Kerberos policy settings available in account policy include:
Enforce User Logon Restrictions. Enabled by default. This prevents a locked out account
from acquiring any additional service tickets after an administrator locks out the account.
Maximum Lifetime For Service Ticket. Defines how long a service ticket can be stored in
the service ticket cache. Default = 600 minutes.
Maximum Lifetime for User Ticket. Default = 10 hours. Defines the maximum lifetime for
a Kerberos ticket issued to a user account.
Maximum Lifetime for User Ticket Renewal. Default = 7 days. Defines the maximum
amount of time during which a ticket may be renewed.
Maximum Tolerance for Computer Clock Synchronization. Default = 5 min. Defines how
much a client computer’s clock can be out of sync with a server’s computer clock.
Kerberos settings must be the same for an entire domain. If you require different Kerberos
settings, you have identified the need for multiple domains.
Making the Decision:
You must decide to implement multiple domains if any of the following scenarios exist in your
organizations:
Differing account policies. If departments can’t agree on account policy settings such as
minimum password length, account lockout duration or Kerberos ticket lifetime settings,
you need to create multiple domains.
NOTE: You can define account policy at the OU level in Group Policy. The policy
applied to you will depend on how you log onto the system.
Replication issues. For offices that have smaller branch offices connected by slow wide
area network (WAN) links, the traffic associated with replication can lead to saturation
of the WAN link.
International considerations. Some countries require management of the network to take
place within the country where the network is located.
Political reasons. Do departments work well together.
The need to put enterprise administration accounts into a separate domain. An empty root
domain. Within a forest, enterprise-level administration groups exist in the forest root domain.
====================================================================
winsec2.html PAGE 8 2002/04/12
WARNING: All members of the Domain Admins group in the forest root have the ability
to change membership in the Enterprise Admins and the Schema Admins groups.
Membership in all three groups should be carefully monitored to ensure that group
memberships aren’t changed without authorization.
Applying the Decision
Since you need to have multiple policies for the Engineering Department, then you should
put them into their own domain.
Based on account policies, the Wide World Importers network requires at least two domains:
one to contain all members of the Engineering department and the other to contain the
remaining users.
Wide World Importers could deploy either a two-domain forest or a three-domain forest,
depending on its security needs for restricting membership in the Enterprise Admins, Schema
Admins, and forest root Domain Admins groups.
*** See page 39 ***
Lesson Summary:
organization’s business requirements.
will require the deployment of multiple domains in your organization’s forest.
Lesson 3:
Designing an OU Structure
Within every domain in your forest you must create an OU structure.
====================================================================
winsec2.html PAGE 9 2002/04/12
Planning for Delegation of Administration
One of the more common Active Directory designs is based on the capability of delegating
administration to specific organizational units, to specific objects within an OU, or to specific
attributes of an object.
In Windows 2000, you can delegate administration to a
specific OU by using the
Delegation of Control Wizard.
Users or Groups. You can select which users or groups will be delegated administrative
control over the container you’re delegating control to.
Tasks to Delegate. Common tasks like resetting passwords etc. can be given to another
person to lesson your load.
Custom Tasks. If you select custom tasks for delegation, you can choose to delegate full
control of all objects in the folder or specifically reference the object classes that the user or
security group can manage.
Custom Permissions. If custom tasks are selected, you can then define the permissions that
will be delegated to the user or security group selected. Click the Advanced options on any
Active Directory container’s Security tab.
TIP: The Security tab is available only when Advanced Features are enabled in Active
Directory Users and Computers.
Making the Decision
When it actually comes time to create your delegation of administration design, you must
ensure that only the minimum rights are delegated to the selected security principals.
Run a test bed.
Which users should have administration privileges delegated to them. Be sure to select
only the users that require delegated user rights to delegation.
Where to delegate administration in the OU hierarchy. It’s often best to delegate control
higher in the OU hierarchy. This reduces the number of places in which delegation must
take place.
Which types of objects should be delegated for administration. Delegated administration
is often only required for a specific class of objects.
The minimum set of rights that are required. Although the Delegation of Control Wizard
allows delegation to administration based on an entire object, the best solution often is to
provide administration rights to only a subset of attributes for an object.
====================================================================
winsec2.html PAGE 10 2002/04/12
Applying the Decision
Set up a domain engineering.wideworldimporters.ltd. Because delegation of authority is
inherited by default, the head of the Engineering IT department will be able to manage all
user accounts in the Engineering department. You can make the nominated engineers at
the distribution centers members of the domain local group so that they are limited to
managing user accounts from their own distribution center.
Group Policy is always processed in a specific order:
located.
You can configure Group Policy settings for both users and computers. When you design
your OU structure, you may arrive at an OU structure that ultimately puts computers and
users in separate OUs.
By default, Group Policy is inherited. If a policy is defined at the domain level, all OUs
under that domain will have the Group Policy setting applied, unless the Group Policy
setting is defined in an OU closer to the user that overrides the previous setting.
TIP While group policy settings are inherited within a domain, they aren’t inherited between
domains. If a Group Policy is defined at the forest root domain, it isn’t inherited by child
domains created below the forest root. A domain can inherit only site Group Policy settings.
Blocking inheritance will prevent Group Policy settings defined in parent containers from
being applied at child containers. For example, if the Canada OU blocked policy inheritance,
the Do not Display Last User Name In Logon Screen policy wouldn’t be enabled for any
computers in the Canada OU.
Some administrators may not appreciate these settings blocked at lower level OUs. This
is especially true for policy settings applied at the domain level that are intended to affect
all computers in the domain.
====================================================================
winsec2.html PAGE 11 2002/04/12
The No Override option prevents lower-level OUs from blocking inheritance.
If both the No Override and Block Policy Inheritance settings
are selected, the No Override
option takes precedence, or the lower policy.
The final option that you can use to further configure which Group Policy is applied to
objects within a container is to apply filtering to Group Policy. Filtering allows you to limit
the application of a Group Policy to specific Windows 2000 security groups. You do this
in the Security tab of the Group Policy object.
To apply the Group Policy, you must assign the security group two specific permissions:
Read and Apply Group Policy. The Read permissions allows the members of the security
group to read the properties and settings of the Group Policy object, and the Apply Group
Policy permission indicates that those policies and settings will be applied to the security
group.
TIP There is a resource kit tool called Gpresult.exe.
Making the Decision
Your OU design should meet the following Group Policy requirements to assist in
troubleshooting Group Policy application problems:
Create an OU structure that doesn’t require blocking inheritance. When Group Policy
inheritance is blocked, the default application model for Group Policy doesn’t take place.
This makes it difficult to troubleshoot Group Policy applications and may require tools
such as Gpresult.exe from the Microsoft Windows 2000 Server Resource Kit for resolution.
Limit the use of Site Group Policies in a multiple-domain environment. Site Group Policies
are stored in the domain where the Site Group Policy was defined.
Limit the number of
levels where Group Policy is applied in order to increase logon
performance. Takes too much time to logon.
Apply only the necessary settings. When you design your Group Policy objects, you
should prevent user settings from being applied if the Group Policy object is only
supposed to apply computer settings.
====================================================================
winsec2.html PAGE 12 2002/04/12
Applying the Decision
Two requirements make it necessary for you to configure Group Policy: The deployment
of software for users and the deployment of consistent security configuration for all
computers.
To facilitate the deployment of the security templates, you need to create an OU structure
that groups the computers into OUs based on security templates.
See the diagrams on page 50
To facilitate the deployment of applications, you must define only a single OU.
The Accounting Users OU would contain all of the Accounting department user accounts.
For this OU you can define a Group Policy object that assigns the Accounting software to
all user accounts within the OU.
NOTE: Group Policies can be defined for domains, sites, and OUs, but not for container
objects.
Lesson Summary:
Designating an OU structure takes a long time.
The design must allot for both delegation of administration and deployment of Group Policy.
Be aware that the process is lengthy and that you must test it before deploying it.
Lesson 4:
Designing an Audit Strategy
The major part of securing a Windows 2000 network is determining who accessed specific
resources or who performed specific actions on the network.
Configuring Audit Settings
Within Windows 2000 you can configure several auditing settings.
The audit policies that can be defined for a domain include:
====================================================================
winsec2.html PAGE 13 2002/04/12
onto the domain the authenticating domain controller does the logon. Can be success and
failures.
account or group. It also occurs when a user account is renamed, disabled, or enabled, or a
password is set or changed.
or an administrator taking ownership of a file.
time the security log is reset on the computer.
Making the Decision
By defining audit settings within Active Directory by using Group Policy, you can ensure that
the desired settings are maintained forest-wide.
When you define your audit strategy, you must consider the following design points:
Determine where to apply the audit settings.
local computer.
at the actual OU where the computer object is located will be applied.
Define DC auditing settings in the Domain Controllers OU. By default, all DCs are located in
the Domain Controllers OU. Collect computers with similar audit requirements into common
OUs. By grouping computer accounts into common OUs, you can apply the required audit
policy settings at the OU level. Do not audit all events. Takes too much resources.
====================================================================
winsec2.html PAGE 14 2002/04/12
NOTE: Do not audit all events, wastes system resources. The security log is by default size
of 512K. When auditing is enabled, you can be sure that you will require more space than the
default size. The actual size must be set based on the amount of data that will be included in
the auditing configuration.
Determine the appropriate mix of failure and success audits to meet your security requirements.
Define your audit strategy to match the organization’s risk level. The lower the risk level that
the organization is comfortable with, the more events you include in the audit strategy.
Applying the Decision
The Wide World Importers is only concerned with internal auditing, you do not need to worry
as much about external attacks such as internet attacks.
The following is
being audited:
when user accounts were created, modified, or deleted and who performed the task.
success and failure auditing for object access. If the files are stored in NTFS and auditing is
enabled on the Advanced tab you can perform this.
policy will be recorded in the audit logs.
will also tell who tried to perform this task, and when and the time.
Lesson Summary:
auditing and the effect on performance and resource usage that the auditing requires.