Post on 27-Mar-2015
Auditing Microsoft Active Directory
Eric Dugger
Network Services Manager
Nevada Legislature
What is Active Directory
A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments.
Resources – Computers & Printers
Services – E-Mail, Policies, DNS, etc.
Users – Accounts and security groups
Primary Items of Importance
Business Continuity
• Is Active Directory backed up?
• Are there multiple Domain Controllers?
Security
• Who has access to change Active Directory?
• What settings in Active Directory affect security? (passwords, etc.)
Policies
• What environment is created from AD Policies?
Business Continuity
Active Directory Backups – Critical Data
• How often?
• Where are they stored?
See Backing up an Active Directory Server doc
Multiple Domain Controllers
• Should have the global catalog
Show where in Sites and Services
Questions
Active Directory Security
Who can access Active Directory?
What can they change?
Is auditing turned on for Active Directory?
Access to Active Directory
Active Directory Boundaries
Physical Security
Domain Forests & Trusts
Permissions to Change AD
• Enterprise Admins
• Schema Admins
• Administrators
• Domain Admins
• Server Operators
• Account Operators
• Backup Operators
• DS Restore Mode Administrator
Groups of Interest
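An added example, not part of the original slides: one way to answer "who can change AD?" is to expand each of the groups listed above to its individual accounts and export the result for review. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, which is newer tooling than the Windows Server 2003 consoles shown in this deck; the CSV file name is a placeholder.

```powershell
# Added example (not from the original slides): who holds the privileged
# memberships listed under "Permissions to Change AD"?
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$groups = 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Domain Admins',
          'Server Operators', 'Account Operators', 'Backup Operators'
# The DS Restore Mode Administrator is a local account on each domain
# controller, not a directory group, so it cannot be enumerated this way.

$report = foreach ($name in $groups) {
    try {
        # -Recursive expands nested groups to their leaf members
        $members = @(Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop)
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain
        Write-Warning "Could not read '$name': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $row = [ordered]@{
            Group = $name; Member = $m.SamAccountName; Class = $m.objectClass
            Enabled = $null; LastLogonDate = $null; PasswordNeverExpires = $null
        }
        if ($m.objectClass -eq 'user') {
            try {
                $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordNeverExpires -ErrorAction Stop
                $row.Enabled = $u.Enabled
                # LastLogonDate derives from lastLogonTimestamp, which replicates
                # lazily and can lag the real last logon by several days.
                $row.LastLogonDate = $u.LastLogonDate
                $row.PasswordNeverExpires = $u.PasswordNeverExpires
            } catch {
                Write-Warning "Could not read user '$($m.SamAccountName)'"
            }
        }
        [pscustomobject]$row
    }
}

# Placeholder output path; compare the CSV against the approved administrator list.
$report | Sort-Object Group, Member |
    Export-Csv -Path .\privileged-group-members.csv -NoTypeInformation
$report | Group-Object Group | Select-Object Name, Count
```

Enabled accounts with no recent logon, or with passwords that never expire, are the rows to question first.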
Questions
Group Policy in Microsoft Windows Active Directory
What is Active Directory Group Policy?
The Group Policy management solution in Microsoft® Windows Server™ 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory® directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows® XP Professional, and Windows Server 2003.
Overview
• Control Internet Explorer Settings
• Control Computer/User Settings
• Software Distribution
• Windows Updates
• Much, Much More…
Getting Started
Windows 2003 Active Directory
Group Policy Manager Plug-in
Creating a Policy
Choose an Organizational Unit
Create and Link GPO
Assigning a Policy
Policies Linked to this OU
Policies Inherited to this OU
Delegation of this OU
Defining Internet Explorer
Control the Functionality of IE
• Plug-Ins
• Menus
• Empty Temp Folder
Control the Security of IE
• ActiveX
• .NET
• Block Sites
Configuring an IE Policy
Define your Zones
• Internet
• Intranet
• Trusted
• Restricted
Define your Settings
Apply Policy to an OU
ZONES
1 – Intranet
2 – Trusted
3 – Internet
4 – Restricted
Control User/Computer Settings
Configure the Desktop
• Hide icons/menus
• Dictate wallpaper
Control Software Installation or Use
• Prohibit software from being installed or uninstalled
• Prohibit software from being run
Lock Down Administrator Functions
• Network or security settings
Configure Windows Firewall
Configure a Desktop Policy
Software Distribution
• Automatically Install Software at Logon
• Publish Software
• Remove Software
• Update Software
Configure a Software Install Policy
Install a Software Package on Logon
• The software will be installed when the user logs on
Publish a Software Package
• The software will be available through “Add/Remove Programs”
Redeploy a Software Package
• The package will be redeployed (Update or New Version)
Uninstall a Software Package
• The software will be removed
Install Path to MSI File
Managing Windows Updates
Create a policy to use the Windows Update Services server
• Assign WSUS Server
• Assign WSUS Groups
Install and Configure WSUS
Windows System Update Server
• Updates for Windows, Office, Exchange Server, and SQL Server, with additional product support over time
• Automatic download of specific updates
• Automated actions for updates, determined by administrator approval
• Ability to determine the applicability of updates before installing them
• Targeting
• Reporting
How WSUS Works
Downloads selected updates to central update server
Release updates to specified groups
Report on status of updates
Computer Name, Operating System, Last Status Report, Computer Group
Update Name, Update Type, Release Date, Approval
Install
Detect only
Not Approved
Reporting
Computer Name
Status Type
Installed, Needed, Not Needed, Unknown, Failed, Last Updated
Update Title
Questions
Tools
• GPResult
• AdmX
• Group Policy Manager
• True Last Logon: http://www.dovestones.com/products/True_Last_Logon.asp
What AD Policies am I getting?
• Open a command window
• Type gpresult
GPRESULT
Export Group Policy Settings
AdmX.exe: ADM File Parser
The ADM File Parser (AdmX) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (AdmX) to find changes for the policy settings between different versions of the operating systems. AdmX is for use only with policies based on administrative templates.
Version compatibility
The AdmX.exe tool runs on Windows 2000, Windows Server 2003, and Windows XP Professional. AdmX.exe also requires the Microsoft .NET Framework 1.0.
Group Policy Manager
Questions