Module 6: Designing Active Directory Security in Windows Server 2008
TRANSCRIPT
Module 6: Designing Active Directory Security in Windows Server 2008
Module Overview
• Designing AD DS Security Policies
• Designing AD DS Domain Controller Security
• Designing Administrator Security and Delegation
Lesson 1: Designing AD DS Security Policies
• Fine-Grained Password Policies in Windows Server 2008
• What Are Fine-Grained Password Policies?
• Password Setting Object Attributes
• How PSOs Are Processed and Applied
• Guidelines for Designing Fine-Grained Password Policies
Fine-Grained Password Policies in Windows Server 2008
[Slide graphic comparing password policy support in Windows Server 2000, Windows Server 2003 and Windows Server 2008]
What Are Fine-Grained Password Policies?
Fine-grained password policies allow you to specify multiple password policies within a single domain.
Fine-grained password policies:
• Apply only to user objects (or inetOrgPerson objects) and global security groups
• Cannot be applied to an organizational unit (OU) directly
• Do not interfere with custom password filters that you might use in the same domain
Password Setting Object Attributes
PSOs have the following attributes:
• PSO link
• Precedence
• msDS-PSOAppliesTo
• msDS-PSOApplied
How PSOs Are Processed and Applied
[Slide diagram: PSOs applied directly to a user and indirectly through group membership, with precedence values 1, 2 and 3; the PSO with the lowest precedence value is the one applied]
Guidelines for Designing Fine-Grained Password Policies
When designing fine-grained password policies, consider the following:
• Limit the number of PSOs you create, for manageability
• Apply PSOs to groups rather than to individual user accounts
• Assign a unique msDS-PasswordSettingsPrecedence value to each PSO
• Understand the permissions necessary for managing PSOs:
  • Permission to link a PSO is granted to the owner of the PSO, not to the owner of the linked group or user
  • Settings on the PSO may be considered confidential
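The PSO resolution shown in the diagram above and the precedence guideline can be modelled in code. This is an added example, not part of the original module: it reproduces the documented rules (a PSO linked directly to the user wins over group-linked PSOs; among candidates the lowest msDS-PasswordSettingsPrecedence wins, with the smallest objectGUID breaking ties; no applicable PSO means the Default Domain Policy applies). The contoso.com names and the three PSOs are constructed sample data.

```python
from dataclasses import dataclass
from uuid import UUID

@dataclass(frozen=True)
class PSO:
    """Password Settings Object: name, msDS-PasswordSettingsPrecedence,
    objectGUID (used only as a tie-breaker) and msDS-PSOAppliesTo
    (DNs of user objects or global security groups)."""
    name: str
    precedence: int
    guid: UUID
    applies_to: frozenset

@dataclass(frozen=True)
class User:
    dn: str
    groups: frozenset = frozenset()   # DNs of the user's global security groups

def _lowest(candidates):
    # Lowest precedence value wins; equal values fall back to the smallest objectGUID
    return min(candidates, key=lambda p: (p.precedence, p.guid)) if candidates else None

def resultant_pso(user, psos):
    """Return the PSO AD DS would report as the user's msDS-ResultantPSO,
    or None when the Default Domain Policy applies."""
    direct = [p for p in psos if user.dn in p.applies_to]
    if direct:                        # a direct link always beats group links
        return _lowest(direct)
    return _lowest([p for p in psos if user.groups & p.applies_to])

def duplicate_precedences(psos):
    """Guideline check: every PSO should carry a unique precedence value."""
    seen, dupes = set(), set()
    for p in psos:
        if p.precedence in seen:
            dupes.add(p.precedence)
        seen.add(p.precedence)
    return dupes

# Constructed sample data for an assumed contoso.com domain
SVC_GRP = "CN=Service Accounts,OU=Groups,DC=contoso,DC=com"
DA_GRP = "CN=Domain Admins,CN=Users,DC=contoso,DC=com"
BOB = "CN=Bob,OU=Users,DC=contoso,DC=com"
PSOS = [
    PSO("PSO-ServiceAccounts", 10, UUID(int=1), frozenset({SVC_GRP})),
    PSO("PSO-Admins", 1, UUID(int=2), frozenset({DA_GRP})),
    PSO("PSO-Exception", 50, UUID(int=3), frozenset({BOB})),  # direct user link
]
ALICE = User("CN=Alice,OU=Users,DC=contoso,DC=com", frozenset({SVC_GRP, DA_GRP}))
BOB_USER = User(BOB, frozenset({DA_GRP}))
CAROL = User("CN=Carol,OU=Users,DC=contoso,DC=com")
```

Alice receives PSO-Admins (precedence 1 beats 10), Bob receives PSO-Exception despite its value of 50 because it is linked to him directly, and Carol falls back to the Default Domain Policy; on a live domain the same answer is read from the user's constructed msDS-ResultantPSO attribute.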
Lesson 2: Designing AD DS Domain Controller Security
• Key Components that Affect Domain Controller Security
• Server Core as a Solution for Domain Controller Deployment
• What Is the Security Configuration Wizard?
• Prerequisites for Deploying RODCs
• Administrator Role Separation on RODCs
Key Components that Affect Domain Controller Security
When designing domain controller security, consider the following potential security risks and the corresponding mitigations:
• Additional applications and services installed: keep the domain controller clean of other applications
• Managing software updates: use Windows Server Update Services 3.0
• Physical security: always store domain controllers in a secure location
• Local logons: only administrators should log on locally
• Domain controller security policy: use the default Domain Controllers OU
Server Core as a Solution for Domain Controller Deployment
Server Core supports the following server roles:
• AD DS
• AD LDS
• DHCP Server
• DNS Server
• File Server
• Media Services
• Print Server
Server Core reduces:
• Management requirements
• Attack surface
• Disk space usage
• Servicing requirements
What Is the Security Configuration Wizard?
The SCW provides you a detailed and comprehensive way to modify and enhance the security of domain controllers.
SCW in Windows Server 2008 allows you to:
• Disable unneeded services based on the server role
• Remove unused firewall rules and constrain existing firewall rules
• Define restricted audit policies
Prerequisites for Deploying RODCs
The prerequisites for deploying an RODC are as follows:
• The RODC must forward authentication requests to a writable domain controller running Windows Server 2008 in the same domain
• The domain functional level must be Windows Server 2003 or higher
• The forest functional level must be Windows Server 2003 or higher
• You must run adprep /rodcprep once in the forest
• One writable domain controller in the domain must be running Windows Server 2008
Administrator Role Separation on RODCs
Domain Administrator:
• Add and remove users and computers
• Create OUs
• Change group membership
Local Administrator on an RODC:
• Update drivers
• Manage files and printers
• Install updates
Lesson 3: Designing Administrator Security and Delegation
• What Are Administrative Autonomy and Isolation?
• Guidelines for Creating a Delegation Model
• Guidelines for Using and Securing Administrator Accounts
• Auditing Administrative Access
What Are Administrative Autonomy and Isolation?
Autonomy: administrators have authority to manage resources independently; however, administrators with greater authority can take control away, if necessary
Isolation: administrators have authority to manage a resource independently; no other administrator can take control of the resource
Guidelines for Creating a Delegation Model
When creating a delegation model:
• Represent every instance of every administrative role with a unique security group
• Use security groups that represent roles for the sole purpose of delegating the roles
• When delegating data management, as far as possible, delegate permissions only on OUs
• Unless absolutely required, do not specify permissions on individual objects within an OU
• When delegating a role, grant permissions that allow only the administrative tasks assigned to the role
Guidelines for Using and Securing Administrator Accounts
The following are recommendations for securing administrator accounts:
• Administrative tasks should be performed with dedicated administrative accounts
• Administrators should always use User Account Control
• Keep the number of users that are members of built-in administrative groups to a minimum
• Remove all users from legacy built-in groups
• Separate the Domain Administrator and Enterprise Administrator roles
• Rename the default Administrator account
• Create a decoy administrator account
Auditing Administrative Access
In Windows Server 2008, the directory service audit policy is divided into four subcategories:
• Directory Service Access
• Directory Service Changes
• Directory Service Replication
• Detailed Directory Service Replication
With the Directory Service Changes subcategory enabled, AD DS auditing in Windows Server 2008 logs both the old and the new values when changes are made to objects and their attributes.
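The old-and-new-value logging described above arrives in the Security log as event ID 5136 (a directory service object was modified): a modify of a single-valued attribute produces two 5136 events sharing a Correlation ID, one with Operation Type "Value Deleted" (old value) and one with "Value Added" (new value), while an add to a multi-valued attribute such as member has no "Value Deleted" partner. The following added example, which is not part of the original module, pairs such events back into before/after records and flags membership changes to watched administrative groups; the event dictionaries are constructed samples, not captured log data, and assume one value per attribute per Correlation ID.

```python
from collections import OrderedDict

# Constructed sample 5136 events (not real log data). Keys are simplified
# names for the event's rendered fields: Subject, Correlation ID, Object DN,
# Attribute LDAP Display Name, Attribute Value and Operation Type.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Subject": "CONTOSO\\jsmith", "Correlation": "{C1}",
     "ObjectDN": "CN=Alice,OU=Users,DC=contoso,DC=com",
     "Attribute": "description", "Value": "Contractor", "Operation": "Value Deleted"},
    {"EventID": 5136, "Subject": "CONTOSO\\jsmith", "Correlation": "{C1}",
     "ObjectDN": "CN=Alice,OU=Users,DC=contoso,DC=com",
     "Attribute": "description", "Value": "Employee", "Operation": "Value Added"},
    {"EventID": 5136, "Subject": "CONTOSO\\jsmith", "Correlation": "{C2}",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=contoso,DC=com",
     "Attribute": "member", "Value": "CN=Bob,OU=Users,DC=contoso,DC=com",
     "Operation": "Value Added"},
]

def attribute_changes(events):
    """Pair 5136 events by (Correlation ID, object, attribute) into records
    carrying the old value (from "Value Deleted") and the new value (from
    "Value Added"); an add with no deletion leaves old as None."""
    changes = OrderedDict()
    for e in events:
        if e["EventID"] != 5136:      # other directory service events carry no values
            continue
        key = (e["Correlation"], e["ObjectDN"], e["Attribute"])
        rec = changes.setdefault(key, {"object": e["ObjectDN"], "attribute": e["Attribute"],
                                       "old": None, "new": None, "subject": e["Subject"]})
        if e["Operation"] == "Value Deleted":
            rec["old"] = e["Value"]
        elif e["Operation"] == "Value Added":
            rec["new"] = e["Value"]
    return list(changes.values())

def privileged_group_changes(changes, watched_dns):
    """Detection rule: any change to the member attribute of a watched group."""
    return [c for c in changes if c["attribute"] == "member" and c["object"] in watched_dns]

WATCHED = {"CN=Domain Admins,CN=Users,DC=contoso,DC=com"}
```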