Planning a Microsoft Windows 2000 Administrative Structure
- Designing default administrative group membership
- Designing custom administrative groups
- Local security authority (LSA) functionality
- Designing secure administrative access
- Designing secondary access
- Designing Telnet administration
- Designing Terminal Services administration

Planning Administrative Group Membership
- Designing default administrative groups
- Designing custom administrative groups

Default Administrative Groups
Domain Local Groups:
- Administrators
- Account Operators
- Server Operators
- Print Operators
- DHCP Administrators
- DNS Admins
- WINS Admins
- Pre-Windows 2000 Compatible Access
- Replicator

Default Administrative Groups (Cont.)
Local Groups:
- Power Users
- Backup Operators

Default Administrative Groups (Cont.)
Global Groups:
- Domain Admins
- Group Policy Creator Owners
- DnsUpdateProxy

Default Administrative Groups (Cont.)
Universal Groups:
- Enterprise Admins
- Schema Admins

Assessing Administrative Group Membership Design
- Poor administrative group design negatively impacts network security.
- Security is compromised if administrative group membership is not controlled.

Auditing Group Membership
- Use Windows 2000 auditing and periodic manual audits to verify group membership against the documented membership.
- Which administrative groups are audited depends on the network.
- Audits are achieved by:
  - Performing regularly scheduled manual inspections
  - Using third-party products
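
The regularly scheduled inspection this slide recommends, written as an added PowerShell example that is not part of the course material: it compares the current, nested membership of each audited administrative group with a documented baseline and reports every deviation. It assumes the RSAT ActiveDirectory module is installed on the auditing workstation; the baseline rows and the adm- prefixed account names are constructed for the example and loosely follow the Hanson Brothers roles.

```powershell
# Added example: report drift between actual administrative group membership and the
# documented baseline. Assumes the ActiveDirectory (RSAT) module; all names are constructed.
Import-Module ActiveDirectory

# Groups to audit. Every group listed here is checked even if the baseline has no row for it,
# so Domain Admins and Enterprise Admins (no approved members below) report anyone found in them.
$auditedGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins',
                 'Account Operators', 'Server Operators', 'Backup Operators'

# Constructed baseline (in practice a change-controlled CSV). Accounts carry the standard
# administrative prefix "adm-" so they are easy to tell apart from everyday user accounts.
$baseline = @'
Group,Member
Schema Admins,adm-yschleger
Account Operators,adm-smasters
Server Operators,adm-emiller
Backup Operators,adm-sconroy
Backup Operators,adm-khightower
Backup Operators,adm-emiller
'@ | ConvertFrom-Csv

function Get-GroupDrift {
    param(
        [string]$Group,
        [string[]]$Approved
    )
    # -Recursive expands nested groups, so an account that gains membership indirectly
    # (through a group placed inside the audited group) is compared as well.
    $actual = @(Get-ADGroupMember -Identity $Group -Recursive |
                Select-Object -ExpandProperty SamAccountName)

    foreach ($m in $actual) {
        if ($m -notin $Approved) {
            [pscustomobject]@{ Group = $Group; Member = $m; Finding = 'Not in baseline' }
        }
    }
    foreach ($m in $Approved) {
        if ($m -notin $actual) {
            [pscustomobject]@{ Group = $Group; Member = $m; Finding = 'Missing from group' }
        }
    }
}

$findings = foreach ($g in $auditedGroups) {
    $approved = @($baseline | Where-Object { $_.Group -eq $g } | ForEach-Object Member)
    Get-GroupDrift -Group $g -Approved $approved
}

if ($findings) {
    $findings | Sort-Object Group, Member | Format-Table -AutoSize
    exit 1      # non-zero exit lets a scheduled task or monitoring job raise an alert
}
Write-Output "All audited groups match the documented baseline."
```

Run it from a scheduled task under a read-only account and keep the baseline CSV under change control, so the comparison itself cannot be edited by the people it audits.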

Using Restricted Groups to Maintain Group Memberships
- Use the Restricted Groups option within Group Policy to predefine memberships within groups.
- If members are added or deleted, membership is re-established based on the Group Policy.
- Apply the Restricted Groups option at the site, domain, or OU level.
- The Restricted Groups option provides two forms of protection for a defined group:
  - Protects membership in the group
  - Limits the groups that the restricted group can be a member of
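
Restricted Groups as an added worked example, not from the course: the `[Group Membership]` section below is the form the setting takes in a security template (and in the GptTmpl.inf a Group Policy object stores), and the script applies it to the local machine with secedit so the effect can be observed on one server before the same template is imported into a site, domain or OU policy. DOMAIN\adm-admins is a placeholder for a custom domain local administrative group; the two SIDs are the well-known SIDs of the built-in Administrators and Power Users groups.

```powershell
# Added example: enforce Restricted Groups from a security template with secedit.
# S-1-5-32-544 = built-in Administrators, S-1-5-32-547 = built-in Power Users (well-known SIDs).
# DOMAIN\adm-admins is a placeholder for the custom domain local administrative group.
# A single-quoted here-string keeps the $CHICAGO$ signature from being expanded by PowerShell.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; Protection 1: "Members" fixes the exact membership. An account added by hand is removed
; and an approved member that was removed is put back at the next policy refresh.
*S-1-5-32-544__Members = Administrator,DOMAIN\adm-admins
; An empty Members list empties the group, which is how Power Users is neutralised.
*S-1-5-32-547__Members =
; Protection 2: "Memberof" controls the groups the restricted group belongs to; here the
; custom group is placed in Administrators on every computer the template is applied to.
DOMAIN\adm-admins__Memberof = *S-1-5-32-544
'@

$inf = Join-Path $env:TEMP 'restricted-groups.inf'
$db  = Join-Path $env:TEMP 'restricted-groups.sdb'
$log = Join-Path $env:TEMP 'restricted-groups.log'
# The template declares Unicode=yes, so it is written as UTF-16.
Set-Content -Path $inf -Value $template -Encoding Unicode

# /areas GROUP_MGMT applies only the Restricted Groups section and leaves other settings untouched.
secedit /configure /db $db /cfg $inf /areas GROUP_MGMT /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    Get-Content $log
    throw "secedit failed with exit code $LASTEXITCODE"
}

# Verify the result the way an auditor would: list the group as it now stands.
net localgroup Administrators
```

Applied through Group Policy instead of secedit, the same section is re-evaluated at every policy refresh, which is the re-establishment behaviour the slide describes.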

Making the Decision: Assessing Administrative Group Design
- Determine exactly who must be a member of each administrative group.
- Do not grant membership to a group that provides excess privileges.
- Use the Restricted Groups option to ensure that only approved membership is maintained.
- Ensure that membership is audited for these groups.
- Scrutinize membership in the forest root domain's Domain Admins group.

Applying the Decision: Defining Administrative Groups at Hanson Brothers
Administrative roles:
- Stephanie Conroy: Performs backups and Group Policy management
- Derek Graham: Manages Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP)
- Steve Masters: Manages all user accounts, excluding administrative accounts
- Kim Hightower: Restores network backups
- Yvonne Schleger: Manages schema design
- Eric Miller: Manages backup and restore, share management, and services

Designing Custom Administrative Groups

Determining When to Create Custom Groups
- Determine exactly what rights are required by a specific account.
- Use custom groups to delegate specific rights to an account, rather than provide the account with excess privileges.
- The Enterprise Admins universal group has a large number of rights in the forest root domain.
- Membership in the Enterprise Admins group is required to perform specific security tasks in a Windows 2000 forest.

Enterprise Admins Group Security Tasks
- Creating new domains and new domain controllers (DCs) in the forest
- Authorizing Remote Installation Services (RIS) and DHCP servers in Active Directory
- Installing Enterprise Certification Authorities
- Managing sites and subnets

Making the Decision: Creating Custom Administrative Groups
- Determine that an existing administrative security group does not meet security requirements.
- Determine what rights are required by the custom administrative groups.
- Determine if the necessary administrative rights can be delegated.
- Determine what objects are accessed by the permissions.
- Create a domain local group that will be assigned the desired permissions and rights.

Applying the Decision: Creating Custom Administrative Groups at Hanson Brothers

Securing Administrative Access to the Network
- Designing secure administrative access
- Designing secondary access
- Designing Telnet administration
- Designing Terminal Services administration

Administrative Access Methods
- Require smart card logon.
- Restrict which workstations administrators can log on to.
- Configure logon hours.
- Enforce strong passwords.
- Rename the default administrator account.

Requiring Smart Card Logon

Restricting Administrative Access

Making the Decision: Securing Administrative Access
- Restrict administrative access to specific workstations.
- Protect administrative passwords.
- Protect the administrator account from being compromised.

Applying the Decision: Securing Administrative Access at Hanson Brothers
- Rename the administrator account.
- Create dedicated administrative accounts.
- Protect administrative accounts.

Designing Secondary Access: Understanding the RunAs Service

Making the Decision: Implementing the RunAs Service
- The RunAs service does not provide facilities for smart card logon.
- There are several ways to launch the RunAs service.
- Use a standard prefix for administrative accounts.
- Create a usage policy for administrative accounts on the network.

Applying the Decision: Implementing the RunAs Service at Hanson Brothers
- Administrative tasks can be performed without logging on to the administrative account.
- Define a policy that requires all administrative users to use the RunAs service to launch administrative tasks.
- Ensure that no administrative users require smart card logon, because the RunAs service does not support smart cards.

Designing Telnet Administration
- Windows 2000 includes the Telnet Service to perform remote administration from the command line.
- Telnet Service can only be run with text-based utilities, such as scripts and batch files.
- Use the RunAs command or Terminal Services to run utilities requiring GUI interfaces.
- By default, Telnet uses clear text for transmitting authentication and screen data.
- NTLM authentication can exclude UNIX clients from accessing the Telnet Service.
- Use IPSec to encrypt all transmitted data.

Making the Decision: Implementing Telnet Service
- All management commands can be performed from a text-based utility.
- Consider using NTLM authentication to protect the authentication credentials transmitted to Telnet Services.
- Use IPSec to encrypt all data transmitted between the client and server.

Applying the Decision: Implementing Telnet Service at Hanson Brothers
- Telnet can be used only for text-based utilities.
- Telnet must not be configured to use NTLM for authentication because one administrator is using a UNIX SPARC workstation.
- IPSec must be configured to encrypt all administrative Telnet sessions.

Designing Terminal Services Administration

Assessing Terminal Services Administration: Application Mode
- Allows multiple connections by regular user accounts that have been granted Terminal Services access in Active Directory Users And Computers.
- Additional security can be configured by applying the Notssid.inf security template.

Assessing Terminal Services Administration: Remote Administration Mode
- Configure Terminal Services to run in Remote Administration mode.
- Limits connections to two concurrent connections.
- Only members of the Administrators group are allowed to connect to the terminal server.

Making the Decision: Using Terminal Services Administration
- Use Terminal Services to:
  - Limit which utilities can be run by a Terminal Services client
  - Restrict access to Terminal Services to administrative personnel only
  - Secure transmission of data between the Terminal Services client and the terminal server
  - Prevent excess rights to domain controllers
- Determine Terminal Services access based on individual user permission.
- Allow access to Terminal Services from the widest range of platforms.

Applying the Decision: Implementing Terminal Services at Hanson Brothers
- Restrict Terminal Services to administrators by using Remote Administration mode.
- Deploy Terminal Services Advanced Client to allow clients running other OSs, but using Microsoft Internet Explorer, to perform administrative tasks in the Windows 2000 domain.
- Use Terminal Services Advanced Client for the administrator using a UNIX SPARC workstation.

Chapter Summary
- Assessing administrative group membership
- Designing custom administrative groups
- Securing administrative access to the network
- Designing secondary access
- Designing Telnet administration
- Designing Terminal Services administration