Security Planning and Administrative Delegation Lesson 6


Upload: asher-anthony

Post on 14-Dec-2015


TRANSCRIPT

Page 1: Security Planning and Administrative Delegation Lesson 6

Security Planning and Administrative Delegation

Lesson 6

Page 2: Security Planning and Administrative Delegation Lesson 6

Skills Matrix

Technology Skill: Creating an OU Structure

Objective Domain: Maintain Active Directory accounts

Objective #: 4.2

Page 3: Security Planning and Administrative Delegation Lesson 6

Lesson 6

Configuring Strong Passwords

At least eight characters in length

Contains uppercase and lowercase letters, numbers, and nonalphabetic characters

At least one character from each of the previous character types

Differs significantly from other previously used passwords
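
As an added example (not part of the original slides), the following PowerShell compares the domain's default password policy and any fine-grained password policies with the criteria above. It assumes the ActiveDirectory module is installed; the function name Test-PasswordPolicy is hypothetical, and password history is used as the nearest enforceable stand-in for "differs from previously used passwords".

```powershell
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    param(
        [int]$MinLength = 8   # first criterion in the lesson
    )
    # Collect the default domain policy plus every fine-grained policy (PSO),
    # because a PSO can override the default for the users it applies to.
    $policies = @(
        Get-ADDefaultDomainPasswordPolicy |
            Select-Object @{n='Name';e={'Default Domain Policy'}},
                MinPasswordLength, ComplexityEnabled, PasswordHistoryCount
        Get-ADFineGrainedPasswordPolicy -Filter * |
            Select-Object Name, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount
    )
    foreach ($p in $policies) {
        $issues = @()
        if ($p.MinPasswordLength -lt $MinLength) {
            $issues += "minimum length $($p.MinPasswordLength) is below $MinLength"
        }
        if (-not $p.ComplexityEnabled) {
            $issues += 'complexity is not enforced'
        }
        if ($p.PasswordHistoryCount -eq 0) {
            $issues += 'no password history, previous passwords can be reused'
        }
        [pscustomobject]@{
            Policy    = $p.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

Test-PasswordPolicy | Format-Table -AutoSize -Wrap
```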

Page 4: Security Planning and Administrative Delegation Lesson 6

Implementing Smart Cards for Authentication

Users no longer need to remember passwords.

All information is stored on the smart card, making it difficult for anyone except the intended user to use or access it.

Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

Page 5: Security Planning and Administrative Delegation Lesson 6

Implementing Smart Cards for Authentication (cont.)

Smart cards can be used from remote locations, such as a home office, to provide authentication services.

The risk of remote attacks using a username and password is significantly reduced by smart cards.

Page 6: Security Planning and Administrative Delegation Lesson 6

Installing Active Directory Certificate Services

Click Start, and then select Server Manager.

Click Roles, and then select Add roles.

On the Select Server Roles screen, place a checkmark next to Active Directory Certificate Services and click Next.

Click Next after you read the information displayed.

Page 7: Security Planning and Administrative Delegation Lesson 6

Installing Active Directory Certificate Services (cont.)

Select the Certification Authority component, and click Next to continue.

Select Enterprise and click Next to continue.

Page 8: Security Planning and Administrative Delegation Lesson 6

Installing Active Directory Certificate Services (cont.)

Select Root CA, and click Next to continue.

Select Create a new private key, and click Next to continue.

On the Configure Cryptography for CA screen, click Next to accept the default values for the cryptographic service provider (CSP), key character length, and hash algorithm.

Page 9: Security Planning and Administrative Delegation Lesson 6

Installing Active Directory Certificate Services (cont.)

Click Next to accept the default values.

On the Set the Certificate Validity Period screen, select a validity period of 2 years, and click Next to continue.

Page 10: Security Planning and Administrative Delegation Lesson 6

Installing Active Directory Certificate Services (cont.)

Click Next to accept the default values and continue.

Click Install after you have confirmed your installation choices.

Click Close after the installation has completed.
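
The same installation can be scripted, which leaves a reviewable record of each choice. This is an added example, not part of the original slides; it assumes Windows Server 2012 or later (where the ADCSDeployment cmdlets exist) and an elevated session with Enterprise Admin rights, and Get-LocalCACertificate is a hypothetical helper that reads back what the accepted defaults actually produced.

```powershell
# Wizard steps: Add roles > Active Directory Certificate Services > Certification Authority
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Wizard steps: Enterprise, Root CA, create a new private key, validity period of 2 years.
# No provider, key length or hash parameters are passed, so the defaults are accepted
# exactly as in the wizard procedure above.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -ValidityPeriod Years -ValidityPeriodUnits 2

# Read back the CA certificate so the defaults that were accepted can be reviewed.
function Get-LocalCACertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        # Keep only certificates whose Basic Constraints extension marks them as a CA
        $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
            $_.CertificateAuthority
        }
    } | Select-Object Subject,
        @{n='SignatureAlgorithm';e={$_.SignatureAlgorithm.FriendlyName}},
        @{n='KeySize';e={$_.PublicKey.Key.KeySize}},
        NotBefore, NotAfter
}

Get-LocalCACertificate | Format-List
```

Compare the reported signature algorithm, key size and NotAfter date with your organization's cryptographic standard before issuing any certificates from the new CA.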

Page 11: Security Planning and Administrative Delegation Lesson 6

Enabling a User Account for Smart Card Authentication

Open Active Directory Users and Computers.

Navigate to the container holding the user you wish to modify.

Right-click the user account, and select Properties.

Page 12: Security Planning and Administrative Delegation Lesson 6

Enabling a User Account for Smart Card Authentication (cont.)

In the Properties dialog box, select the Account tab.

In the Account Options list, click Smart Card Is Required For Interactive Logon, and then click OK.
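
The check box above corresponds to the SmartcardLogonRequired attribute exposed by the ActiveDirectory module. As an added example (not from the original slides), this script lists enabled members of privileged groups that can still log on with a password; the function name, the default group list and the account name jsmith are assumptions chosen for illustration.

```powershell
Import-Module ActiveDirectory

function Get-PasswordLogonMember {
    param(
        # Groups to audit (assumed defaults; adjust to your environment)
        [string[]]$Group = @('Domain Admins', 'Enterprise Admins')
    )
    foreach ($g in $Group) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties SmartcardLogonRequired, LastLogonDate |
            # Enabled accounts without the flag can still authenticate with a password
            Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
            Select-Object @{n='Group';e={$g}}, SamAccountName, LastLogonDate
    }
}

Get-PasswordLogonMember | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Scripted equivalent of ticking "Smart Card Is Required For Interactive Logon"
# for one account ('jsmith' is a placeholder). Setting the flag replaces the
# account's password with a random value, so confirm the user holds a working
# smart card first.
Set-ADUser -Identity 'jsmith' -SmartcardLogonRequired $true -WhatIf
```

Remove -WhatIf once the preview shows the intended account.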

Page 13: Security Planning and Administrative Delegation Lesson 6

Using Run As from the GUI

From the Start button, navigate to the application you wish to run.

Press and hold the Shift key, and right-click the desired application.

Select the Run as administrator option.

Page 14: Security Planning and Administrative Delegation Lesson 6

Using Run As from the GUI (cont.)

If you are already logged on as an administrative user, you will be presented with a User Account Control confirmation dialog box.

Click Continue to launch the selected program using administrative credentials.

Page 15: Security Planning and Administrative Delegation Lesson 6

Delegating Administrative Control of an OU

Open Active Directory Users and Computers.

Right-click the object to which you wish to delegate control, and click Delegate Control.

Click Next on the Welcome to the Delegation of Control Wizard page.

Click Add on the Users or Groups page.

Page 16: Security Planning and Administrative Delegation Lesson 6

Delegating Administrative Control of an OU (cont.)

In the Select Users, Computers, or Groups dialog box, key the user or group to which you want to delegate administration in the Enter the object names to select box, and click OK.

Click Next to proceed.

Click Create a custom task to delegate, and click Next.

Page 17: Security Planning and Administrative Delegation Lesson 6

Delegating Administrative Control of an OU (cont.)

Click This folder, existing objects in this folder, and creation of new objects in this folder.

Click Next to proceed.

Page 18: Security Planning and Administrative Delegation Lesson 6

Delegating Administrative Control of an OU (cont.)

On the Permissions page shown in Figure 6-9, set the delegated permissions according to your needs for the user or group that has delegated control.

After selecting the appropriate permissions, click Next to proceed.

Review your choices carefully, and click Finish.

Page 19: Security Planning and Administrative Delegation Lesson 6

Verifying and Removing Delegated Permissions

Open Active Directory Users and Computers.

Click the View menu, and then click Advanced Features.

Navigate in the left pane to the object for which you wish to verify delegated permissions, right-click the object, and select Properties.

On the Security tab, click Advanced.

Page 20: Security Planning and Administrative Delegation Lesson 6

Verifying and Removing Delegated Permissions (cont.)

On the Permissions tab under Permissions entries, view the assigned permissions.

Select the user or group for which you wish to remove delegated control privileges, and click Remove.

Click OK twice to exit the Properties window.
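
The Delegation of Control Wizard writes access control entries on the OU, and the Security tab steps above read and remove them. As an added example (not part of the original slides), the following PowerShell does the same review and removal from a script; the function names, the ignore patterns and the sample distinguished name and group are assumptions for illustration.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

function Get-OUDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Principals treated as built-in rather than delegated (assumed list; adjust per domain)
        [string[]]$IgnorePattern = @('^NT AUTHORITY\\', '^BUILTIN\\',
                                     '\\Domain Admins$', '\\Enterprise Admins$')
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $name = $_.IdentityReference.Value
        # Explicit (non-inherited) entries are the ones set directly on this OU
        -not $_.IsInherited -and -not ($IgnorePattern | Where-Object { $name -match $_ })
    } | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        InheritanceType, ObjectType, InheritedObjectType
    # An all-zero ObjectType GUID means the entry covers every object class or property.
}

function Remove-OUDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'EXAMPLE\HelpDesk'
    )
    $path  = "AD:\$DistinguishedName"
    $acl   = Get-Acl -Path $path
    $rules = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Principal
    })
    foreach ($rule in $rules) { $acl.RemoveAccessRuleSpecific($rule) }
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove $($rules.Count) entries for $Principal")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Constructed sample values: review first, then preview the removal with -WhatIf.
Get-OUDelegation -DistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
Remove-OUDelegation -DistinguishedName 'OU=Sales,DC=example,DC=com' -Principal 'EXAMPLE\HelpDesk' -WhatIf
```

Only explicit entries on the OU are reported and removed; entries inherited from a parent container have to be handled where they were set.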

Page 21: Security Planning and Administrative Delegation Lesson 6

Moving an Object Between OUs Using Drag-and-Drop

In Active Directory Users and Computers, select the object you wish to move.

If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move.

While holding down the left mouse button, drag the object to the desired destination OU and release the mouse. The object will appear in its new location.

Page 22: Security Planning and Administrative Delegation Lesson 6

Moving an Object Between OUs Using the Move Option

In Active Directory Users and Computers, select the object you wish to move.

If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move.

Right-click the selected object(s), and select Move from the shortcut menu.

Page 23: Security Planning and Administrative Delegation Lesson 6

Moving an Object Between OUs Using the Move Option (cont.)

In the Move dialog box, select the container object that is the destination for the selected objects, and click OK.

Page 24: Security Planning and Administrative Delegation Lesson 6

Summary

You Learned

Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage.

Securing user accounts includes educating users about the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

Page 25: Security Planning and Administrative Delegation Lesson 6

You Learned (cont.)

As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks.

When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.

Page 26: Security Planning and Administrative Delegation Lesson 6

You Learned (cont.)

Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure. Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

Page 27: Security Planning and Administrative Delegation Lesson 6

You Learned (cont.)

Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.