Anda di halaman 1dari 13

CIS288 Security Design in a Windows 2003 Environment

CIS288 Securing Active Directory

Objectives
When you complete this lesson you will be able to: Design an access control strategy for directory services Establish account and password requirements for security Analyze auditing requirements Create a delegation strategy Design the appropriate group strategy for accessing resources Design a permission structure for directory service objects

Designing an Access Control Strategy for Directory Services


2 Strategies:
Access Control

What you need is the perfect blend between access and control for your environment.

Analyzing Risks to Directory Services


Todays networks are so diversified and large that it is imperative to understand the vulnerabilities that an attacker can use to create risks within your directory services architecture. Usernames Passwords Associated Risks

Establishing Account Security Policies


Establishing a strong account security policy is crucial, because the user account is the single most important entity in Active Directory that links to all rights and permissions on the network. Windows 2000 and Windows Server 2003 allows us to implement security on accounts via Group Policy.

Establishing Password Security


Windows 2000 and Windows Server 2003 both offer settings enforced through Group Policy that allow you configure tightened password security within your organization. The password policy has the following configurable settings:
Enforce password history Maximum password age Minimum password age Minimum password length Password must meet complexity requirements Store passwords using reversible encryption

Establishing Password Security (continued)


An Account lockout policy offers you an additional level of control and security by controlling how, when, and why an account can be locked out. The account lockout policy offers the following configurable settings:
Account lockout duration Account lockout threshold Reset account lockout counter after

Analyzing Auditing Data


Once youve configured your auditing policy, you need to be able to analyze it and make sense of it all. Windows provides a central repository where auditing and other events are stored for later analysis and troubleshooting. Event Viewer With the Event Viewer, you are able to:
Sort events by type, time, and other parameters Filter events View advanced event information Sort events Export the log file to an .EVT, .TXT, or .CSV file Connect to a remote computers Event Viewer

Creating a Delegation Strategy


One of the best enhancements that was introduced in Windows 2000 and continues in Windows Server 2003 is the ability to delegate administration. Delegation of authority can also be used to organize and isolate departmental or suborganizations in your environment. Delegated Administrators categories
Service Administrators Data Administrators

Creating a Delegation Strategy (continued)


Requirements will generally fall under the following two categories:
Isolation Autonomy

Selecting the Delegation Structure


Forest Domain OU

Designing the Appropriate Group Strategy for Accessing Resources


There are three group scopes that exist in Windows Server 2003:
Global groups Domain local groups Universal groups

Designing a Permission Structure for Data


The AGDLP calls for:
Adding domain users to global groups Adding global groups to Domain Local Groups Assigning domain local groups Permissions on resources. Adding domain users to Global groups Adding global groups to Universal groups Adding universal groups to Domain Local groups Assigning domain local groups Permissions on resources.

The AGUDLP and calls for:


Summary
Designing an Access Control Strategy for Directory Services Establishing Password Security Analyzing Auditing Data Designing a Permission Structure for Data