Vous êtes sur la page 1sur 31

Security Planning and Administrative Delegation

Lesson 6

Skills Matrix
Technology Skill Creating an OU Structure Objective Domain Maintain Active Directory accounts Objective # 4.2

Naming Standard User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment.
You will usually create a naming standards document to outline the rules for naming all Active Directory objects. This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.

Strong Passwords Since user names are often easily guessed, it is essential to have strong passwords:
At least eight characters in length. Contains uppercase and lowercase letters, numbers, and non-alphabetic characters. At least one character from each of the previous character types. Differs significantly from other previously used passwords.

Strong Passwords
A strong password should not be left blank or contain any of the following information: Your user name, real name, or company name. A complete dictionary word. Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.

Strong Passwords

If you use group policies to enforce strong passwords:


Must be at least seven characters. Must contain three of the four types (uppercase and lowercase letters, numbers, and non-alphabetic characters). Cannot contain your user name or real name.

Authentication Authentication is the process of proving who you are. There are multiple methods of authentication:
What you know (password or PIN). Who you are (retinal scan or thumb print). What you have (smart card).

Some of these methods can be used so that users no longer need to remember passwords.

Smart Card Smart cards are cards about the size of a credit card. Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it. Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

Implementing Smart Cards for Authentication Smart cards can be used from remote locations, such as a home office, to provide authentication services. The risk of remote attacks using a username and password is significantly reduced by smart cards.

Implementing Smart Cards for Authentication Requires Active Directory Certificate Services. Smart cards for authentication must be enabled in the user account properties.

Using Run As from the GUI From the Start button, navigate to the application you wish to run. Press and hold the Shift key and right-click the desired application. Select the Run as administrator option.

Administrative Accounts
You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email. Administrative accounts should be reserved for tasks that require administrator privileges. Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage. Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.

Run as Administrator and Runas Command


The recommended solution for reducing the risks associated with the Administrator account is to use a standard user account and the Run as administrator option in the GUI or the runas command-line tool when it is necessary to perform an administrative task.
The Run as administrator or runas option allows you to maintain your primary logon as a standard user and creates a secondary session for access to an administrative tool. During the use of a program or tool opened using Run as administrator or runas, your administrative credentials are valid only until you close that program or tool.

Run as Administrator and Runas Command Run as administrator and runas require the Secondary Logon service to be running. The runas command-line tool is not limited to administrator accounts. You can use runas to log on with separate credentials from any account. This can be a valuable tool in testing resource access permissions.

Using Run As from the GUI


If you are using User Account Control, you may be prompted for administrative credentials when performing system tasks You can access the Run as Administrator option if you by find the program you want to start from the Start button, and press and hold the Shift key, right-click the desired application, and select the Run as administrator option. You can also use the runas command, such as: runas /user:lucernepublishing.com\domainadmin mmc %windir%\system32\dnsmgmt.msc

Organizational Units Can be created to represent your companys functional or geographical model. Can be used to delegate administrative control over a containers resources to lower-level or branch office administrators. Can be used to apply consistent configuration to client computers, users and member servers.

Creating an Organizational Unit To create an organizational unit, you would use the Active Directory Users and Computers console.

Delegation of Control Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site. Delegating authority at a domain level affects the entire domain. Delegating authority at the OU level affects only that OU and its hierarchy.

Delegation of Control Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform. You can delegate predefined tasks, or you can create custom tasks that allow you to

Delegating Administrative Control of an OU Open Active Directory Users and Computers. Right-click the object to which you wish to delegate control, and click Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page.

Delegating Administrative Control of an OU

Delegating Administrative Control of an OU

Delegating Administrative Control of an OU

Verifying and Removing AD Permissions Must Enable Advanced Features in Active Directory Users and Computers.
Found in the View menu.

Then right-click an OU or an account and select Properties. Select the Security tab.

Verifying and Removing AD Permissions

Moving Objects within Active Directory


Windows Server 2008 allows you to restructure your Active Directory database by moving leaf objects such as users, computers, and printers between OUs, in addition to moving OUs into other OUs to create a nested structure. When you move objects between OUs in a domain, permissions that are assigned directly to objects remain the same. Objects inherit permissions from the new OU. All permissions that were inherited previously from the old OU no longer affect the objects.

Moving Objects within Active Directory Windows Server 2008 provides two methods for moving objects between OUs in the same domain:
Drag-and-drop within Active Directory Users and Computers.
If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move.

Use the Move menu option within Active Directory Users and Computers. You can also use the dsmove command.

Summary Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage. Securing user accounts includes educating users to the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

Summary
As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks. When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.
Delegation of administrative tasks should be a consideration in your plan.

Summary Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

Summary Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the dragand-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.

Vous aimerez peut-être aussi