SECURITY PLANNING AND ADMINISTRATIVE DELEGATION - PowerPoint PPT Presentation

About This Presentation
Title:

SECURITY PLANNING AND ADMINISTRATIVE DELEGATION

Description:

Title: MOC PowerPoint deck template Author: Jim Kramer (Press) Last modified by: Galanda A. Brooker Document presentation format: On-screen Show (4:3) – PowerPoint PPT presentation

Slides: 25
Provided by: JimKram5

Transcript and Presenter's Notes


1
SECURITY PLANNING AND ADMINISTRATIVE DELEGATION
  • Chapter 6

2
NAMING STANDARDS
  • Determine the standard for creating user account
    names
  • First initial, last name
  • First name, last initial, and so on
  • Naming standards document
  • Defines how user logon names should be created
  • Part of appropriate planning for Active Directory

3
WAYS TO SECURE USER ACCOUNTS
  • Education of users
  • Strong passwords
  • Smart cards
  • Biometrics

4
EDUCATING USERS
  • Use strong passwords
  • Keep passwords secure
  • Don't write down passwords on paper or leave them
    in visible places.
  • Don't share passwords.
  • Don't save passwords to your computer.

5
STRONG PASSWORDS
  • Combination of at least 7 upper- and lowercase
    letters, numbers, and symbols.
  • At least one character of each type
  • Alternate characters make passwords extra secure
  • When changing passwords, vary them by more than
    one character.
  • Don't use your username, real name, or company
    name.
  • Don't use words from the dictionary.
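
The rules on this slide can be checked mechanically. The following is an added example, not part of the presentation: the word list is a constructed stand-in for a real dictionary, and the function names and the `identity` parameter are assumptions.

```python
import re

# Constructed stand-in for a real word list (assumption for this example).
SAMPLE_DICTIONARY = {"password", "winter", "dragon", "welcome", "monkey"}

CHARACTER_TYPES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",  # anything that is not an ASCII letter or digit
}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def password_problems(new, old=None, identity=(), dictionary=SAMPLE_DICTIONARY):
    """Return the slide-5 rules that `new` breaks; an empty list means it passes.

    identity (hypothetical parameter): username, real name and company name.
    """
    problems = []
    if len(new) < 7:
        problems.append("shorter than 7 characters")
    for name, pattern in CHARACTER_TYPES.items():
        if not re.search(pattern, new):
            problems.append("no " + name)
    lowered = new.lower()
    if any(len(item) >= 3 and item.lower() in lowered for item in identity):
        problems.append("contains username, real name or company name")
    # Check each run of letters so that "Winter2024!" is caught via "winter".
    if any(word in dictionary for word in re.findall(r"[a-z]+", lowered)):
        problems.append("contains a dictionary word")
    if old is not None and edit_distance(new, old) <= 1:
        problems.append("differs from the old password by at most one character")
    return problems
```

A password such as `Winter2024!` has all four character types and still fails, because the dictionary check looks at each run of letters inside it.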

6
SMART CARD AUTHENTICATION

7
ENTERPRISE CERTIFICATION AUTHORITY REQUIRED

8
SMART CARD BENEFITS: INCREASED SECURITY
  • Keystroke loggers cannot capture passwords
    because users will not be typing them.
  • Password complexity is not something you have to
    teach or enforce upon your users.
  • Users will not be writing passwords on paper or
    sharing them.
  • Security risks related to password cracking or
    remote attacks are greatly reduced.

9
SMART CARD CONSIDERATIONS
  • Additional software and administration.
  • Certification authority (CA)
  • Internet Information Server (IIS) to distribute
    smart cards
  • Need smart card readers for client computers.
  • Users could lose or forget their smart cards.
  • Users may be tempted to write their PIN on their
    smart card.

10
ENABLING A USER ACCOUNT FOR SMART CARD AUTHENTICATION

11
ADMINISTRATOR ACCOUNT SECURITY
  • Strong password (rotate frequently).
  • Cannot hide the default administrative account
    from the experienced hacker (RID of 500).
  • Don't use for daily tasks; you can use the Run As
    utility to increase privilege when required.
  • Allows you to use another user's credentials
    without a log off event
  • Must be logged on interactively
  • Requires secondary logon service

12
ORGANIZATIONAL UNIT (OU) STRUCTURE
  • Representing the company model
  • Delegation of administrative control
  • Group Policy
  • Hide objects within Active Directory

13
DELEGATING ADMINISTRATIVE RESPONSIBILITY
  • OUs can help to decentralize administrative
    control.
  • You can give certain users or groups permissions
    to perform specific tasks within particular OUs.
  • Reset passwords.
  • Create and delete user accounts.

14
IMPLEMENTING GROUP POLICIES
  • Covered in greater depth in the following
    chapters.
  • Allows you to subdivide the organization based on
    the controls you'd like to implement.
  • Subdividing reduces the amount of Group Policy
    processing that computers must perform.
  • Faster user logons
  • Quicker computer startups

15
HIDING OBJECTS
  • Can prevent users from seeing objects inside OUs
    to which they do not have Read access
  • Modify the Access Control List (ACL) on the OU
  • In order to see the OU ACL, you must enable
    Advanced Features on the View menu.
  • Remove Read permission from Authenticated Users.
  • Set appropriate permissions for the users you'd
    like to see the object.

16
CREATING AN OU STRUCTURE
  • Limit the number of nested OUs.
  • Three to five layers are typical.
  • Most agree that ten or more layers are excessive.
  • Book icon.
  • First-level OUs are directly below the domain.

17
PYRAMID OU STRUCTURE
[Diagram: cohowinery.com domain with OUs Location 1, Location 2, Location 3, Accounting, Production, Sales, Marketing, Administration]

18
FLAT OU STRUCTURE
[Diagram: cohowinery.com domain with OUs Accounting, Location 1, Location 2, Location 3, Production, Sales, Marketing, Administration]

19
USING OUs TO DELEGATE ACTIVE DIRECTORY MANAGEMENT TASKS
  • Compartmentalizes administration
  • Limit the number of administrators that have
    access to the entire domain or forest
  • Limit the scope of administrative control
  • Reset passwords.
  • Create and manage user accounts.
  • Create computer accounts.
  • Limits the scope of errors

20
DELEGATION OF CONTROL WIZARD

21
VERIFYING AND REMOVING DELEGATED PERMISSIONS
  • Cannot use the Delegation Of Control Wizard to
    remove permissions
  • Must modify the ACL of the OU
  • Need to be sure Advanced Features is enabled on
    the View menu
  • Security tab is then visible.
  • You can modify permissions for users and groups.

22
MOVING OBJECTS BETWEEN OUs
  • Drag and drop from one location to the other in
    Active Directory Users And Computers
  • Move menu option
  • Dsmove
  • Movetree

23
PERMISSIONS
  • Those assigned directly to the OU remain
  • Those inherited are removed and replaced with
    permissions inherited from new parent OU or domain
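
Verifying delegated permissions and predicting what a move does to them both depend on the inherited flag carried by each access control entry. The following is an added example, not part of the presentation: it parses constructed SDDL strings, lists the entries assigned directly to an object, and models a move between OUs. The SIDs, DACLs and function names are assumptions, and the model ignores the no-propagate and inherit-only flags and object-type filtering.

```python
import re

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
HELPDESK, SALES_ADMINS, MARKETING_ADMINS = (
    f"{DOMAIN}-{rid}" for rid in (1105, 1106, 1107))  # constructed group SIDs
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password right

# Constructed DACLs: a user object in a Sales OU that is moved to a Marketing OU.
USER_DACL = (
    f"D:(OA;;CR;{RESET_PASSWORD};;{HELPDESK})"  # assigned directly to the user
    f"(A;CIID;RPWP;;;{SALES_ADMINS})"           # inherited from the Sales OU
)
MARKETING_OU_DACL = (
    f"D:(A;CI;RPWP;;;{MARKETING_ADMINS})"       # inheritable by child objects
    "(A;;LC;;;AU)"                              # applies to the OU itself only
)

def parse_aces(dacl):
    """Parse type;flags;rights;object;inherit_object;trustee ACEs from SDDL."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        kind, flags, rights, obj, inherit_obj, trustee = body.split(";")[:6]
        aces.append({
            "type": kind,
            "flags": frozenset(re.findall("..", flags)),  # two-letter codes
            "rights": rights, "object": obj,
            "inherit_object": inherit_obj, "trustee": trustee,
        })
    return aces

def explicit_aces(aces):
    """Entries assigned directly to the object: those without the ID flag."""
    return [ace for ace in aces if "ID" not in ace["flags"]]

def dacl_after_move(object_dacl, new_parent_dacl):
    """Simplified model of a move: directly assigned entries remain, inherited
    ones are dropped, and the new parent's inheritable (CI) entries arrive
    marked as inherited (ID)."""
    kept = explicit_aces(parse_aces(object_dacl))
    inherited = [dict(ace, flags=ace["flags"] | {"ID"})
                 for ace in parse_aces(new_parent_dacl) if "CI" in ace["flags"]]
    return kept + inherited
```

With the constructed data, the help desk entry survives the move, the Sales entry disappears, and the Marketing entry appears as inherited.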

24
SUMMARY
  • Examples of naming standards.
  • User account security.
  • Passwords
  • User education
  • Smart cards
  • Reduce use of privileged accounts by using the
    Run As utility.
  • What should you consider when designing an OU
    structure?
  • What wizard can you use to delegate control? What
    is a limitation of this wizard?
  • Name several ways to move objects from one OU to
    another.