Identity Management

The Administrator Shortcut Guide to Active Directory Security

by Derek Melber


Written by distinguished authors Derek Melber, Dave Kearns, and Beth Sharesh, The Administrator Shortcut Guide to Active Directory Security shows you how to apply Group Policies, design and implement Group Policy effectively, overcome the lack of auditing functionality in Microsoft tools, establish best practices for delegating control in Active Directory (AD), and implement best practices and AD solutions.


Chapter 1: Directory Security

For all networks, systems administrators must keep track of who is accessing the network as well as control each user’s access to the various network resources. In most networks, information about users and their access rights is stored in a directory that provides user authentication and access control services.

A directory service typically contains sensitive information about the user and service accounts that have access to the enterprise network, about directory-enabled applications and services, and about other network resources. This information is sensitive because its unregulated disclosure, or a disruption of the services that depend on it, can interfere with business operations.

Directory security is fundamentally focused on protecting information, service, and resource assets accessible through the enterprise network. In addition to protecting information stored within the directory, the authorization and access control mechanisms provided by the directory service protect the services and information stored within your network. Implementing security for the information contained in and the resources protected by Microsoft’s directory service implementation—Active Directory (AD)—is not a simple task. Although AD provides powerful management capabilities, these features introduce complexities. You must understand AD, the network, the corporate environment, and the potential threats and vulnerabilities before you can effectively implement security. In this chapter, we’ll explore directory security at a high level before moving on to an exploration of the possible threats and approaches to managing the directory service and information from a security perspective. In later chapters, we’ll delve into how the design of the directory impacts security and administration, then we’ll take an in-depth look into Group Policies and delegation of directory administration.

Chapter 2: Active Directory Security

AD security is not a single setting; it is a compilation of settings that is multifaceted and can become very complex. The default AD security settings handle the basic control of objects such as user accounts, group accounts, and computer accounts. For small companies, this default configuration might be sufficient. For larger companies, the built-in security will quickly be outgrown, and additional security settings and design must be considered and implemented. Regardless of the size of the company, a firm grasp of AD security settings is necessary to ensure a secure and stable IT infrastructure.

If security is not established early in the AD environment, the entire environment can spiral out of control quickly. This spiraling is a result of the number of security settings that can be set, which grows almost exponentially as additional objects and features are added to AD—consider that a single OU has nearly 1000 permissions that can be set to control its contents. This complexity requires consideration as early as possible in the implementation of AD. During the design phase of AD, the security of AD objects should be considered and documented. The objects that need to be considered for security include:

  • Domain controllers
  • Servers
  • Client computers
  • User accounts
  • Group accounts
  • OUs
  • GPOs

The security that you design for AD must be implemented properly to be effective. Failure to follow your design documents can leave AD vulnerable to attacks from both within and outside of the LAN. In addition, AD security is very difficult to audit and track if not set up properly. In some cases, it will be easier to start over rather than to attempt to secure the AD environment after it has been installed and configured with many objects, settings, and features.

Another key aspect of AD security is management. The management phase is critical because it is at this stage that ongoing AD security must be maintained. Whether it is giving users the ability to add members to groups or locking down computers that are located in the reception area, the management of the security for AD must be procedural and consistent.

In this chapter, we will explore delegation of administration within AD as well as the implications of AD structural design on security. Determining the best AD design for your environment is an important part of effective security. In addition, a key factor in AD security is directory administration.

Chapter 3: Group Policies

So far, this guide has provided an introduction to a directory service as well as many of the security considerations that you must manage to keep all objects secure. In addition, we have explored Microsoft AD, with all of its security control mechanisms. You should have a good understanding of the AD infrastructure areas that will require the most attention in order to protect your assets. The assets that need to be protected include user accounts, group accounts, data files, databases, and OS files.

In the previous chapter, we discussed the various methods that administrators have at their disposal to control these AD assets. We focused much of the discussion on delegation of administration, which allows administrators to offload many routine and mundane administrative tasks onto junior administrators, Help desk workers, and other employees of the company. GPOs are of particular interest for delegation, because delegation lets administrators control who can create, link, edit, and view GPOs.

Before we dive into who will manage GPOs—we will tackle the details of controlling the management of GPOs in the next chapter—we must first establish a foundation of knowledge by exploring the basics of GPOs. One of the most important aspects of a GPO is its ability to control security for user and computer accounts in the domain. A GPO has almost 1000 policy settings. The security settings are spread throughout the structure of the GPO, so simply finding a specific GPO setting can be a daunting task. This chapter will lay out the structure of a GPO, indicating where the essential security policies reside, allowing you to efficiently find the settings that you need.

Once you’re familiar with how a GPO is structured, it is important to understand how the GPOs interact with one another. This interaction follows routine inheritance rules, an aspect of GPOs that can be very frustrating because of its complexity. We will explore when, why, and how to use the tools that control inheritance of GPOs, tackling terms such as no override, block policy inheritance, security group filtering, and Windows Management Instrumentation (WMI) filtering.

As in the previous chapter, we will stress the point that AD, security, and GPOs must be designed. Failing to consider security and GPOs during the design of AD almost ensures disaster. The reason is the complexity that results from GPO implementation. Let’s begin by defining policy-based security.

Chapter 4: Delegating Administrative Control

Delegation of administrative control might be the sole reason you moved from your old directory service to AD. Many want to move to AD to take advantage of the efficiency, security, scalability, and ROI that delegation provides. The ability to provide detailed task privileges to all areas of the IT staff, as well as to non-IT professionals, is why delegation is so useful.

There are many tasks that can be delegated within AD, but they can all be broken down into two categories: data administration and service administration. Data administrators control the resources that are stored in AD, such as user, group, and computer accounts. They also control member servers and the resources that reside on these computers. The administrative responsibilities that are associated with these tasks are broken down into categories to help organize the delegation that must occur to get all of the tasks done. Once the categories are created and the AD design finalized to include data administration, the delegation of these tasks can be completed. Delegation of data administration is provided within AD by giving data administrative groups permission over the objects that they will control.

Service administration and the delegation of the related tasks differ greatly from data administration. Service administration controls the directory service, ensuring it is configured properly, available, and stable. Service administration is typically delegated by adding user accounts to existing groups that already have privileges to control aspects of AD administration. These groups and additional groups are configured with user rights on domain controllers to give them additional delegated privileges. These delegated tasks are assigned from categories that organize the different AD administration tasks necessary to keep AD running.

You must begin delegating within AD early in the directory implementation. This best practice is one of many that you will be introduced to with regard to delegation of administration in AD. This chapter will also explore additional AD delegation best practices in areas such as logical and structured designs, the use of roles, and a clear understanding of your delegation model.

Once the delegation is implemented, the job is not done. You will still need to monitor and control the delegation for the production environment. This task typically can be broken down into three areas: logging, monitoring, and auditing. Each area is critical to ensuring that security within AD is maintained. Finally, we will take a look at tools that can help you complete your delegation within AD.
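The two delegation mechanisms described above (permissions granted to data-administration groups on OUs, and membership in the built-in service-administration groups) are also the two things to audit once delegation is in production. The following PowerShell script is an added example, not code from the guide or its authors: it lists the explicit, non-inherited Allow entries on an OU that were granted to principals other than the default ones, and enumerates the members of the built-in service-administration groups. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the guide). Requires the ActiveDirectory module,
# which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

# Placeholder OU; replace with the OU whose delegation you want to review.
$OuDn = 'OU=Workstations,DC=example,DC=com'

# Principals that normally hold ACEs on every OU; filter them out so the
# report shows only what was delegated on top of the defaults.
$DefaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-OuDelegatedAces {
    param([string]$DistinguishedName)
    # Only explicit (non-inherited) Allow entries describe delegation that was
    # configured on this OU itself rather than inherited from the domain.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Where-Object { $DefaultPrincipals -notcontains $_.IdentityReference.Value -and
                       $_.IdentityReference.Value -notmatch '\\(Domain|Enterprise) Admins$' } |
        Select-Object @{n='Principal'; e={ $_.IdentityReference.Value }},
                      ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

function Get-ServiceAdminMembers {
    # Built-in groups whose membership constitutes service administration.
    # Enterprise Admins and Schema Admins exist only in the forest root, so
    # lookups that fail in a child domain are skipped rather than aborting.
    $Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object @{n='Group'; e={ $g }}, SamAccountName, objectClass, distinguishedName
    }
}

"== Delegated ACEs on $OuDn =="
Get-OuDelegatedAces -DistinguishedName $OuDn | Format-Table -AutoSize
"== Members of service-administration groups =="
Get-ServiceAdminMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Running the script on a schedule and diffing its output against the delegation design document turns the "monitoring and auditing" task into a concrete check: any principal or group member that appears without a matching design entry is a deviation to investigate.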