When you plan your Active Directory forest, take the time to consider security. A few minutes' planning could save you hours of rework and the cost of unnecessary domain controllers.

Back in the 1990s, when NT 4.0 ruled the roost, the big problem was too many domains. The cause was partly the size limitation of the SAM database and partly the culture of each manager wanting their own domain. Active Directory removes the size limitations, so you now need to apply fresh criteria when deciding how many domains you need. Here are some possible reasons:
Security - The need for different security policies
International incompatibility - Different languages, different encryption standards
Pure 'ring fence' security - The concept of a blank root domain
Directory synchronization traffic - A valid reason for a second domain, but the reason is lack of bandwidth rather than a security limitation
My point is that security considerations are the prime reason for creating more domains. More domains mean greater costs for domain controllers and increased complexity in configuration. So have a good reason before you create that second or third domain.
Network security is complex. As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical, hands-on training. In particular, I like the way TrainSignal covers all learning methods: instructor-led, video and of course text material. You can either take one module, for example Network Security, or go for a combination of modules.
See more about Network Security training here
The number one job you can do to improve security is to rename the original administrator. Why is this? Every hacker knows that on UNIX you go for the root user, and on Windows you go for Administrator. You could even create a spoof Administrator account with no privileges and monitor whether anyone tries to log on with that account.
Enterprise Admins
Only in the root domain do you find Enterprise Admins. Members of this group can create accounts in any of the other domains, so they are more powerful than the Domain Admins or local Administrators. Best practice is to limit the members of this group, or even leave it empty, only adding users when needed and then removing them.
Schema Admins
This group is needed when you extend the schema, for example when you install Exchange. Members of this group could cause havoc if they carelessly or recklessly experimented with the schema for no good business reason.
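As an added example (not code from the original article), here is a read-only PowerShell audit of the three points above: whether the built-in administrator (RID 500) still carries its default name, who currently sits in Enterprise Admins and Schema Admins, and which logon events in the last day targeted the decoy account. It assumes the RSAT ActiveDirectory module, that it runs on a domain controller whose Security log holds the logon events, and a decoy account name held in $DecoyName, which is an assumption you should adjust.

```powershell
# Added example (not from the original article): a read-only audit of the
# three points above. Assumes the ActiveDirectory module (RSAT) is installed
# and that it runs on a domain controller so the Security log is local.
# The decoy account name is an assumption; change it to whatever you created.
Import-Module ActiveDirectory

$DecoyName = 'Administrator'   # assumed name of the privilege-less decoy account

# 1. Has the real built-in administrator been renamed? Its RID is always 500,
#    so look it up by SID rather than by name.
$domain     = Get-ADDomain
$builtinSid = "$($domain.DomainSID.Value)-500"
$builtin    = Get-ADUser -Identity $builtinSid -Properties SamAccountName
if ($builtin.SamAccountName -eq 'Administrator') {
    Write-Warning "Built-in administrator (RID 500) still uses the default name."
} else {
    Write-Output "Built-in administrator (RID 500) is named '$($builtin.SamAccountName)'."
}

# 2. Enterprise Admins and Schema Admins exist only in the forest root domain;
#    best practice is to keep them empty except while the work is being done.
$rootDc = (Get-ADForest).RootDomain
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $group -Server $rootDc -Recursive
    if ($members) {
        Write-Warning "$group has $($members.Count) member(s): $($members.SamAccountName -join ', ')"
    } else {
        Write-Output "$group is empty (good)."
    }
}

# 3. Anyone touching the decoy: successful (4624) or failed (4625) logons whose
#    target account is the decoy name, from the last 24 hours.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $target = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    if ($target -eq $DecoyName) {
        $src = ($data | Where-Object { $_.Name -eq 'IpAddress' }).'#text'
        Write-Warning ("{0} event {1}: logon attempt as decoy '{2}' from {3}" -f `
            $e.TimeCreated, $e.Id, $target, $src)
    }
}
```

Run it from an elevated PowerShell session on a domain controller; any warning in section 3 means the decoy has drawn attention and is worth investigating.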