Introduction to Active Directory Security
When you plan your Active Directory Forest, take the time to consider security. A few minutes planning could save you hours of rework and the cost of unnecessary domain controllers.
Topics for Active Directory Security
Back in the 1990’s when NT 4.0 ruled the roost, the big problem was too many domains. The cause was partly the size limitation of the SAM database and partly the culture of each manager wanting their own domain. Active Directory removes the size limitations, so you now need to apply fresh criteria to deciding how many domains you need. Here are some possible reasons:
- Security – The need for different security policies
- International incompatibility – Different languages, different encryption standards
- Pure ‘ring fence’ security – Concept of a blank root domain
- Directory Synchronization traffic – A valid reason for a second domain, but the reason is lack of bandwidth rather than a security limitation
My point is that security considerations are the prime reason for creating more domains. More domains mean greater costs on domain controllers and increased complexity for configuration. So have a good reason to create that second or third domain.
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
- Seeking and zapping unwanted user accounts.
- Finding inactive computers.
- Bulk-importing new users. Give this AD utility a try, it’s free!
Prevention is better than cure, and good group policy will prevent security breaches, for example:
- Virus checking, Virus updates
- Internet Explorer – Script settings
- Blocking unauthorized driver installation
- Controlling RAS and VPN
- IPSEC settings
- RIS Installation policy
- EFS Recovery agents
- Also Account Security
- Naturally Group Policy has numerous settings not directly affecting security
The number one job that you can do to improve security is to rename the original Administrator account. Why is this? Every hacker knows that on UNIX you go for the root user, and on Windows you go for Administrator. You could even create a spoof Administrator account with no privileges and monitor whether anyone tries to log on with that account.
Only in the root domain do you find Enterprise Admins. Members of this group can create accounts in any of the other domains, so they are more powerful than the Domain Admins or Local Administrators. Best practice is to limit the members of this group, or even leave it empty, only adding users when needed and then removing them.
The Schema Admins group is needed when you extend the schema, for example as you install Exchange. Members of this group could cause havoc if they carelessly or recklessly experimented with the schema for no good business reason.
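As an added example (not from this article, and not a SolarWinds utility), the PowerShell script below puts the last two recommendations into practice: it reports the membership of Enterprise Admins and Schema Admins, confirms the spoof Administrator account really is privilege-less, and checks the Security log for anyone trying to log on with it. It assumes the ActiveDirectory RSAT module, that it runs on a domain controller in the forest root domain, and a decoy account named Administrator (an assumed name; substitute your own).

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module, a domain controller in the forest root domain (where Enterprise
# Admins and Schema Admins live) and read access to its Security log.
Import-Module ActiveDirectory

$DecoyName = 'Administrator'   # the spoof account with no privileges (assumed name)
$HoursBack = 24

# 1. Membership of the forest-wide groups that should stay empty or near-empty.
foreach ($group in 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    if ($members.Count -eq 0) {
        Write-Output "$group has no members (as recommended)"
    }
    else {
        Write-Warning "$group has $($members.Count) member(s): $($members -join ', ')"
    }
}

# 2. The decoy must really be privilege-less: disabled and in no extra groups.
$decoy = Get-ADUser -Identity $DecoyName -Properties MemberOf, Enabled
if ($decoy.Enabled) {
    Write-Warning "$DecoyName is enabled; a decoy account should be disabled"
}
if (@($decoy.MemberOf).Count -gt 0) {
    Write-Warning "$DecoyName belongs to: $($decoy.MemberOf -join '; ')"
}

# 3. Nobody has a legitimate reason to log on as the decoy, so every
#    4624 (logon) or 4625 (failed logon) naming it is worth an alert.
$filter = @{ LogName = 'Security'; Id = 4624, 4625
             StartTime = (Get-Date).AddHours(-$HoursBack) }
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        ($data | Where-Object Name -eq 'TargetUserName').'#text' -eq $DecoyName
    } |
    Select-Object TimeCreated, Id,
        @{ n = 'Source'; e = { $d = ([xml]$_.ToXml()).Event.EventData.Data
                               ($d | Where-Object Name -eq 'IpAddress').'#text' } }

if ($hits) {
    Write-Warning "$(@($hits).Count) logon attempt(s) against decoy '$DecoyName' in the last $HoursBack h"
    $hits | Format-Table -AutoSize
}
else {
    Write-Output "No logon attempts against '$DecoyName' in the last $HoursBack h"
}
```

Schedule it on each domain controller if you want coverage of logons serviced by the other DCs, since each DC only records the attempts it handled.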
I like the Permissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a user's effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users' access to a resource. Give this permissions monitor a try – it’s free!