Security and Active Directory 2003

Introduction to Active Directory Security

When you plan your Active Directory Forest, take the time to consider security.  A few minutes planning could save you hours of rework and the cost of unnecessary domain controllers.

Topics for Active Directory Security


Criteria for a Second Domain

Back in the 1990’s when NT 4.0 ruled the roost, the big problem was too many domains.  The cause was partly the size limitation of the SAM database and partly the culture of each manager wanting their own domain.  Active Directory removes the size limitations, so you now need to apply fresh criteria to deciding how many domains your need.  Here are some possible reasons:

Security – The need for different security policies

International incompatibility – Different languages, different encryption standards

Pure ‘ring fence’ security – Concept of a blank root domain

Directory Synchronization traffic – A valid reason for a second domain, but the reason is lack of bandwidth rather than a security limitations

My point is that security considerations are the prime reason for creating more domains.  More domains mean greater costs on domain controllers and increased complexity for configuration.  So have a good reason to create that second or third domain.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

Group Policy

Prevention is better than cure, and good group policy will prevent security breaches, for example:

  • Virus checking, Virus updates
  • Internet Explorer – Script settings
  • Blocking unauthorized driver installation
  • Controlling RAS and VPN
  • IPSEC settings
  • RIS Installation policy
  • EFS Recovery agents
  • Also Account Security
  • Naturally Group Policy has numerous setting not directly affecting security

Special Accounts and Groups

THE Administrator

The number one job that you can do to improve security is to rename the original administrator.  Why is this?  Every hacker know if its UNIX go for the ROOT user, if it’s Windows go for administrator.  You could even create a spoof administrator account with no privileges and monitor if anyone tries to logon with that account.

Enterprise Admins

Only in the root domain do you find Enterprise Admins.  Members of this group can create accounts in any of the other domains so they are more powerful than than the Domain Admins or Local Administrators.  Best practice is to limit members of this group, or even leave it blank, only creating users when needed then deleting them.

Schema Admins

This group is needed when you extend the Schema as you install Exchange. Members of this group could cause havoc if they carelessly or recklessly experimented with he schema for no good business reason.

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

If you like this page then please share it with your friends


Related topics

Accounts   • Auditing  • IPSec  • Kerberos Tickets  • Windows RIS Server

LT2P and Certificates   • Security Snap-in  • Remote Shutdown