
Active Directory and its uses

Gavin Livingstone, Bryley Systems Inc.

Microsoft’s Active Directory (AD) is not well known, but it is a critical component in securing Windows Server-based networks.

Active Directory, introduced with Windows Server 2000, is included with most versions of Windows Server, but is also available as a service[1].  Its primary function is to facilitate authentication and authorization of users (members) and resources within an AD domain.  (An AD domain is a logical collection of users, computers, groups, and other objects; multiple domains can be created for different sites or groups, and trust relationships can be established between these domains.)

One of AD’s greatest strengths is to permit the centralized creation of user and group-based policies; it can then enforce these policies, ensuring that members comply with login and usage requirements.  Plus, it logs policy violations and login attempts, supporting the automation of error-log-checking solutions.

Basic AD services include:

  • Domain Services (AD DS) – Stores and verifies member credentials
  • Lightweight Directory Services (AD LDS) – A limited-feature version of AD DS
  • Certificate Services (AD CS) – Public-key certificates supporting encryption
  • Federation Services (AD FS) – Single sign-on functionality; AD and non-AD
  • Rights Management Services (AD RMS) – Management of access rights

Single instances of AD DS run on a server; once AD DS is deployed, this server is known as a domain controller (DC).  Most Windows Server-based networks have two or more domain controllers; a primary DC and secondary DC(s) to provide failover directory (via replication) and location-based access to the directory.

During login, users authenticate to the primary DC or to a secondary DC.

Active Directory is managed through a series of tools; most are included within Windows Server, but third-party tools[2] exist that provide better control and automation, particularly for larger organizations managing complex environments.

Best practices for AD design include[3]:

  • Build a logical structure based on a hierarchical, tree-like approach:
    • Forests – Top-level container (not always used)
    • Domains – Second-level containers within forests
    • Organizational units – Third-level containers within domains
  • Construct a physical model to address location requirements/constraints:
    • Place at least one domain controller (preferably two) at each site
    • Determine placement of replicas of domain data
    • Describe network topology
    • Consider traffic limitations

AD design tips[4] include:

  • Keep it simple
  • Match site topology to network topology
  • Ensure you have at least two DNS servers
  • Try to dedicate a server as a domain controller

Security best practices for AD include[5]:

  • Rename or disable the Administrator account
  • Physically secure domain controllers and servers
  • Apply Group Policy settings to restrict user, group, and computer access

Basically, Active Directory forms the heart of any Windows Server-based network; it is a critical component, even when using Cloud-based resources.  (Cloud-based resources can often be integrated within AD through Federation Services (AD FS).)
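The design and security practices listed above can be checked from a domain-joined machine. This is an added PowerShell example, not code from the article; it assumes the ActiveDirectory and DnsClient modules are available and the caller can read the directory.

```powershell
# Added example: spot-check three of the practices above.
# Assumes the ActiveDirectory and DnsClient modules and read access to AD.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. "Rename or disable the Administrator account".
#    The built-in Administrator always has RID 500, whatever it is called,
#    so look it up by SID instead of by name.
$admin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500" -Properties Enabled
if ($admin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in Administrator account has not been renamed.'
}
if ($admin.Enabled) {
    Write-Warning "Built-in Administrator account ($($admin.SamAccountName)) is still enabled."
}

# 2. "Place at least one domain controller (preferably two) at each site".
Get-ADDomainController -Filter * |
    Group-Object -Property Site |
    ForEach-Object {
        if ($_.Count -lt 2) {
            Write-Warning ("Site '{0}' has only {1} domain controller(s)." -f $_.Name, $_.Count)
        }
    }

# 3. "Ensure you have at least two DNS servers": count the NS records
#    published for the domain's DNS root.
$ns = @(Resolve-DnsName -Name $domain.DNSRoot -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' })
if ($ns.Count -lt 2) {
    Write-Warning "Only $($ns.Count) DNS name server(s) published for $($domain.DNSRoot)."
}
```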

References

[1] Active Directory as a service is available through Microsoft’s Azure Active Directory, Bryley Systems’ Hosted Cloud Server™, and other providers.

[2] 10 Must-Have Active Directory Tools, by Walker Rowe of Anturis, 4/14/15.

[3] Best Practice Active Directory Design for Managing Windows Networks and Best Practice Active Directory Deployment for Managing Windows Networks, from the Microsoft Developer Network.  (These are dated, but extremely detailed.)

[4] 10 Tips for effective Active Directory design, by Brien Posey of TechRepublic, 8/23/2010.

[5] Active Directory Best Practices, Microsoft TechNet, 1/21/2005.

Recommended practices – Part-7: Resource management via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Active Directory is an integral component of Microsoft Windows Server; it is a powerful utility to manage both end-users and shared resources on a network.

It can scale to match the needs of any organization, from small to Enterprise size.

User management via Active Directory was discussed in January 2015 Bryley Tips and Information at http://www.Bryley.com/Bryley-Tips-Information-January-2015/. Resource management is reviewed below.

Resources (servers, computers, folders, printers, scanners, etc.) should be located strategically to provide capabilities where needed.  They can be set up to support either groups of computers (e.g., all counter-based PCs in a retail store) or groups of users (e.g., all tellers at a specific branch office of a bank).

Resources are published within Active Directory to assign access.  For example, these are the basic steps to publish a new printer for a group of computers:

  • Create a new Group Policy within the appropriate Container*
  • Select the desired Computer Configuration settings
  • Set up Location Tracking (as needed)

*Active Directory uses Containers to provide segmentation and organizational structure; Containers are usually Forest, Tree, Sites, Organizational Units, or Domains.

If you prefer to set up access for a group of users rather than a group of computers, you would select User Configuration rather than Computer Configuration when publishing a resource.
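The three publishing steps above, carried out with the GroupPolicy cmdlets. This is an added PowerShell example rather than the article's own procedure; the OU path, GPO name and location string are assumptions, and the two registry value names are the ones the Printers policy template writes for the "Computer location" and "Pre-populate printer search location text" settings (verify against your own ADMX files).

```powershell
# Added example: publish printer settings to a group of computers.
# OU, GPO name and location text are assumed values.
Import-Module GroupPolicy

$ou   = 'OU=Retail Counters,OU=Workstations,DC=corp,DC=example'   # assumed OU
$name = 'Retail Counter Printers'                                  # assumed GPO name

# Step 1: create the Group Policy within the appropriate Container (the OU)
#         and link it so that computers in that OU receive it.
New-GPO -Name $name -Comment 'Printer settings for counter PCs' | Out-Null
New-GPLink -Name $name -Target $ou -LinkEnabled Yes | Out-Null

# Step 2: Computer Configuration settings. An HKLM key lands under the GPO's
#         Computer Configuration and applies whoever logs on to the PC.
$key = 'HKLM\Software\Policies\Microsoft\Windows NT\Printers'
Set-GPRegistryValue -Name $name -Key $key -ValueName 'PhysicalLocation' `
    -Type String -Value 'Store 17/Sales Floor' | Out-Null           # assumed location

# Step 3: Location Tracking, so users on these PCs can search for printers
#         near the location set above.
Set-GPRegistryValue -Name $name -Key $key -ValueName 'PhysicalLocationSupport' `
    -Type DWord -Value 1 | Out-Null

# For a group of *users* instead of computers, the same call with an HKCU key
# puts the setting under User Configuration of the GPO.
Get-GPRegistryValue -Name $name -Key $key
```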

Once published, resources within Active Directory need periodic attention to adjust access as needs change and to remove decommissioned resources.

Active Directory has a well-established set of best practices; these can be enforced through the Active Directory Best Practices Analyzer, which identifies and reports deviations from best practices.

William R. Stanek provides an overview of Active Directory features and capabilities in his article Using Active Directory Service, from Chapter 5 of the Microsoft Windows 2000 Administrator’s Pocket Consultant.

Recommended practices – Part-6: Manage end-users via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege. And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships: Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior. (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-users include:

  • Enforce password use and complexity
  • Require periodic password changes
  • Lock screen after time-out
  • Restrict access
  • Grouping

Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important:  A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed.  (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft.  (We require password changes every 90 days.)  When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk.  To alleviate this, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.
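The password and lock-screen rules from the three sections above, applied with the ActiveDirectory and GroupPolicy cmdlets. This is an added PowerShell example, not the newsletter's own configuration; the domain name, OU and GPO name are assumptions, while the nine-character minimum and 90-day maximum age follow the text.

```powershell
# Added example: enforce the password and screen-lock rules described above.
# Domain, OU and GPO name are assumed values.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = 'corp.example'                       # assumed domain
$usersOu = 'OU=Staff,DC=corp,DC=example'        # assumed OU holding end-users

# Enforce password use and complexity, periodic change, and no reuse of old
# passwords. A minimum age of one day stops a user from cycling through the
# history list in one sitting to get back to a favourite password.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 9 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -ReversibleEncryptionEnabled $false

# Lock screen after time-out: a User Configuration policy that turns the
# screen saver on, password-protects it, and sets the idle time in seconds.
$gpoName = 'Staff Screen Lock'
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$lock = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }
foreach ($setting in $lock.GetEnumerator()) {
    Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $setting.Key `
        -Type String -Value $setting.Value | Out-Null
}

# Verify what is now in force.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount
Get-GPRegistryValue -Name $gpoName -Key $key
```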

Restrict access

Network resources are available to all, 24 hours a day, seven days a week.  However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

  • Read – Allow access to a file
  • Change – Permit adding, modifying, and removing a file
  • Full Control – Change permissions settings in a file
  • Deny – Override all other access settings to prevent access

Read, Change, and Full Control work on a “most permissive” basis.  For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access.  Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny works differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because they are a member of a group that has Deny set.  (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.
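The Deny pitfall and the "remove the default Read right" fix from the two paragraphs above, shown on a file share with the SmbShare cmdlets. This is an added PowerShell example, not from the newsletter; the share name, path and group names are assumptions.

```powershell
# Added example: restricting a payroll share the wrong way and the right way.
# Share name, path and group names are assumed values.
Import-Module SmbShare

$share = 'Payroll'
# Grant the Payroll group Change. New-SmbShare also gives Everyone Read by
# default, which is the "default Read right" the text refers to.
New-SmbShare -Name $share -Path 'D:\Payroll' -ChangeAccess 'CORP\Payroll' | Out-Null

# --- The pitfall: a Deny on a broad group --------------------------------
# Every Payroll member is also in Domain Users, and Deny overrides any Allow,
# so the Payroll group loses its Change access along with everyone else.
Block-SmbShareAccess -Name $share -AccountName 'CORP\Domain Users' -Force | Out-Null
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight

# --- The fix: remove the Allow instead of adding a Deny ------------------
Unblock-SmbShareAccess -Name $share -AccountName 'CORP\Domain Users' -Force | Out-Null
Revoke-SmbShareAccess  -Name $share -AccountName 'Everyone' -Force | Out-Null
# Only the Payroll group now has an entry. Everyone else has no Allow at all,
# and "most permissive" evaluation of nothing yields no access.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
```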

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.
