This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This assignment is a brief overview of some of the features in Active Directory Server 2008, it includes the main components within a forest and then covers recommendations for Active Directory concentrating on security. This covers group settings, policies and rules to create an effective Active Directory environment.
Active Directory domain services in Server 2008
Active Directory is a centralised system that provides authentication and authorisation for users, computers, resources and the applications they use. It is controlled at the administrator level whether that be as an individual administrator in a small network or a group of administrators in a larger organisation, it can be used in a small network or in theory can be scaled to hold 4,294,967,041 separate objects. Active Directory (AD) provides a single point that administrators can control resources from. Resources being files, applications, users and any associated system resource this shows (AD) to be well managed and eminently scalable.
It is a database or directory service used to manage and store information concerning network resources, used to organise the network and allocate resources throughout the network. The network is divided into areas with specific components starting with a forest and subsequent domain.
A container is any device that contains more than one object, a forest is the largest container,
unlike a leaf object which does not contain other objects. The forest is the security boundary of a network environment, so a user can access resources throughout an entire forest with one single logon. You can have more than one forest as in larger organisations but a user would require an additional logon.
The next smallest part of Active Directory is the domain and this is really where Active Directory comes into its own, a server 2008 computer configured with Active Directory domain services role is referred to as a domain controller. The domain controller stores the Active Directory database and therefore controls authentication of users and maintains the database information.
The domain controller also replicates all of the information stored in its database file to other domain controllers synchronising any changes within the network to all the other controllers, the file that contains the information is the ntds.dit file. This file is used by the administrator and can be updated from any controller keeping the database consistent across all domains, any update carried out on any controller in (AD) can be replicated throughout it is referred to as a multimaster system (multiple controllers for one master database).
Any change carried out on one controller say adding a new user account the controller will update the ntds.dit database and will then be replicated to the other domain controllers this can be replicated immediately through forced replication, through the GUI or with the command prompt" gpupdate "command. Replication also occurs at a set time a default time of 180 minutes or can be set by the administrator to as little as 15 minutes. This is between sites known as intersite or much quicker replication intrasite within a site.
The forest is the main part of the active directory hierarchy followed by the domain as the trees, the branches are then described as the Organisational units(OU), these can have other organisational units within them this is known as nesting, and one group can be nested with another, two eggs in one nest. The individual objects within the (OU) container are the objects or to finish off our forest they are the leaves on the (OU) branches.
Organisational units can be set to reflect the structure within your company you could have two separate (OUs) One for marketing and one for Accounts, you can assign different policies for each (OU) putting a structure in place that will reflect each departments needs. This allows you to design your Active Directory network to suit the requirements of both departments and tailor them to their group needs.
Groups and security
Groups are used to make control of Active Directory more manageable, (OUs) already mentioned allocate grouping of resources that have similar needs. Groups are used to make network permissions easy for the administrator to control. The administrator can assign permissions to many users simultaneously, assigning network resources and associated permissions.
The administrator can assign permissions to different groups these are known as security groups, these groups allow multiple users access to resources. Two of the main groups are:
Domain local groups - used to assign permissions to resources in the same domain as the domain local group.
Global groups - used to allow or deny permissions to any resource in any domain.
Recommendations and Security
To prevent attacks to the administrator account it is advisable to change the name of this account as administrator accounts can be targeted in attacks. Also when setting passwords make them difficult and limit the amount of people that know the password.
All the accounts should be set with strong passwords and should be changed on a regular basis to help with security. When creating accounts the administrator can make sure the user has to log on with a strong password and can also determine how often the password has to be changed.
The type of security you use is down to what is required for your network. Active directory supports AES encryption giving the highest level of encryption available., e.g. If you were to use a DES key for security and a key could be cracked in 1 second it would take the equivalent of 149 trillion years to crack a 128 bit key and Active directory can support both 128 and 256 bit.
Users can be placed into groups allowing the administrator to assign permissions to the individual user within a group standardising and giving the user in each group the same privileges and access. This can also be used to limit access to more sensitive information with fewer users having access to this information.
There are two groups used in Active Directory the first is distribution, this is not security related and is used for information distribution, and the earlier mentioned security group giving users access to resources.
Groups also have scopes this controls the objects contained within the group. If you have certain users that need access to a resource for example a book on Active Directory, the users can be grouped together in a security group named Active Directory. The administrator creates the group and then assigns the group access to the resource (book). The scope controls the objects that the group have access to. This can be contained to a local group, within a domain, across different domains, or universally spanning the entire forest. This allows control of users and computers alike and the resources available to them, by limiting access your system remains secure.
Users and groups can be created in Active Directory Users and Computers, this is my preferred way they can also be created using command prompt using the "dsadd" user syntax. If you are more comfortable using the command prompt utility this is available but typing everything can take longer.
Group policies do not apply only to groups they can be linked to sites, organisational units (OU) and domains which in turn apply these settings to the users and computers within them.
Group policy allows you to control and choose the settings and features you wish to use, you can also use security group filtering where you can apply group policy permissions to individuals or groups. Group policy objects (GPOs) contain the group policy settings for users and computers in a site, (OU) or domain, administrators and users can have different GPOs to control their access levels.
They have two settings created by default user and computer configuration (by default all of the objects within a GPO container are affected by the GPOs settings). They are divided into further nodes which can be used for software, windows and administrator templates all of which give control of policies and settings within the network, another good secure feature.
Group policy is controlled in a hierarchy from 1-4:
1. Local policies
2. Site policies
3. Domain policies
4. OU policies
You can use any of the four policies but if you create an OU policy setting that is covered in a site policy the OU policy will override any settings that conflict with the site policy, I just wanted to highlight this so that when planning security in group policy you are aware that if you suddenly cannot work out why a policy is no longer working anything with a higher number in the hierarchy will take precedence.
Similarly computer policy settings override user policy settings.
Most security settings are in the Windows settings folder under the policies node (see screen shot above).
Settings and Policies
Security settings are used to control how users are authenticated, the resources they are allowed access to and their respective group membership policies.
Another area covered by GPOs are account policies, these cover three policies:
1. Password policies you can set maximum password and minimum password ages before they have to be replaced with a new password, whether to use encryption and the complexity of the password. The use of fine grained password policies which allow multiple policies in a single domain.
2. Account lockout policies stating the time to lockout the account, if an administrator needs to be contacted or the amount of attempts a user is allowed to log on.
3. Kerberos policies this is a ticket based policy and if the time on the computers is not synchronised to within 5 minutes it will not let a user log on. The ticket can have time limits placed on it so the user can only have access as determined by the policy.
In addition events can be logged through audit policy allowing the administrator to track, monitor and effectively manage events happening on computers, this will help to identify possible problem areas within the network.
Restricting groups and members can also be controlled you will give certain individuals access to administrator tasks to carry out area specific tasks. Another restricted area you can control is the restricted use of software, providing you with greater control over potential harmful software applications. All administrators are aware of the effect from a virus or a worm entering the system and while your network will already have firewalls, anti-virus and a host of other protections for your system being able to restrict software that is allowed to run will help limit possible attacks.
There are three categories for restriction policies and they are as follows:
Unrestricted all applications are allowed to run apart from those specifically excluded.
Disallowed stops all applications from running except those that are specifically allowed.
Basic User prevents any application from running without administrative rights, but allows all applications that a normal user can run.
When a new software restriction policy is created the additional rules subfolder is highlighted (see screen shot below).
Within this folder you can create a profile allowing or denying which applications will be allowed to run.
There are four rules which are used in software restrictions
1. Hash rule is a series of bytes to identify a program or file the use of a hash algorithm making a unique copy compared to a fingerprint of the file. If the hash is changed in anyway the file is not allowed, so if a virus is attached to a file your system is still safe.
2. Certificate rule this allows software through from a trusted source using the signing certificate of an application.
3. Network zone rule this allows Window installer packages to allow installation if they come from a trusted area of the network.
4. Path rules this follows the path back to where the application is and only allows files from the identified path, it can be a problem if the file is moved and the path changes. This can be overcome by the use of a registry key; the registry key updates the path automatically preventing any problem.
When a conflict occurs between the rule types the lower the number (using 1-4) gains precedence over the higher number, and if two rules are the same the one that has more restrictions will be applied, e.g. disallowed would be used over unrestricted.
Certain groups, users and computers can be excluded by using security group filtering, this can be used to prevent users access to control panel applications or the command prompt utility.
After setting up any group policies you can use the Resultant set of Policy wizard this allows administrators to view the effects the policy changes will have before they are implemented on users and computers, this is the planning mode. A further use is the logging mode which provides a report on the existing policies in the network. Having set up all the relevant GPOs it is good practice to use the RSOP to check the effects on the network
To create a secure environment for users to communicate Active directory certificate services. Certificate services use a public key infrastructure (PKI). The purpose of the (PKI) is to ensure you are dealing with who you think you are dealing with and not someone impersonating an actual site such as phishing scams so you give out your details to the correct and secure site.
A (PKI) uses a public key for each user and computer, they in turn have a private key that contains information only known to them, this provides the secure link between the two parties.
I found the following chart helpful for explaining the new features of (AD) this shows the new features with two side bars giving additional information.
I found this to be a good resource to give an initial overview of the features, it would take a complete research paper to cover everything in active directory this breaks it into six sections, with explanations and features listed down either side, describing acronyms and a legend on the other.
The six sections cover group policy, active directory management, Read only domain controllers, lightweight directory services, federation services and rights management services.
These cover areas in security such as who can open, modify or forward in word or spreadsheets (Rights management services). You can zoom in for a clearer view.
A complete explanation of groups and scopes are available from the Microsoft website and fully detailed in the server 2008 Active Directory Configuration book Lesson 5.
Active Directory has many built-in security groups which are created by default when installed, in excess of 35 and if you wish to view these they are listed between pages 106-111 in server 2008 Active Directory Configuration.
Server 2008 Conclusions
While reading through the many articles on Active directory one of the points I picked up was that any network design for active directory would depend on the needs of the network you are using and protecting. There is no one way to design and implement a network, each network will have to be designed based on the individual requirements of the network. Networks take weeks of planning depending on the size and requirements, without proper planning it could either fail or prove complicated to implement and manage, so time spent planning in the beginning is time well spent.
The one thing with Active Directory which is its overall strength but in contrast is also the most vulnerable aspect is that an administrator or group, depending on the size of the network is solely responsible for security, smooth running and implementations across the network. If the administrator makes an error or is not trustworthy Active Directory is rendered useless or unworkable yet there is no mention of this as an area of weakness or exploitation, there are many references to access from outside as a potential problem area when inside is where the maximum damage would come from. An entire system by one accident could be replicated across a whole network and although (S 2008 AD) is seen as an effective and secure system similar to other systems it has no overall safeguards against this. It can be argued that accidental deletion has been overcome but only with the protect objects from accidental deletion check box (see screen shot below). This still relies on the right box having a tick in it or not being accidentally having the tick removed.
I can see the merits of automatic replication available in Active Directory but also recognise the possible pitfalls, if an error is made it can be replicated throughout, when deploying changes it is an issue to be aware of.
The consideration for your network with groups and security is to have a system where the users and resources are effectively deployed to make your network operate efficiently whilst controlling access, this will help to prevent excess traffic within the system and give everyone the resources available to perform their roles effectively without compromising the network. When planning this part of the network as with any other keep in mind how flexible your system is if you need to change permissions or add and delete new groups or users. A good system should be able to adapt easily to change.
Policies can be used to restrict and allow access to users and groups alike covering software, encryption, file use and access .not to mention wireless authentication and which other resources to disable or start up automatically when your computer starts. I am not saying you can control everything but with this level of control available, the administrator can control and secure the network as they wish a real plus for a secure network.