Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.
The Active Directory (AD) structure and the data contained in that structure are the keys to a Windows domain. If you don't implement proper security and delegation on AD, you could mistakenly grant your users more privileges and rights than they actually need.
And when it comes to mistakes, the AD structure isn't very forgiving. Putting the wrong privileges in the wrong hands could lead to a complete rebuild of your domain. That's why it's important to take three simple steps to better protect your AD implementation—plan, delegate, and audit.
Map out your company's departmental structure. Then, use this diagram to create your own organizational units (OUs), and give them names that are meaningful to your company.
The reason for this is two-fold. By designing and naming your own OUs, you'll create a logical place for all of your users, all of your user groups, and all of your hardware. This simplifies management of these items through the Group Policy Editor, making administration of your domain a lot easier.
In addition, creating your own OUs allows you to design your own security policy for the different OU types. This is important because the default permissions on the OUs built into AD aren't as restrictive as they should be.
Administering an AD domain is a big job, and the same person or the same account shouldn't be responsible for everything. Too many privileges tied to one account spell disaster: If an intruder compromises that account or the person holding that account leaves (or becomes disgruntled), your entire domain would be at risk.
Instead, your AD implementation should include two types of administrators: data administrators and service administrators. This helps spread out the responsibility, boosting security in the process.
These admins are responsible for maintaining the information stored in AD. This has nothing to do with files and folders; these administrators are in charge of user accounts, computer accounts, group accounts, and so on. A data administrator is similar to the Account Operators group of an NT domain.
Because AD requires control over all computers, it's essential that any computer connected to your internal network is part of the domain. Otherwise, you have a computer inside your security boundary that you have no control over.
When creating accounts and groups for data administrators, assign only those rights and privileges necessary to administer the OUs within their control. In addition, make sure these accounts don't have privileges to browse the Internet or read e-mail.
In addition, don't allow data administrators to create accounts for other data administrators; service administrators should be responsible for this. These steps plug a tremendous security hole and force the account holders to perform only their assigned functions when using the account.
These admins are responsible for the day-to-day, behind-the-scenes tasks of managing and maintaining the domain. They're also responsible for managing all of the different services the domain offers to its users. This includes the domain name system (DNS); availability of the global catalog (GC) servers; replication of data through distributed file system (DFS); your company's domain controllers (DCs) and different sites within your forest; trust relationships with other domains; and, most important, the AD schema.
The service administrator role is quite powerful, and you should reserve this position for the most experienced and knowledgeable members of your team. Keep in mind that while these administrators have more privileges than the data administrators, their actions are also under more scrutiny.
No AD implementation would be complete without the auditing of objects and events. It's an important part of the process—and not only as a measure of determining the successful security of your domain.
In addition, auditing is the main method of checks and balances between the two types of administrators. Auditing is your primary means for determining when security changes have occurred and who made them.
Microsoft has gone a long way toward increasing AD's security. But the problem is that most people fail to properly plan out their installation and end up spending too much time fixing mistakes they shouldn't have made in the first place. Remember: Plan, delegate, and audit.
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a network security administrator for the Defense Information Systems Agency.