Beef up Active Directory security with these three steps


The Active Directory (AD) structure and the data contained in that structure are the keys to a Windows domain, and it's vital that you implement the proper security and delegation. Here are three simple steps you can take to boost AD's security.

The Active Directory (AD) structure and the data contained in that structure are the keys to a Windows domain. If you don't implement proper security and delegation on AD, you could mistakenly grant your users more privileges and rights than they actually need.

When it comes to mistakes, the AD structure isn't very forgiving. Putting the wrong privileges in the wrong hands could lead to a complete rebuild of your domain. That's why it's important to take three simple steps to better protect your AD implementation -- plan, delegate, and audit.

Plan

Map out your company's departmental structure. Then, use this diagram to create your own organizational units (OUs), and give them names that are meaningful to your company.

The reason for this is two-fold. By designing and naming your own OUs, you'll create a logical place for all of your users, all of your user groups, and all of your hardware. This simplifies management of these items through the Group Policy Editor, making administration of your domain a lot easier.

In addition, creating your own OUs allows you to design your own security policy for the different OU types. This is important because the default permissions on the OUs built into AD aren't as restrictive as they should be.

Delegate

Administering an AD domain is a big job, and the same person or the same account shouldn't be responsible for everything. Too many privileges tied to one account spell disaster: If an intruder compromises that account or the person holding that account leaves (or becomes disgruntled), your entire domain would be at risk.

Instead, your AD implementation should include two types of administrators: data administrators and service administrators. This helps spread out the responsibility, boosting security in the process.

Data administrators

These admins are responsible for maintaining the information stored in AD. This has nothing to do with files and folders; these administrators are in charge of user accounts, computer accounts, group accounts, and so on. A data administrator is similar to the Account Operators group of an NT domain.

Because AD can only secure and manage computers it controls, it's essential that every computer connected to your internal network is joined to the domain. Otherwise, you have a computer inside your security boundary that you have no control over.

When creating accounts and groups for data administrators, assign only those rights and privileges necessary to administer the OUs within their control. In addition, make sure these accounts don't have privileges to browse the Internet or read e-mail.

In addition, don't allow data administrators to create accounts for other data administrators; service administrators should be responsible for this. These steps plug a tremendous security hole and force the account holders to perform only their assigned functions when using the account.
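To tie the Plan and Delegate steps together, the following PowerShell script (an added example, not from the original article) builds one OU per department from a constructed department map, creates a data-administrator group for each OU in a separate "Delegation" OU that only service administrators manage, and grants each group rights over user objects in its own OU and nothing else. It assumes the ActiveDirectory module and a Domain Admins session on a domain-joined machine; the department names are constructed.

```powershell
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
# Constructed department map (assumption): one OU per department with a meaningful description.
$departments = @{
    'Finance'     = 'Finance users and workstations'
    'Engineering' = 'Engineering users and workstations'
}
# schemaIDGUID of the 'user' object class; it scopes the delegated rights to user objects only.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Data-administrator groups live in an OU that only service administrators control,
# so a data admin cannot create or alter other data admins.
$adminOU = "OU=Delegation,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$adminOU'")) {
    New-ADOrganizationalUnit -Name 'Delegation' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($dept in $departments.Keys) {
    $ouDN = "OU=$dept,$domainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN -Description $departments[$dept] `
            -ProtectedFromAccidentalDeletion $true
    }
    $groupName = "$dept-DataAdmins"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -Path $adminOU -GroupScope Global -GroupCategory Security `
            -Description "Data administrators for OU=$dept"
    }
    $sid = (Get-ADGroup $groupName).SID

    $acl = Get-Acl -Path "AD:\$ouDN"
    # ACE 1: may create and delete user objects in this OU and its sub-OUs (no other classes).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow, $userClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # ACE 2: full control over the user objects beneath this OU, but not over the OU itself
    # or over the groups and computers in it.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}
```

Because the groups sit outside the departmental OUs and the ACEs are scoped to the user class, a data administrator cannot add members to their own DataAdmins group or touch computer and group objects.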

Service administrators

These admins are responsible for the day-to-day, behind-the-scenes tasks of managing and maintaining the domain. They're also responsible for managing all of the different services the domain offers to its users. This includes the domain name system (DNS); availability of the global catalog (GC) servers; replication of data through distributed file system (DFS); your company's domain controllers (DCs) and different sites within your forest; trust relationships with other domains; and, most important, the AD schema.

The service administrator role is quite powerful, and you should reserve this position for the most experienced and knowledgeable members of your team. Keep in mind that while these administrators have more privileges than the data administrators, their actions are also under more scrutiny.

Audit

No AD implementation would be complete without the auditing of objects and events. It's an important part of the process -- and not only as a way of checking whether your domain's security is actually working.

In addition, auditing is the main method of checks and balances between the two types of administrators. Auditing is your primary means for determining when security changes have occurred and who made them.
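Two checks that put this into practice, as an added PowerShell example that is not part of the original article: the first reports who has been delegated what on every OU (explicit, non-inherited ACEs, with the default trustees filtered out), and the second reads the Security log on a domain controller for permission changes (event 4670) and object modifications (event 5136) so you can see who made a change and when. It assumes the ActiveDirectory module, read access to the DC's Security log, and that the "Directory Service Changes" audit subcategory and a SACL on the OUs are enabled; the GUID-to-name table is a small constructed subset.

```powershell
Import-Module ActiveDirectory
# Well-known schemaIDGUIDs (constructed subset) so the report shows names instead of GUIDs.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = 'all object types'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
}
# Trustees present on every OU by default; skipped so only deliberate delegation remains.
$defaultTrustees = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
    'BUILTIN\Print Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone')

# Who has been delegated what on each OU: explicit (non-inherited) ACEs, defaults removed.
function Get-OUDelegation {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.IsInherited -or $defaultTrustees -contains $who -or
                $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
            $type = $ace.ObjectType.ToString()
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Trustee   = $who
                Access    = "$($ace.AccessControlType): $($ace.ActiveDirectoryRights)"
                AppliesTo = if ($guidNames.ContainsKey($type)) { $guidNames[$type] } else { $type }
                Inherit   = $ace.InheritanceType
            }
        }
    }
}

# Who changed permissions (4670) or attributes (5136) on directory objects recently.
# Needs 'auditpol /set /subcategory:"Directory Service Changes" /success:enable' on the DCs
# and a SACL on the OUs; without both, the query returns nothing.
function Get-ADChangeEvents {
    param([string]$DomainController = (Get-ADDomainController).HostName, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4670, 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data   # fields by name, not by position
            [pscustomobject]@{
                Time   = $_.TimeCreated; EventId = $_.Id
                Actor  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                Object = ($data | Where-Object { $_.Name -in 'ObjectName', 'ObjectDN' }).'#text'
            }
        }
}
```

Run `Get-OUDelegation | Sort-Object OU, Trustee | Format-Table -AutoSize` on a schedule and diff the output against the last run; any trustee that appears without a matching 4670 event from a service administrator is a change worth investigating.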

Final thoughts

Microsoft has gone a long way toward increasing AD's security. But the problem is that most people fail to properly plan out their installation and end up spending too much time fixing mistakes they shouldn't have made in the first place. Remember: Plan, delegate, and audit.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.


1 comment

JonathanCraig

Mike, first of all, thanks for writing such an effective article in such a simple fashion - very nice job! You have so rightly said that "Putting the wrong privileges in the wrong hands could lead to a complete rebuild of your domain. That's why it's important to take three simple steps to better protect your AD implementation -- plan, delegate, and audit." My question is that when you mention "audit", I think you're referring to audit"ing" as opposed to performing an audit of who delegated powers in Active Directory. While audit"ing" is clearly important, I think it is also super-important to be able to audit delegated access in Active Directory. We have been looking for ways to do this for a while now, so I thought I would ask you if you can help us find out how to audit (not the one in audit"ing") delegated access in Active Directory. The best resource I have found thus far is a discussion on "How to find out who is delegated what access in our Active Directory?" on a community forum called "www.ActiveDirSec.Org". As a TechRepublic specialist, I look forward to your thoughts on this question. Thanks Mike! - Jonathan
