
The Active Directory (AD) structure and the data contained
in that structure are the keys to a Windows domain. If you don’t implement proper
security and delegation on AD, you could mistakenly grant your users more
privileges and rights than they actually need.

And when it comes to mistakes, the AD structure isn’t very
forgiving. Putting the wrong privileges in the wrong hands could lead to a
complete rebuild of your domain. That’s why it’s important to take three simple
steps to better protect your AD implementation—plan, delegate, and audit.


Map out your company’s departmental structure. Then, use
this diagram to create your own organizational units (OUs), and give them names
that are meaningful to your company.

The reason for this is two-fold. By designing and naming
your own OUs, you’ll create a logical place for all of your users, all of your user
groups, and all of your hardware. This simplifies management of these items
through the Group Policy Editor, making administration of your domain a lot

In addition, creating your own OUs allows you to design your
own security policy for the different OU types. This is important because the
default permissions on the OUs built into AD aren’t as restrictive as they
should be.
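As an added example (not code from the article), the following PowerShell builds an OU tree from a departmental map, with a sub-OU each for users, groups and workstations so that every object type has a predictable home and can carry its own Group Policy and delegation. The domain DN, department names and sub-OU names are placeholders.

```powershell
# Added example: create an OU tree that mirrors the departmental map.
# Assumptions: the ActiveDirectory module is installed, the caller has rights
# to create OUs at the domain root, and these names are placeholders.
Import-Module ActiveDirectory

$DomainDN    = 'DC=corp,DC=example'                    # assumption: your domain
$Departments = @('Finance', 'Engineering', 'Sales')    # constructed sample map
$SubUnits    = @('Users', 'Groups', 'Workstations')    # one per object type

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Protecting from accidental deletion blocks the classic "deleted the
        # whole department" mistake the article warns about.
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    } else {
        Write-Host "Exists  $dn"
    }
}

foreach ($dept in $Departments) {
    New-OUIfMissing -Name $dept -Path $DomainDN
    foreach ($sub in $SubUnits) {
        New-OUIfMissing -Name $sub -Path "OU=$dept,$DomainDN"
    }
}

# Verify: list every OU you now own, so the result can be checked against the diagram.
Get-ADOrganizationalUnit -SearchBase $DomainDN -SearchScope Subtree -Filter * |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName
```

Keeping users, groups and workstations in separate sub-OUs is what later makes it possible to delegate "create user accounts here" without also handing out rights over the computer objects next to them.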


Administering an AD domain is a big job, and the same person
or the same account shouldn’t be responsible for everything. Too many
privileges tied to one account spell disaster: If an intruder compromises that
account or the person holding that account leaves (or becomes disgruntled),
your entire domain would be at risk.

Instead, your AD implementation should include two types of
administrators: data administrators and service administrators. This helps spread
out the responsibility, boosting security in the process.

Data administrators
These admins are responsible for maintaining the information stored in AD. This
has nothing to do with files and folders; these administrators are in charge of
user accounts, computer accounts, group accounts, and so on. A data
administrator is similar to the Account Operators group of an NT domain.

Because AD is the mechanism through which you control computers, it's
essential that any computer connected to your internal network is part of the
domain. Otherwise, you have a computer inside your security boundary that you
have no control over.

When creating accounts and groups for data administrators,
assign only those rights and privileges necessary to administer the OUs within
their control. In addition, make sure these accounts don’t have privileges to
browse the Internet or read e-mail.

In addition, don’t allow data administrators to create
accounts for other data administrators; service administrators should be
responsible for this. These steps plug a tremendous security hole and force the
account holders to perform only their assigned functions when using the


Service administrators
These admins are responsible for the day-to-day, behind-the-scenes tasks of
managing and maintaining the domain. They’re also responsible for managing all
of the different services the domain offers to its users. This includes the domain
name system (DNS); availability of the global catalog (GC) servers; replication
of data through distributed file system (DFS); your company’s domain controllers
(DCs) and different sites within your forest; trust relationships with other
domains; and, most important, the AD schema.

The service administrator role is quite powerful, and you
should reserve this position for the most experienced and knowledgeable members
of your team. Keep in mind that while these administrators have more privileges
than the data administrators, their actions are also under more scrutiny.


No AD implementation would be complete without the auditing
of objects and events. It's an important part of the process, and not only as a
way of measuring how successfully your domain has been secured.

In addition, auditing is the main method of checks and
balances between the two types of administrators. Auditing is your primary
means for determining when security changes have occurred and who made them.
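As an added example (not from the article), the PowerShell below turns on auditing of directory changes on a domain controller, attaches an audit entry to an OU, and then reports who changed what from the resulting Security log events. The OU name is a placeholder; the audit policy setting is shown with auditpol for illustration, but in a real domain it belongs in the Default Domain Controllers Policy so every DC records the same events.

```powershell
# Added example: audit directory changes under one OU and report them.
# Assumptions: run on a domain controller with the ActiveDirectory module;
# the OU below is a placeholder.
Import-Module ActiveDirectory

$OU = 'OU=Sales,DC=corp,DC=example'   # assumption

# 1. Record directory object changes (events 5136/5137/5141 in the Security log).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL entry on the OU: audit successful writes, creates, deletes and
#    permission changes by anyone (SID S-1-1-0 = Everyone), inherited by all children.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, WriteDacl'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$OU" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# 3. Report: who changed which object and attribute.
#    5136 = attribute modified, 5137 = object created, 5141 = object deleted.
function Get-DirectoryChangeReport {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName   # empty for create/delete events
                NewValue  = $data.AttributeValue
            }
        }
}

Get-DirectoryChangeReport | Format-Table -AutoSize
```

Reviewing this report is the checks-and-balances step: a data administrator changing objects outside their OU, or a service administrator touching user accounts they have no reason to, shows up here with the account that did it.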

Final thoughts

Microsoft has gone a long way toward increasing AD’s security.
But the problem is that most people fail to properly plan out their
installation and end up spending too much time fixing mistakes they shouldn’t
have made in the first place. Remember: Plan, delegate, and audit.

Mike Mullins has
served as a database administrator and assistant network administrator for the
U.S. Secret Service. He is a network security administrator for the Defense
Information Systems Agency.