Security Planning and Administrative Delegation
Lesson 6: Administrative Delegation
Skills Matrix
Technology Skill | Objective Domain | Objective #
Creating an OU Structure | | 4.2
Naming Standard
User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment.
You will usually create a naming standards document to outline the rules for naming all Active Directory objects.
This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.
Strong Passwords
Since user names are often easily guessed, it is essential to have strong passwords. A strong password:
Is at least eight characters in length.
Contains uppercase letters, lowercase letters, numbers, and non-alphabetic characters, with at least one character from each of these character types.
Differs significantly from previously used passwords.
A strong password should not be left blank or contain any of the following information:
Your user name, real name, or company name.
A complete dictionary word.
Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.
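The rules above can be checked before a password is accepted, and the length, complexity and history parts of them can be enforced by the domain password policy. The following is an added example written for this lesson, not code from the original slides. It assumes the RSAT ActiveDirectory module is available and uses a constructed domain name (contoso.example) and constructed user, dictionary and previous-password values; the "differs significantly" rule is implemented here as an edit distance of at least four characters, which is an assumption, since the slide does not define the threshold.

```powershell
# Added example (not from the original lesson). Checks a candidate password against
# the slide's rules and reports every rule it breaks; an empty result means it passed.
function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, used for the "differs significantly" rule (case-sensitive).
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$ForbiddenWords    = @(),   # user name, real name, company name
        [string[]]$Dictionary        = @(),   # complete dictionary words (constructed list below)
        [string[]]$PreviousPasswords = @(),
        [int]$MinDistance            = 4      # assumed threshold for "differs significantly"
    )
    if ([string]::IsNullOrEmpty($Password)) { return @('Password is blank') }
    $problems = @()
    if ($Password.Length -lt 8)   { $problems += 'Fewer than eight characters' }
    if ($Password.Length -gt 127) { $problems += 'Longer than the 127-character Windows limit' }
    # -cnotmatch is required: the default -match is case-insensitive, so [A-Z] would match "a".
    if ($Password -cnotmatch '[A-Z]')        { $problems += 'No uppercase letter' }
    if ($Password -cnotmatch '[a-z]')        { $problems += 'No lowercase letter' }
    if ($Password -notmatch  '[0-9]')        { $problems += 'No number' }
    if ($Password -notmatch  '[^A-Za-z0-9]') { $problems += 'No non-alphabetic character' }
    foreach ($w in $ForbiddenWords) {
        if ($w -and $Password.IndexOf($w, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems += "Contains the forbidden word '$w'"
        }
    }
    if ($Dictionary -contains $Password) { $problems += 'Is a complete dictionary word' }   # -contains ignores case
    foreach ($old in $PreviousPasswords) {
        if ((Get-EditDistance $Password $old) -lt $MinDistance) {
            $problems += 'Too similar to a previously used password'
        }
    }
    return $problems
}

# Constructed sample data for a user "jsmith" (John Smith) at Contoso.
$rules = @{
    ForbiddenWords    = @('jsmith', 'John', 'Smith', 'Contoso')
    Dictionary        = @('password', 'welcome', 'summer')
    PreviousPasswords = @('Summer2023!')
}
Test-StrongPassword -Password 'Summer2024!' @rules    # fails only the "differs significantly" rule
Test-StrongPassword -Password 'Tr0ub4dor&3' @rules    # passes every rule

# Enforcing the length, complexity and history rules domain-wide (assumed domain name).
# Note: the built-in Windows complexity rule requires three of the four character types,
# so the stricter "one of each" rule on the slide still needs the check above at enrolment time.
Set-ADDefaultDomainPasswordPolicy -Identity 'contoso.example' -MinPasswordLength 8 `
    -ComplexityEnabled $true -PasswordHistoryCount 24
```

Running the two sample calls shows the difference between the rules: the first candidate satisfies every character-class rule yet is rejected because it is one character away from the previous password, while the second passes. The `Set-ADDefaultDomainPasswordPolicy` line changes the live domain policy, so run it only in a lab domain.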
Authentication
Authentication is the process of proving who you are.
There are multiple methods of authentication:
What you know (password or PIN).
Who you are (retinal scan or thumbprint).
What you have (smart card).
Smart Card
Smart cards are cards about the size of a credit card.
Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it.
Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.
Administrative Accounts
You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email.
Administrative accounts should be reserved for tasks that require administrator privileges.
Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage.
Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.
Organizational Units
Can be created to represent your company's functional or geographical model.
Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.
Can be used to apply consistent configuration to client computers, users and member servers.
Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site.
Delegating authority at a domain level affects the entire domain.
Delegating authority at the OU level affects only that OU and its hierarchy.
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.
You can delegate predefined tasks, or you can create custom tasks that allow you to be more specific.
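What the Delegation of Control Wizard does underneath is add access control entries to the OU's security descriptor, which is why verification and removal go through the Security tab rather than the wizard. The block below is an added example for this lesson, not code from the original slides: it builds a geographical OU for a branch office, delegates the predefined "reset user passwords" task to a branch helpdesk group by writing the same kind of entry the wizard writes, then shows how to verify and remove it. It assumes the RSAT ActiveDirectory module, a constructed domain contoso.example and constructed OU and group names; the two GUIDs are the well-known Active Directory identifiers for the User-Force-Change-Password right and the user object class.

```powershell
# Added example (not from the original lesson). OU creation, delegation, verification, removal.
Import-Module ActiveDirectory

# 1. Geographical OU structure for a branch office (constructed names).
New-ADOrganizationalUnit -Name 'Branch Offices' -Path 'DC=contoso,DC=example'
New-ADOrganizationalUnit -Name 'Seattle' -Path 'OU=Branch Offices,DC=contoso,DC=example'
$ou = 'OU=Seattle,OU=Branch Offices,DC=contoso,DC=example'

# 2. The group that receives delegated control; only this OU and its hierarchy are affected.
New-ADGroup -Name 'Seattle Helpdesk' -GroupScope Global -Path $ou
$helpdeskSid = (Get-ADGroup -Identity 'Seattle Helpdesk').SID

# 3. Equivalent of the wizard's "Reset user passwords" task: allow the extended right
#    User-Force-Change-Password on user objects below the OU (well-known GUIDs).
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Verification: the same entries the Security tab of the OU's Properties dialog shows.
function Get-DelegatedRights([string]$OuDn, [string]$GroupName) {
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedRights -OuDn $ou -GroupName 'Seattle Helpdesk'

# 5. Removal, which the wizard cannot do: take the entry back out of the OU's ACL.
$acl = Get-Acl -Path "AD:\$ou"
$acl.RemoveAccessRule($ace) | Out-Null
Set-Acl -Path "AD:\$ou" -AclObject $acl
```

The `Get-DelegatedRights` report is worth running on every OU where control has been delegated: entries that are not in your delegation plan, or that were left behind after a branch administrator changed role, show up there and nowhere in the wizard.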
Summary
Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage.
Securing user accounts includes educating users about the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.
As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks.
When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network.
Delegation of administrative tasks should be a consideration in your plan.
Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
Permissions can be delegated using the Delegation of Control Wizard.
Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.
Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.
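The command-line move mentioned in the summary, as an added example for this lesson rather than code from the original slides. It assumes the RSAT ActiveDirectory module and a constructed user jsmith and constructed OU names in the domain contoso.example; the point of the function is that a move into a delegated OU changes who can administer the object, so the new location is confirmed after the move.

```powershell
# Added example (not from the original lesson). Move a user into another OU and confirm it.
Import-Module ActiveDirectory

$targetOu = 'OU=Seattle,OU=Branch Offices,DC=contoso,DC=example'   # assumed OU

# dsmove form from the summary: dsquery resolves the user's DN and pipes it to dsmove.
dsquery user -samid jsmith | dsmove -newparent $targetOu

# PowerShell form of the same move, with a check that the object now sits under the target OU.
function Move-UserToOu([string]$SamAccountName, [string]$TargetOu) {
    $user = Get-ADUser -Identity $SamAccountName
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOu
    $moved = Get-ADUser -Identity $SamAccountName
    if ($moved.DistinguishedName -notlike "*,$TargetOu") {
        throw "Move of $SamAccountName did not land in $TargetOu"
    }
    return $moved.DistinguishedName
}
Move-UserToOu -SamAccountName 'jsmith' -TargetOu $targetOu
```

Because the helpdesk group delegated control of the branch OU can now reset this user's password, moving an object is effectively a change in who administers it; that is why the check on the resulting distinguished name is part of the function rather than an afterthought.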