NSA Guide to Securing Microsoft Windows 2000 Active Directory, Ch 1-5

October 23, 2002
Bryan Carter
Buddy Carter
Ryan Blanton

November 14, 2012   University of Tulsa - Center for Information Security
• Ch. 1: Active Directory Overview
• Ch. 2: Domain Name System
• Ch. 3: Active Directory Installation
• Ch. 4: Domains and Organizational Units
• Ch. 5: Trees and Forests

Chapter 1: Active Directory Overview

Active Directory Overview

• Discusses the approach of the Active Directory mini-guide
• Provides some topology considerations

Active Directory Overview

• Simple definition: a hierarchical namespace of objects that is tightly integrated with the Domain Name System (DNS)
• AD is the directory service used for Windows 2000 domain controllers
• AD uses DNS naming for its domains

Active Directory Overview

• Dependent upon DNS to act as a locator service
• Includes:
    - an information source
    - services that make the information available to users
• Holds information on objects stored in the underlying domains, trees, and forests
• Provides security mechanisms against unauthorized access to directory objects
Active Directory Overview

• The guide is intended to highlight AD security capabilities and issues
• Provides security configuration guidance and recommendations
• Intended to provide tools to improve security configurations
• Does not include specific design or integration policies
    - for these issues, see the NSA Guide to Securing Windows 2000

Active Directory Overview

• Takes a different approach than the other guides
• Recommendations are somewhat more flexible
• Does not provide discrete settings that implement a predictable security configuration outcome
• Intended to inform and aid administrators in arriving at their own policy implementations
Chapter 2: Domain Name System

DNS Outline

• Overview
• Active Directory Integrated Zones
• Active Directory DNS Interface
• Chapter Security Summary

DNS Overview

• Provides:
    - guidance about the Domain Name System (DNS) as it relates to Active Directory
    - information about Active Directory DNS security functionality
• Bugs and incompatibilities are pointed out

DNS Overview

• AD uses DNS for:
    1. name resolution
    2. locating services
    3. establishing the domain namespace for the AD hierarchy
• DNS should be the first concept designed, since DNS affects the design of the organizational layout (including forests, trees, domains, and sites)
DNS Overview

• DNS design should not be taken lightly, because AD does not currently allow the naming convention to be changed without completely reinstalling AD for all affected domains
• Any additional DNS guidance not pertaining to AD can be found in the Guide to Securing Windows 2000 DNS

Active Directory Integrated Zones

• Overview
• DNS server properties tab
• Dynamic Zone Updates

AD Integrated Zones

• When DNS is integrated into AD, the DNS zone benefits from AD's native multi-master replication
    - an update for the zone is received by any domain controller
    - the DC writes the update to AD, which is then replicated to all other DCs installed with DNS
    - any domain controller that is also a DNS server hosting that AD-integrated zone, anywhere in the network, receives the updated information
• Active Directory integrated zones allow access control over who can update DNS and provide better replication and fault tolerance capability

AD Integrated Zones

• With AD integrated zones, the DNS server properties interface can be used to manage Access Control Lists (ACLs)
    - ACL: the list of which groups and users can access and modify a specified zone or resource record
• This is done using the DNS server properties tab

AD Integrated Zones - DNS Server Properties Tab

AD Integrated Zones - DNS Server Properties Tab

• Can be used to:
    - link users and designated DNS administrators groups
    - configure permissions
• Groups and users can then be placed into a designated Organizational Unit (OU) or other container so that the appropriate Group Policy Object (GPO) can be applied

AD Integrated Zones - Dynamic Zone Updates

• Updates are carried within the AD replication scheme
• Avoids the traditional DNS master server becoming a single point of failure
• Zones are replicated and synchronized to new domain controllers automatically when a new zone is added to an AD domain

Active Directory DNS Interface

• The Active Directory DNS interface allows:
    - administrators to specify the servers allowed to participate in zone transfers
    - logging and monitoring of certain events
• Captured DNS audit events are viewable from the "DNS Server" log in the Event Viewer
• Enabling only secure DNS updates at a server causes all updates to that server to be encrypted during transmission over the network
Static Service Locations

• Overview
    - Problem
    - Solution

Static Service Locations

• Instead of using dynamic service location, AD uses static service locations
• Problem:
    - when service records remain in DNS after a service has been removed or has become unstable, servers and clients continue to believe that the service is still available

Static Service Locations

• Solution:
    - Microsoft provides a proprietary aging/scavenging solution that makes use of a previously unused DNS extension
    - this allows servers to age out and remove old DNS service records (default is 7 days)
    - this presents another problem: services will appear available to servers and clients until they have been scavenged (this may also affect locating new services)

Static Service Locations

• Another problem is that non-Windows 2000 DNS servers do not have the ability to age or scavenge old service records
• This issue must be considered when deciding if or how to implement DNS in a non-Windows 2000 DNS server or mixed DNS server environment
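To make the stale-record problem and the aging/scavenging answer from the last three slides concrete, here is an added Python model of an AD-integrated zone holding SRV records. It is example code written for these notes, not code from the NSA guide or the presenters. It assumes a single 7-day age limit, which is how the slides state the default (the Windows implementation actually splits this into a no-refresh and a refresh interval); the zone name, host names and dates are constructed. The model shows the window during which a decommissioned domain controller is still handed to clients, which records a scavenging pass would remove, and a server with aging disabled (the non-Windows 2000 case) that never removes them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SrvRecord:
    """One DNS SRV record, e.g. _ldap._tcp.example.local -> dc1.example.local:389."""
    name: str
    target: str
    port: int
    timestamp: Optional[datetime] = None   # None marks a static record, which is never aged


@dataclass
class Zone:
    """An AD-integrated zone. aging_enabled=False models a DNS server that cannot
    age or scavenge records (the slides' non-Windows 2000 server)."""
    aging_enabled: bool = True
    max_age: timedelta = timedelta(days=7)   # the slides' 7-day default as one interval (assumption)
    records: List[SrvRecord] = field(default_factory=list)

    def dynamic_update(self, rec: SrvRecord, now: datetime) -> None:
        """A service registers itself; re-registering an existing name/target
        refreshes that record's timestamp instead of adding a duplicate."""
        for existing in self.records:
            if existing.name == rec.name and existing.target == rec.target:
                existing.port = rec.port
                existing.timestamp = now
                return
        rec.timestamp = now
        self.records.append(rec)

    def lookup(self, name: str) -> List[str]:
        """What a client sees: every record for the name, stale or not."""
        return sorted(r.target for r in self.records if r.name == name)

    def stale(self, now: datetime) -> List[SrvRecord]:
        """Records not refreshed within max_age; candidates for the next scavenge."""
        if not self.aging_enabled:
            return []
        return [r for r in self.records
                if r.timestamp is not None and now - r.timestamp > self.max_age]

    def scavenge(self, now: datetime) -> List[str]:
        """Remove aged-out records and return the targets that were removed."""
        doomed = {id(r) for r in self.stale(now)}
        removed = sorted(r.target for r in self.records if id(r) in doomed)
        self.records = [r for r in self.records if id(r) not in doomed]
        return removed


LDAP_SRV = "_ldap._tcp.example.local"   # constructed service name in a constructed zone


def demo(aging_enabled: bool = True) -> Dict[str, List[str]]:
    """Two DCs register on day 0; dc1 keeps refreshing, dc2 is decommissioned on
    day 4 and never refreshes again. A static record for a legacy server is never aged."""
    t0 = datetime(2002, 10, 1)
    zone = Zone(aging_enabled=aging_enabled)
    zone.dynamic_update(SrvRecord(LDAP_SRV, "dc1.example.local", 389), t0)
    zone.dynamic_update(SrvRecord(LDAP_SRV, "dc2.example.local", 389), t0)
    zone.records.append(SrvRecord(LDAP_SRV, "legacy.example.local", 389))   # static record
    zone.dynamic_update(SrvRecord(LDAP_SRV, "dc1.example.local", 389), t0 + timedelta(days=3))

    day6, day8 = t0 + timedelta(days=6), t0 + timedelta(days=8)
    return {
        # day 6: dc2 has been gone for two days but is under the age limit, so it is
        # neither stale nor removed, and clients are still told it offers LDAP
        "stale_day6": sorted(r.target for r in zone.stale(day6)),
        "lookup_day8": zone.lookup(LDAP_SRV),        # dc2 is still advertised until scavenged
        "stale_day8": sorted(r.target for r in zone.stale(day8)),
        "removed_day8": zone.scavenge(day8),
        "lookup_after": zone.lookup(LDAP_SRV),
    }
```

Running `demo()` with aging enabled shows dc2 surviving every lookup until the day-8 scavenge removes it; `demo(aging_enabled=False)` models the non-Windows 2000 server, where `stale()` and `scavenge()` never return anything and the dead record stays until someone removes it by hand, which is why the chapter's good practices include checking service records and scavenging manually.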




Chapter Security Summary

• Recommendations
• Good Practices

Chapter Security Summary: Recommendations

• Implement Active Directory integrated zones
• Use or create Active Directory DNS administrators groups and users to manage DNS
• Link only the designated DNS administrators groups and users, and configure permissions through the DNS server properties security tab
• Place the DNS administrators groups and users into a designated OU and apply the appropriate Group Policy
• See the Guide to Securing Windows 2000 DNS

Chapter Security Summary: Good Practices

• Configure support for dynamic updates and incremental zone transfer
• Enable secure dynamic updates for the zone
• Routinely check the currency of service records and manually scavenge as needed
• Make use of the Windows 2000 DNS installation wizard when creating zones
• Become familiar with and test issues regarding interoperation with non-Windows 2000 DNS servers, such as service record aging and scavenging, and version stability

Chapter Security Summary: Good Practices

• Create an enterprise DNS audit policy; use the Active Directory DNS interface to log and monitor DNS events
• Use more than one DNS server to host each zone (for fault tolerance)
• DNS servers should be local, not across a site connection (such as a WAN or slow-speed link)

Chapter 3: Active Directory Installation
Ryan Blanton

Installation

• Active Directory Installation Wizard
    - DCPROMO.EXE (command prompt)
    - Start, Administrative Tools, Configure Your Server
• Installation Wizard functions
    - add a domain controller to an existing domain
    - create the first domain controller of a new domain
    - create a new child domain
    - create a new domain tree
    - install a DNS server with a default configuration
    - create the database and database log files
    - create the shared system volume
    - remove Active Directory services from a domain controller

Installation

• Active Directory domain, Organizational Unit, and site topologies should be carefully considered before installation
• DNS services should be installed and configured prior to Active Directory installation, unless the default Active Directory Installation Wizard DNS configuration is acceptable

Default Permissions

• Two options for permission preferences:
    1. permissions compatible with pre-Windows 2000 servers
    2. permissions compatible only with Windows 2000 servers
• The built-in Pre-Windows 2000 Compatible Access group is added to Access Control Lists and user rights throughout Active Directory and the domain controller

Default Permissions

• Pre-Windows 2000 option:
    - permissions compatible with pre-Windows 2000 based servers are selected
    - the Everyone group is nested in the Pre-Windows 2000 Compatible Access group
    - allows anonymous users read access to information on the domain
    - allows anonymous connections to the server
• Windows 2000 servers only option:
    - the Everyone group is not nested

Default Permissions

• Adding/deleting the Everyone group in the Pre-Windows 2000 Compatible Access group:
    - net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
    - net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete

Directory Services Restore Mode

• During installation, the Directory Services Restore Mode Administrator password is supplied
• Used to restore the Active Directory DB from a backup and to protect access to the Active Directory database file stored on the server (ntds.dit)
• The Restore Mode password and user passwords are stored in the server's local Security Accounts Manager (SAM) data store
• The password must be protected

Recommendations

• Set permissions compatible only with Windows 2000 servers if possible
    - choose the "permissions compatible only with Windows 2000 servers" option
• Use robust password guidelines when setting the Directory Services Restore Mode Administrator's password
    - consider using SYSKEY for additional security

Chapter 4: Domains and Organizational Units
Buddy Carter

Overview

• Domain Basics
• Domain Administrators
• Group Policy Objects
• Default Users and Computers
• Hiding Active Directory Objects in OUs
• Summary

Background of Active Directory

• Hierarchical structure
• Domains are the fundamental container objects in Active Directory
• Organizational Units (OUs) are created to further organize objects
• Security concerns specifically related to domains and OUs

Domain Basics

• Overview
    - Domain and Active Directory Characteristics
    - Permissions
    - Domain and OU Structure
    - OU Characteristics
    - Active Directory Installation Wizard

Domain Basics

• Domain and Active Directory characteristics
    - domains maintain backward compatibility with Windows NT domains and must match DNS names
    - Active Directory domains represent a security boundary or partition, due to permissions and authority

Domain Basics

• Permissions
    - permissions and authority do not flow in or out of a domain
    - therefore, an Active Directory domain forms a security boundary
    - they can flow in and out of sites and OUs

Domain Basics (Domain and OU Structure)

Domain Basics

• OU characteristics
    - typically created within the domain to further organize and contain individual resource objects (leaf objects): users, computers, shared folders
    - the primary container object used to delegate authority and link to GPOs
    - the other container objects used to delegate authority and link GPOs are domains and sites
Domain Basics

• Active Directory Installation Wizard
    - used when creating a new child domain
    - what the AD Installation Wizard does:
        - creates a new domain
        - promotes the computer to a new domain controller
        - establishes a two-way trust relationship with the parent domain
        - replicates the schema and configuration directory partitions

Domain Administrators

• Overview
    - Default settings
    - Control
    - Domain Administrators Group
    - Delegating Administration Within a Domain

Domain Administrators

• Default settings
    - domain administrators are members of the Domain Admins group and the built-in Administrator account
    - within the domain, domain administrators have full control
    - they have the right to take ownership of any object in the domain

Domain Administrators

• Control
    - domain administrators can gain full control over any object in the domain, regardless of the permissions set on that object
    - there is no way to prevent a domain admin or administrator from taking ownership (control) of an OU anywhere in the domain
    - NOTE: the Active Directory interface indicates that blocking or denying permissions is effective in blocking out any group or user, including domain administrators, which is misleading

Domain Administrators

• Domain Administrators group
    - membership of the Domain Administrators group should be kept small and controlled
    - members should not be placed in OUs to manage sub-domain elements of the directory tree
    - delegate administration within a domain

Domain Administrators

• Delegating administration within a domain (example)
    - create an OU for each logical subdivision of the domain
    - create a local group for each subdivision representing the highest level of administration in that subdivision
    - assign the given group full control over its OU
    - if the subdivision is allowed to set its own membership, place the subdivision's administrators group into the OU; otherwise, leave the group outside the OU

Group Policy Objects

• Overview
    - Access Control List (ACL)
    - GPO Properties
    - Inheritance

Group Policy Objects

• Access Control List (ACL)
    - a default ACL is applied when an object is created in the directory
    - beyond the default permissions of the ACLs, security management for Active Directory user and computer objects is largely performed with GPOs

Group Policy Objects

• GPO properties
    - performs security management for user and computer objects when linked (applied) to domain, OU, and site container objects
    - guidance for Group Policy can be found in the Guide to Securing Microsoft Windows 2000 Group Policy mini-guide
    - by default, GPOs are inherited

Group Policy Objects

• Inheritance
    - flows from site to domain to OU
        - e.g. child OUs inherit GPOs from parent OUs
    - there is no GPO inheritance hierarchy for domains like there is for OUs
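The inheritance order on this slide is easy to state and easy to get wrong when tracing what a given user actually receives, so here is an added Python model of it, written for these notes rather than taken from the NSA guide or the slides. It walks a user's distinguished name to recover the domain and the OU chain, applies GPOs in site, domain, parent-OU, child-OU order, and resolves a setting the way the client does (the last GPO to define it wins). It goes one step beyond the slide in also modelling link order within a single container, where link order 1 has the highest precedence and is applied last. The site name, container DNs, GPO names and setting names are all constructed.

```python
from typing import Dict, List, Tuple

Links = Dict[str, List[str]]              # container DN or site name -> linked GPO names, link order 1 first
Settings = Dict[str, Dict[str, object]]   # GPO name -> {setting name: value}


def split_dn(dn: str) -> Tuple[str, List[str]]:
    """Return the object's domain DN and its OU containers, top-level OU first.
    'CN=jdoe,OU=Sales,OU=Corp,DC=example,DC=local' ->
    ('DC=example,DC=local',
     ['OU=Corp,DC=example,DC=local', 'OU=Sales,OU=Corp,DC=example,DC=local'])"""
    parts = [p.strip() for p in dn.split(",")]
    first_dc = next(i for i, p in enumerate(parts) if p.upper().startswith("DC="))
    domain = ",".join(parts[first_dc:])
    ous = [p for p in parts[:first_dc] if p.upper().startswith("OU=")]
    chain: List[str] = []
    suffix = domain
    for ou in reversed(ous):   # walk from the top-level OU down to the object's own OU
        suffix = f"{ou},{suffix}"
        chain.append(suffix)
    return domain, chain


def effective_gpos(dn: str, site: str, links: Links) -> List[str]:
    """GPOs in application order: site, then the object's own domain, then each OU
    from the top of the hierarchy down. Later entries override earlier ones, so the
    OU closest to the object wins. Because the domain container comes from the
    object's own DN, a parent domain's GPOs never reach objects in a child domain."""
    domain, chain = split_dn(dn)
    order: List[str] = []
    for container in [site, domain, *chain]:
        # Within one container, link order 1 has the highest precedence, so it is applied last.
        order.extend(reversed(links.get(container, [])))
    return order


def effective_setting(dn: str, site: str, links: Links, settings: Settings, name: str):
    """Resolve one setting the way the client does: the last GPO to define it wins."""
    value = None
    for gpo in effective_gpos(dn, site, links):
        if name in settings.get(gpo, {}):
            value = settings[gpo][name]
    return value


# Constructed forest: example.local with a child domain child.example.local, one site.
SITE = "Default-First-Site-Name"
LINKS: Links = {
    SITE: ["Site-Baseline"],
    "DC=example,DC=local": ["Domain-Security"],
    "OU=Corp,DC=example,DC=local": ["Corp-Desktop"],
    "OU=Sales,OU=Corp,DC=example,DC=local": ["Sales-Kiosk"],
    "DC=child,DC=example,DC=local": ["Child-Domain-Security"],
}
SETTINGS: Settings = {
    "Site-Baseline": {"ScreenSaverTimeout": 900},
    "Domain-Security": {"ScreenSaverTimeout": 600, "AuditLogonEvents": True},
    "Corp-Desktop": {"RemovableMedia": "deny"},
    "Sales-Kiosk": {"ScreenSaverTimeout": 120},
    "Child-Domain-Security": {"AuditLogonEvents": False},
}
USER_SALES = "CN=jdoe,OU=Sales,OU=Corp,DC=example,DC=local"
USER_CHILD = "CN=asmith,OU=Ops,DC=child,DC=example,DC=local"


def demo() -> Dict[str, object]:
    """The Sales user gets site, domain, Corp and Sales GPOs with Sales winning the
    screen-saver setting; the child-domain user never sees the parent domain's GPO."""
    return {
        "sales_gpos": effective_gpos(USER_SALES, SITE, LINKS),
        "sales_timeout": effective_setting(USER_SALES, SITE, LINKS, SETTINGS, "ScreenSaverTimeout"),
        "child_gpos": effective_gpos(USER_CHILD, SITE, LINKS),
        "child_timeout": effective_setting(USER_CHILD, SITE, LINKS, SETTINGS, "ScreenSaverTimeout"),
        "child_audit": effective_setting(USER_CHILD, SITE, LINKS, SETTINGS, "AuditLogonEvents"),
    }
```

The `child_*` results are the slide's second point in action: the child domain shares the site-linked GPO but inherits nothing from `DC=example,DC=local`, so a security setting enforced at the parent domain has to be linked again in every child domain.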




Group Policy Objects (GPO Inheritance)

Default Users and Computers

• Overview
    - Default objects
    - Default users and computers folders

Default Users and Computers

• Default objects
    - several default objects are created when Active Directory is installed on the first domain controller in a new domain
    - the objects include the following folders: Builtin, Computers, Users

Default Users and Computers

• Default users and computers folders
    - should only be used, if needed, to initially plan and create a manageable OU structure
    - user and computer objects should be relocated to OUs within the target structure as soon as possible

Hiding Active Directory Objects in OUs

• Overview
    - Hiding Objects
    - Analyzing Hidden OUs
    - Regaining Control of Hidden Objects

Hiding Active Directory Objects in OUs

• Hiding objects
    - OUs can be created to hide objects
    - blocking the "List Contents" permission for an OU makes the OU and its contents invisible to the affected users
    - only users who can modify the ACL on an OU can hide objects in this way
    - helps with policies and objectives
    - problem: this can be used as a "backdoor" to create a privileged user and place that user into a hidden OU container
Hiding Active Directory Objects in OUs

• Analyzing hidden OUs
    - when an administrator attempts to view a hidden OU, it appears as an object without an icon
    - when the object's security tab is selected, the security information is unavailable
    - these are indications to administrators that an OU has been created to hide Active Directory objects
    - an administrator can take steps to regain control of a hidden object if the activity is suspicious

Hiding Active Directory Objects in OUs

• Regaining control of hidden objects
    1) open another object to which the administrator has privilege
    2) view the security settings of the other object
    3) return to the security tab of the hidden object
    4) the security settings will now be visible and can be managed by the administrator
    5) the administrator can grant other objects rights to this OU
    6) the administrator can reset inherited permissions
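The three hidden-OU slides (hiding, analysing, regaining control) and the earlier "Control" slide describe one access-control story: a deny ACE on List Contents blocks everyone the ACL names, including domain administrators, yet an administrator can still take ownership and repair the ACL. The Python below is an added model of that story, written for these notes and not taken from the NSA guide or the slides. It implements a Windows-style DACL check (owner implicitly holds Read Permissions and Modify Permissions; an explicit deny for the principal or any of its groups beats any allow), a detection pass that flags OUs an administrator cannot list or whose security information is unreadable, and the recovery path via SeTakeOwnershipPrivilege. The right names mirror the AD permissions dialog; the principals, groups and OU names are constructed, and treating the hidden OU as also denying Read Permissions is an assumption made so the model reproduces the slide's blank security tab.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Directory rights used in this model; names follow AD's permissions dialog.
LIST_CONTENTS, READ_PROPERTY, READ_CONTROL, WRITE_DAC = (
    "List Contents", "Read Property", "Read Permissions", "Modify Permissions")
ALL_RIGHTS = {LIST_CONTENTS, READ_PROPERTY, READ_CONTROL, WRITE_DAC}


@dataclass
class Ace:
    allow: bool          # False makes this a deny ACE
    trustee: str         # user or group name
    rights: Set[str]


@dataclass
class Principal:
    name: str
    groups: Set[str] = field(default_factory=set)
    take_ownership_privilege: bool = False   # SeTakeOwnershipPrivilege, held by Domain Admins

    def identities(self) -> Set[str]:
        return {self.name} | self.groups


@dataclass
class OrgUnit:
    dn: str
    owner: str
    dacl: List[Ace] = field(default_factory=list)


def access_check(p: Principal, ou: OrgUnit, right: str) -> bool:
    """Windows-style DACL check. The owner implicitly holds Read Permissions and
    Modify Permissions; otherwise an explicit deny for the principal or any of its
    groups wins over any allow, and no matching allow means no access."""
    if p.name == ou.owner and right in (READ_CONTROL, WRITE_DAC):
        return True
    matching = [a for a in ou.dacl if a.trustee in p.identities() and right in a.rights]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def deny_list_contents(actor: Principal, ou: OrgUnit, trustee: str) -> None:
    """The slide's hiding mechanism: only someone who can modify the ACL can add a
    deny ACE for List Contents (here also Read Permissions, so the security tab is blank)."""
    if not access_check(actor, ou, WRITE_DAC):
        raise PermissionError(f"{actor.name} cannot modify the ACL of {ou.dn}")
    ou.dacl.insert(0, Ace(False, trustee, {LIST_CONTENTS, READ_CONTROL}))   # denies are listed first


def find_hidden_ous(admin: Principal, ous: List[OrgUnit]) -> List[str]:
    """Detection: OUs the administrator cannot list, or whose security info is unreadable."""
    return [ou.dn for ou in ous
            if not access_check(admin, ou, LIST_CONTENTS)
            or not access_check(admin, ou, READ_CONTROL)]


def regain_control(admin: Principal, ou: OrgUnit) -> None:
    """Why the deny is 'misleading': an administrator without Modify Permissions takes
    ownership (SeTakeOwnershipPrivilege), gains implicit Modify Permissions as owner,
    then removes the deny ACEs aimed at them and re-grants full rights to Domain Admins."""
    if not access_check(admin, ou, WRITE_DAC):
        if not admin.take_ownership_privilege:
            raise PermissionError(f"{admin.name} cannot take ownership of {ou.dn}")
        ou.owner = admin.name
    ou.dacl = [a for a in ou.dacl if a.allow or a.trustee not in admin.identities()]
    ou.dacl.append(Ace(True, "Domain Admins", set(ALL_RIGHTS)))


def demo() -> Dict[str, object]:
    """Constructed scenario: a delegated OU admin hides a child OU from Domain Admins."""
    delegated = Principal("ou-admin", {"Sales Admins"})
    domain_admin = Principal("alice", {"Domain Admins"}, take_ownership_privilege=True)
    helpdesk = Principal("bob", {"Helpdesk"})
    sales = OrgUnit("OU=Sales,DC=example,DC=local", owner="ou-admin",
                    dacl=[Ace(True, "Sales Admins", set(ALL_RIGHTS)),
                          Ace(True, "Domain Admins", set(ALL_RIGHTS))])
    stash = OrgUnit("OU=Stash,OU=Sales,DC=example,DC=local", owner="ou-admin",
                    dacl=[Ace(True, "Sales Admins", set(ALL_RIGHTS))])   # Domain Admins not granted
    deny_list_contents(delegated, stash, "Domain Admins")

    result: Dict[str, object] = {
        "visible_before": access_check(domain_admin, stash, LIST_CONTENTS),   # the deny works here
        "flagged": find_hidden_ous(domain_admin, [sales, stash]),
    }
    try:                                   # no privilege, no Modify Permissions: stays locked out
        regain_control(helpdesk, stash)
        result["helpdesk_can_regain"] = True
    except PermissionError:
        result["helpdesk_can_regain"] = False
    regain_control(domain_admin, stash)    # ownership makes the deny ineffective
    result["visible_after"] = access_check(domain_admin, stash, LIST_CONTENTS)
    result["owner_after"] = stash.owner
    return result
```

`find_hidden_ous` is the automated form of the "object without an icon, blank security tab" indicators on the analysing slide: run over every OU with the credentials of an account that should have full control, anything it returns deserves a look. The same ownership step that lets `regain_control` succeed is why the "Control" slide calls the interface's deny semantics misleading: the deny is honoured by the access check, but not against an account that can make itself the owner.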

Domain Controller Security

• Overview
    - Physical Security
    - SYSKEY Information
    - SYSKEY Concerns
    - Fault Tolerance

Domain Controller Security

• Physical security
    - having fewer copies of domain controller information physically accessible to unsupervised people reduces the risk of unauthorized access
    - it is recommended to put domain controllers in a locked room so they are kept physically secure
    - physical access could allow an intruder to get copies of encrypted password data to use in an off-line attack
Domain Controller Security

• SYSKEY information
    - provides additional security
    - described by Microsoft at http://support.microsoft.com/support/kb/articles/q143/4/75.asp
    - uses its own key, which must be protected

Domain Controller Security

• SYSKEY concerns
    - a floppy containing the binary key could be used to bypass SYSKEY
    - unattended system restart could require the SYSKEY material to be stored on the local hard drive, thus reducing the level of security
    - forgetting the password
    - could affect repair options for system recovery
    - different options exist for storage of the SYSKEY startup key

Domain Controller Security (SYSKEY Password Storage)

Domain Controller Security

• Fault tolerance
    - when Active Directory is first installed on the first domain controller, at least one additional domain controller should be installed
    - prevents loss of the database if the first server crashes

Summary

• Recommendations
    - create separate domains as needed to partition or compartment portions of Active Directory requiring different security or administrative policies
    - physically secure domain controllers
    - as soon as possible, move default user and computer objects into OUs within the target OU structures
Summary

• Good practices
    - membership of the domain administrators group should be kept small and controlled
    - members of the domain administrators group generally should not be placed in OUs to manage sub-domain elements of the directory tree
    - take steps to ensure that unauthorized hidden OU objects do not exist within the directory structure
    - use SYSKEY to augment the physical protection of domain controllers
    - at least one sub-domain or replica domain controller should be installed shortly after the first domain controller is installed, to prevent loss of the database if the first server crashes

Chapter 5: Trees and Forests
Ryan Blanton

Definitions

• Tree: a collection of domains, connected by trust relationships, which share a contiguous DNS namespace
• Forest: a collection of domains, connected by trust relationships, whose DNS namespace is not contiguous

Definitions

• All domains in trees or forests have:
    - Global Catalog: holds a copy of every object in Active Directory, but with a limited number of each object's attributes (stores only the attributes most frequently used in search operations and user logon, and the attributes required to locate a full replica of the object)
    - Schema: defines the classes and attributes of objects that can be created in the Active Directory DB
    - Configuration: naming context that is replicated to every domain controller in the forest

Design Considerations

• The first domain created is the root domain controller, tree root domain, and forest root domain
• The first domain controller stores the Global Catalog, Schema, and Configuration
• In the forest root domain, two predefined security groups are created to manage forests:
    1. Enterprise Admins: group authorized to make changes to the entire forest in Active Directory (e.g. adding child domains)
    2. Schema Admins: group authorized to make schema changes in Active Directory

Design Considerations

• DNS, tree, and forest implementation hinges on the first domain created
• Sub-domains and trees to be included in the forest must be linked with the first domain as the Active Directory configurations are installed
• An established domain or tree cannot later join a forest
• Non-transitive trust relationships can be provided to established domains, trees, or forests, but a two-way transitive trust relationship is not available if the domain or tree is not installed into the forest root domain
Design Considerations

• After the first domain is created, later Active Directory installations within the forest can:
    - create a replica within a domain
    - create a sub-domain that extends the namespace
    - create a sub-domain with a non-contiguous namespace
• Active Directory exchanges copies of the Global Catalog, Schema, and Configuration among domain controllers when subsequent domain controllers are installed
• Within a domain, large portions of the DBs are exchanged
• Between domains, only changes or updates are exchanged
Design Considerations

• Advantages of a single domain architecture
    - simplifies system management
    - easier to manage and trace Active Directory object access control and Group Policy inheritance (security benefit)
    - domain administrators have complete control over the entire system (security benefit)
• Advantages of a multiple domain architecture
    - multiple domains can reduce replication traffic
    - might be easier to implement distinct security settings by using separate domains (security benefit)
    - might aid in the transition from Windows NT domains to Windows 2000 domains
    - separate domains may be required to block administrative authority from one part of the system to another (security benefit)

Active Directory Trusts

• As each domain controller is installed into a forest, a two-way, transitive trust between the forest root or parent domain and the new domain is created
• Since the trust is transitive, the trust relationship is extended to all domains connected together with a transitive trust
• Transitive trusts are distinguished as either parent-child trusts or trusts between tree roots
Active Directory Trusts

• Forest Trust Relationships

Active Directory Trusts

• Non-transitive trust: a one-way trust that can be created between domains where a transitive trust relationship does not or cannot exist
• Only necessary trusts should be created
• Some situations:
    - between a Windows 2000 domain and a Windows NT domain
    - between two Windows 2000 domains in separate forests
• Non-transitive trusts are manually created (refer to the guide)
• Can be created in both directions to provide for transitive trust
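The two trust slides above define transitive parent-child and tree-root trusts inside a forest and one-way non-transitive trusts to domains outside it. The Python below is an added model of how those two kinds compose, written for these notes and not taken from the NSA guide or the slides. It represents each trust as a directed edge from the trusting (resource) domain to the trusted (account) domain and answers "can users of domain A be authenticated for resources in domain B?" by walking from B: transitive edges may be chained, a non-transitive edge is usable only as a direct hop and nothing beyond it is trusted. The forest layout and the Windows NT domain name are constructed.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Trust:
    trusting: str      # resource domain that accepts the other side's users
    trusted: str       # account domain whose users are accepted
    transitive: bool


def two_way_transitive(a: str, b: str) -> List[Trust]:
    """Parent-child and tree-root trusts inside a forest: two-way and transitive."""
    return [Trust(a, b, True), Trust(b, a, True)]


def trusts_accounts_from(resource: str, account: str, trusts: List[Trust]) -> bool:
    """Can users of `account` be authenticated for resources in `resource`?
    Breadth-first walk over trusting->trusted edges starting at the resource
    domain. A non-transitive edge only counts when it leads directly from the
    resource domain to the account domain; it is never extended further."""
    if resource == account:
        return True
    by_trusting: Dict[str, List[Trust]] = {}
    for t in trusts:
        by_trusting.setdefault(t.trusting, []).append(t)
    seen: Set[str] = {resource}
    queue = deque([resource])
    while queue:
        here = queue.popleft()
        for t in by_trusting.get(here, []):
            direct = here == resource
            if t.trusted == account and (t.transitive or direct):
                return True
            if t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    return False


def demo() -> Dict[str, bool]:
    """Constructed forest: example.local is the forest root with child sales.example.local;
    other.local is a second tree (tree-root trust) with child eng.other.local. NT4DOM is a
    Windows NT domain trusted by the forest root through a one-way, non-transitive trust."""
    forest = (two_way_transitive("example.local", "sales.example.local")    # parent-child
              + two_way_transitive("example.local", "other.local")          # tree-root trust
              + two_way_transitive("other.local", "eng.other.local"))       # parent-child
    external = [Trust("example.local", "NT4DOM", False)]                    # one-way, manual
    trusts = forest + external
    return {
        # transitive chain: eng -> other -> example -> sales
        "sales_users_reach_eng": trusts_accounts_from("eng.other.local", "sales.example.local", trusts),
        # direct non-transitive hop from the trusting domain
        "nt4_users_reach_root": trusts_accounts_from("example.local", "NT4DOM", trusts),
        # the NT trust does not extend to the root's child domain
        "nt4_users_reach_sales": trusts_accounts_from("sales.example.local", "NT4DOM", trusts),
        # one-way: the NT domain trusts nobody here
        "root_users_reach_nt4": trusts_accounts_from("NT4DOM", "example.local", trusts),
    }
```

The `nt4_users_reach_sales` result is the reason the slides say only necessary trusts should be created and that each explicit inter-forest or NT trust must be established and maintained by hand: a non-transitive trust is scoped to exactly the two domains it names, so every additional resource domain needs its own trust, and every such trust is another relationship to review.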

Active Directory Trusts

• Trusts between multiple forests
    - it is possible to link multiple forests with non-transitive trust relationships
    - reasons: merging systems, merging companies
• Currently there is no "good" forest merge capability, so system decision makers face a choice:
    - maintain separate forests
    - manually recreate and copy objects from one forest to another

Active Directory Trusts

• Consequences of multiple forests
    - multiple schemas (maintaining consistency is difficult and costly)
    - multiple configuration containers (maintaining consistency is difficult)
    - explicit trusts between individual domains must be established and maintained
    - explicit queries must be made for resources outside the forest
    - replication of information between forests will be manual
    - users logging on to computers in forests outside their own must use the default (full domain path) User Principal Name (UPN) when logging in
    - accounts are not easily moved between forests; account moves must use cloning or a bulk import utility

Recommendations

• Do a significant amount of planning before creating the DNS namespace, trees, and forests, because many aspects of these structures cannot be modified later
• Maintain separate domains as needed to block administrative authority from one part of a system to another
• Bulk imported accounts should be inactive; a secure method to create or change the account as each account is activated must be devised
Questions?
