Active Directory security is not a single setting; it is a multifaceted collection of settings that can become very complex. Regardless of the size of the company, a firm grasp of Active Directory security settings is necessary to ensure a secure and stable IT infrastructure.
During the design phase of Active Directory, the security of Active Directory objects should be considered and documented. The objects that need to be considered for security include:
Domain controllers
Servers
Client computers
User accounts
Group accounts
OUs
GPOs
Security administration for Windows Active Directory spans well beyond the Active Directory database. With Active Directory, security needs to be considered for all aspects of object management, GPO management, DNS management, and general domain controller management.
If the AD implementation is allowed to progress without considering the security related to delegation of administration, the process of rearranging the objects to support a desired delegation model becomes very difficult. There are general guidelines that you need to keep in mind as you consider the security of the directory administration:
The rules that applied to NT usually don’t apply to Win2K and WS2K3 AD. This idea is difficult for many companies and administrators to get past, largely because the NT methods have been in place for years and seem to work well. The AD security design needs to take full advantage of the power of AD. It is a shame to have companies spend so much time, effort, and money moving from NT to Win2K and WS2K3 AD and then not take advantage of what AD provides. The power of AD is in the ability to reduce the number of domains, which in turn reduces the number of domain controllers, administrators, and trusts (administrative overhead) and increases the ability to centrally administer the environment.
The group design is essential for optimizing the security configuration of the directory. In some OSs, it is common to have built-in groups that provide widespread power over accounts, servers, and services. With AD, these groups can still be used, but it is better to also use other groups that are delegated administrative control over specific aspects of AD. This design is better because the built-in groups often have control over all user accounts or all servers. With the delegation model, groups have control over a subset of the user or computer accounts. In addition to the limitation of object scope, the delegated group usually has a limitation set on its capabilities over those objects as well.
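The two limits the delegation model relies on, object scope (a subset of accounts) and capability (a subset of rights), are both expressed as access control entries on the OU that holds those accounts. The script below is an added example, not from the book, that delegates password reset and account unlock for the users of one OU to a help-desk group, rather than placing that group in the built-in Account Operators group, which can manage nearly every user in the domain. It uses the ActiveDirectory PowerShell module, which is newer than the Win2K/WS2K3 systems the book discusses, but the ACE model it manipulates is the same. The OU, group and domain names are hypothetical.

```powershell
# Added example: delegate a narrow capability over one OU instead of using a broad built-in group.
# Requires the RSAT ActiveDirectory module (provides Get-AD* cmdlets and the AD: drive).
Import-Module ActiveDirectory

$ouDN     = 'OU=Sales,OU=Corp Users,DC=corp,DC=example'   # hypothetical OU: the delegation scope
$groupSam = 'HelpDesk-Sales'                                # hypothetical delegated group

# ACEs are keyed by SID, so resolve the group first.
$groupSid = (Get-ADGroup -Identity $groupSam).SID

# Look up the GUIDs that scope each ACE from the schema and configuration partitions
# rather than hard-coding them: the 'user' object class, the attributes to be written,
# and the "Reset Password" control access right.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClassGuid   = Get-SchemaGuid 'user'
$pwdLastSetGuid  = Get-SchemaGuid 'pwdLastSet'    # needed to force "change password at next logon"
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # needed to unlock a locked-out account

$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetPwdGuid = [guid]$resetRight.rightsGuid

# Every ACE is inherited by descendants of the OU but applies only to objects of class 'user',
# so computer, group and nested-OU objects under the same OU are untouched (the scope limit).
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$aces = @(
    # One extended right, not GenericAll: the capability limit.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwdGuid, $inherit, $userClassGuid)
    # Write access to exactly two attributes, again only on user objects.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $lockoutTimeGuid, $inherit, $userClassGuid)
)

# Read the OU's security descriptor, add the ACEs, and write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: only the three scoped ACEs should exist for the group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The same ACEs can be produced with the Delegation of Control Wizard in Active Directory Users and Computers or with dsacls.exe; the point is what the verification step shows, namely that the group's rights are bounded both by object class under one OU and by a short list of specific rights. Two checks belong with any delegation like this: confirm the group has not also been made a member of a built-in group such as Account Operators, which would silently widen its reach, and remember that accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups) have their ACLs overwritten by SDProp, so OU-level delegation deliberately does not extend to them.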
There are many boundaries defined within AD. Some of the boundaries are hard coded and others can be created manually. The boundaries are usually defined based on where the delegation of administration is established. There are three primary drivers for delegation of administration of AD: organizational, operational, and legal. These delegation drivers must be included when the AD structure is created.
Organizational—In this delegation model, parts of the organization share the infrastructure to save costs but must have the ability to operate independently from the rest of the organization.
Operational—In this delegation model, a part of the organization or a specific application (or service) can create special constraints compared with the other components of AD. These constraints might include directory configurations, availability, or security. Examples of this model include military, hosting, extranets, and outward-facing AD environments.
Legal—In this delegation model, a legal requirement forces a part of the organization to function in a more secure or specific way. This might require restricted access to AD services or data. Examples of this model include financial and government agencies.