Security Planning and Administrative Delegation: Lesson 6
Administrative Delegation
Lesson 6
Skills Matrix
Technology Skill            Objective Domain    Objective #
Creating an OU Structure                        4.2
Naming Standard
User logon names will typically follow a corporate naming standard set forth during the planning stages of an Active Directory deployment.
You will usually create a naming standards document to outline the rules for naming all Active Directory objects.
This document will specify conventions such as the number and type of characters to use when creating a new object in Active Directory.
Strong Passwords
Since user names are often easily guessed, it is essential to have strong passwords:
- At least eight characters in length.
- Contains uppercase and lowercase letters, numbers, and non-alphabetic characters.
- At least one character from each of the previous character types.
- Differs significantly from other previously used passwords.
A strong password should not be left blank or contain any of the following information:
- Your user name, real name, or company name.
- A complete dictionary word.
Windows passwords for Windows Server 2008, Windows Vista, Windows Server 2003 and Microsoft Windows XP clients can be up to 127 characters in length.
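The rules above as a checking function, added here as an example and not part of the lesson. The history comparison (lowercase, trailing digits removed) is an assumed reading of "differs significantly", and the dictionary is a constructed sample list standing in for a real word list.

```powershell
# Added example, not from the lesson: checks a candidate password against the
# strong-password rules listed above. History comparison (lowercase, trailing
# digits stripped) is an assumed reading of "differs significantly"; the
# dictionary is a constructed sample list, not a real word list.
function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string]$RealName = '',
        [string]$CompanyName = '',
        [string[]]$History = @(),
        [string[]]$Dictionary = @('password', 'welcome', 'letmein', 'summer')
    )
    if ([string]::IsNullOrEmpty($Password)) { return @('Password is blank') }
    $problems = @()
    if ($Password.Length -lt 8)   { $problems += 'Fewer than eight characters' }
    if ($Password.Length -gt 127) { $problems += 'Exceeds the 127-character Windows limit' }
    # -cnotmatch is case-sensitive, so upper and lower case are checked separately
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'No uppercase letter' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'No lowercase letter' }
    if ($Password -notmatch '[0-9]')        { $problems += 'No number' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'No non-alphabetic (symbol) character' }
    # Must not contain the user name, real name or company name (case-insensitive)
    $lower = $Password.ToLower()
    foreach ($pair in @(@('user name', $UserName), @('real name', $RealName),
                        @('company name', $CompanyName))) {
        $label, $value = $pair
        if ($value -and $lower.Contains($value.ToLower())) { $problems += "Contains the $label" }
    }
    # Must not be a complete dictionary word
    if ($Dictionary -contains $lower) { $problems += 'Is a complete dictionary word' }
    # Must differ from previous passwords by more than case or a trailing number
    $stem = $lower -replace '[0-9]+$', ''
    foreach ($old in $History) {
        if (($old.ToLower() -replace '[0-9]+$', '') -eq $stem) {
            $problems += 'Too similar to a previously used password'; break
        }
    }
    return $problems
}

# Usage with constructed values; each call returns the list of rule violations.
Test-StrongPassword -Password 'Contoso2008!' -CompanyName 'Contoso'   # Contains the company name
Test-StrongPassword -Password 'Summer2008' -History @('Summer2007')   # No symbol; too similar
Test-StrongPassword -Password 'v8#Wqp!mz2' -UserName 'jdoe'           # no violations
```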
Authentication
Authentication is the process of proving who you are.
There are multiple methods of authentication:
- What you know (password or PIN).
- Who you are (retinal scan or thumb print).
- What you have (smart card).
Smart Card
Smart cards are cards about the size of a credit card.
Login information can be stored on the smart card, making it difficult for anyone except the intended user to use or access it.
Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.
Administrative Accounts
You should not use an account possessing administrative privileges for daily tasks, such as browsing the Web or monitoring email. Administrative accounts should be reserved for tasks that require administrator privileges.
Using the Administrator account or an account that is a member of Domain Admins, Enterprise Admins, or Schema Admins for daily tasks offers an opportunity for hackers to attack your network and potentially cause severe and irreversible damage.
Limiting the use of the Administrator account for daily tasks, such as email, application use, and access to the Internet, reduces the potential for this type of damage.
Organizational Units
- Can be created to represent your company's functional or geographical model.
- Can be used to delegate administrative control over a container's resources to lower-level or branch office administrators.
- Can be used to apply consistent configuration to client computers, users and member servers.
Delegation of Control
Creating OUs to support a decentralized administration model gives you the ability to allow others to manage portions of your Active Directory structure without affecting the rest of the structure.
- Delegating authority at a site level affects all domains and users within the site.
- Delegating authority at a domain level affects the entire domain.
- Delegating authority at the OU level affects only that OU and its hierarchy.
Using the Delegation of Control Wizard, you utilize a simple interface to delegate permissions for domains, OUs, or containers.
The interface allows you to specify to which users or groups you want to delegate management permissions and the specific tasks you wish them to be able to perform.
You can delegate predefined tasks, or you can create custom tasks that allow you to
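The same delegation, verification and removal that the wizard and the Security tab perform, done from the command line with dsacls, plus a dsmove and a runas as the lesson describes. This is an added example, not material from the lesson; the domain contoso.com, the OU named Branch, the group CONTOSO\BranchAdmins and the accounts are constructed placeholders.

```powershell
# Added example, not from the lesson. contoso.com, OU=Branch, CONTOSO\BranchAdmins
# and the user accounts below are constructed placeholders; substitute your own.
$ou    = 'OU=Branch,DC=contoso,DC=com'
$group = 'CONTOSO\BranchAdmins'

# 1. Delegate: let the group reset passwords on user objects inside the OU
#    (the outcome of the wizard's "Reset user passwords" predefined task).
#    /I:S = apply to child objects only; CA = a control-access right;
#    the trailing "user" limits the entry to user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Let the same group create and delete user objects in the OU. CC/DC are
# rights on the container itself, so /I:T = this object and sub-objects.
dsacls $ou /I:T /G "${group}:CCDC;user"

# 2. Verify: dsacls with only a DN lists the OU's ACL, the same entries the
#    Security tab shows. Filter on the group to confirm what was delegated.
dsacls $ou | Select-String -SimpleMatch $group

# 3. Remove every entry granted to the group if the delegation was a mistake.
dsacls $ou /R $group

# 4. Move a user into the delegated OU with dsmove (-newparent keeps the name).
dsmove 'CN=Jane Doe,CN=Users,DC=contoso,DC=com' -newparent $ou

# 5. Open Active Directory Users and Computers under a separate administrative
#    account while logged on as a standard user, as the lesson recommends.
runas /user:CONTOSO\adm-jdoe "mmc dsa.msc"
```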
Summary
- Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage.
- Securing user accounts includes educating users about the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.
- As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks.
- When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.
- Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure.
- Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.
- Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.