
Security business requirement

Security technical requirement


Design forest
Design domain
Design OU

Single or multiple: Domain
Single or multiple: Forest

Example forest: ids.com (forest root)
Child domains: ce.ids.com, it.ids.com

Once you have decided whether to create a single or multiple forests, the next step is to determine how many domains you want in your organization.

Designing Domains

Deploying a Single Domain / Deploying Multiple Domains

When simplicity in a forest is your goal, a single domain is the best decision for an Active Directory design.
Choosing a single domain has the following effects on your Active Directory:

It reduces management of the forest: if the forest has a single domain, then a domain admin is also a forest admin.
It reduces the number of required DCs: by deploying a single domain you are reducing hardware cost.

It reduces the dependency on a global catalog server for authentication.
When authenticating in a native mode domain, the authenticating DC connects to a global catalog server to determine universal group membership for the authenticating security principal.
This is not required in a single domain environment because the authenticating DC knows about all objects in the forest.

It provides an easier migration path to multiple domains:
Single domain -> multiple domains: easy
Multiple domains -> single domain: difficult

For several technical reasons you sometimes have to deploy multiple domains.
The key reason is a requirement for differing account policies.
Account policies apply at the domain level.
There is no way to implement varying account policies in a single domain.

Password policy: defines the characteristics of passwords that may be used for authentication.
Account lockout policy: specifies which action is taken after a number of failed logon attempts.
Kerberos policy: defines the maximum ticket lifetime for authentication.

Account policies must be defined carefully.
Don't make them too restrictive, otherwise they lead to an increase in help desk calls from users whose accounts have been locked out.
Restrictive password policies actually reduce network security in some cases.

Different areas of an organization can't always agree on the same password policy, so different domains have different password policies.
The password policy settings are:

Enforce password history: prevents users from reusing the same password; the policy can have a value between 0 and 24 passwords remembered.
Maximum password age: defines how frequently the password must change; the policy can have a value from 0 (password never expires) to 999 days.
Minimum password age: defines how long a newly set password must exist before the user can change it.
Minimum password length.
Password must meet complexity requirements: controls the format of the password entered by the user:
UPPER CASE
lower case
1234567890 (numeric)
!@#$%^&* (symbols)
The password can't contain the user's account name.
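The following is an added example, not code from the slide deck, that models how a domain's password policy evaluates a proposed password: the minimum length, the complexity rule (the password must contain characters from at least three of the four classes listed above and must not contain the account name), and the password history. The policy values, account name and passwords are constructed for the demonstration; the SHA-256 digest is a stand-in for how a directory would store history, not the format Active Directory uses. Note that Windows Server 2008 and later also offer fine-grained password policies, which relax the one-policy-per-domain constraint the slides describe.

```python
"""Model of the domain password-policy checks (added example, not the deck's code)."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy values mirroring the ranges on the slide."""
    history_count: int = 24     # 0..24 remembered passwords (0 = no history check)
    min_length: int = 8         # minimum password length
    complexity: bool = True     # "password must meet complexity requirements"
    max_age_days: int = 90      # 0 = password never expires
    min_age_days: int = 1       # how long a new password must exist before change


def _digest(password: str) -> str:
    """Stand-in for the stored form of a remembered password (constructed, not AD's format)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, symbol) the password uses."""
    classes = 0
    classes += any(c.isupper() for c in password)
    classes += any(c.islower() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def evaluate_password(password: str, account_name: str,
                      policy: PasswordPolicy, history: List[str]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length: shorter than {policy.min_length} characters")
    if policy.complexity:
        if _character_classes(password) < 3:
            problems.append("complexity: fewer than 3 of 4 character classes")
        if account_name and account_name.lower() in password.lower():
            problems.append("complexity: contains account name")
    if policy.history_count > 0:
        remembered = history[-policy.history_count:]
        if _digest(password) in remembered:
            problems.append("history: password was used recently")
    return problems


def remember_password(history: List[str], password: str, policy: PasswordPolicy) -> List[str]:
    """Append the new password to the history and keep only the last history_count entries."""
    updated = history + [_digest(password)]
    if policy.history_count > 0:
        updated = updated[-policy.history_count:]
    return updated


if __name__ == "__main__":
    # Constructed walk-through: a user changing password under a 3-entry history.
    policy = PasswordPolicy(history_count=3, min_length=8)
    history: List[str] = []
    for candidate in ["Summer2024!", "JsmithRocks1!", "alllowercase", "Summer2024!"]:
        result = evaluate_password(candidate, "jsmith", policy, history)
        print(f"{candidate!r}: {'accepted' if not result else result}")
        if not result:
            history = remember_password(history, candidate, policy)
```

In the walk-through the first password is accepted and remembered, the second is rejected because it contains the account name, the third because it uses only one character class, and the repeat of the first is rejected by the history check.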

Store passwords using reversible encryption for all users in the domain:
The password is saved in this format after the user changes the password for the first time after this policy is set.

Reversible encryption is used by IIS when it is configured to use digest authentication, and by dial-in users authenticating with CHAP.

Account lockout duration: values can be 0 to 99,999 minutes. If defined as 0, an admin has to unlock the account manually.
Account lockout threshold: defines how many incorrect logon attempts are allowed; values are 0 to 999 logon attempts.
Reset account lockout counter after: defines how frequently the account lockout counter is reset to zero. For example, if this policy is defined as 30 minutes, the account lockout counter is reset to zero after 30 minutes have passed since the last failed logon attempt.
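The following is an added example, not code from the slide deck, that simulates how the three lockout settings interact for one account: failed attempts increment a counter, the counter is reset once the observation window has passed since the last failure, reaching the threshold locks the account, and a duration of 0 keeps the account locked until an administrator unlocks it. Times are minutes on a constructed clock, and the policy values are constructed.

```python
"""Simulation of account lockout threshold, observation window and duration
(added example, not the deck's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Constructed values; semantics follow the three slide settings."""
    threshold: int = 5              # failed attempts allowed; 0 = never lock out
    observation_minutes: int = 30   # "reset account lockout counter after"
    duration_minutes: int = 30      # 0 = locked until an admin unlocks


class Account:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.bad_count = 0                      # failed attempts in the current window
        self.last_bad: Optional[float] = None   # time of the last failed attempt
        self.locked_at: Optional[float] = None  # time the account was locked, if any

    def is_locked(self, now: float) -> bool:
        """Locked if a lock was set and either never expires or has not yet expired."""
        if self.locked_at is None:
            return False
        if self.policy.duration_minutes == 0:
            return True
        return now < self.locked_at + self.policy.duration_minutes

    def admin_unlock(self) -> None:
        """Manual unlock: clears the lock and the failure counter."""
        self.locked_at = None
        self.bad_count = 0
        self.last_bad = None

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one logon attempt; returns 'locked', 'success' or 'failure'."""
        if self.is_locked(now):
            return "locked"
        if self.locked_at is not None:
            # A timed lock has expired: the account unlocks itself.
            self.locked_at = None
            self.bad_count = 0
        if password_ok:
            self.bad_count = 0          # a good logon clears the counter
            return "success"
        # Reset the counter if the observation window elapsed since the last failure.
        if self.last_bad is not None and now - self.last_bad >= self.policy.observation_minutes:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now        # this failure reaches the threshold
        return "failure"


def run_scenario(policy: LockoutPolicy):
    """Constructed timeline of (minute, password_ok) events; returns (results, account)."""
    events = [(0, False), (10, False), (45, False), (46, False), (47, False), (48, True)]
    account = Account(policy)
    results = [account.attempt(t, ok) for t, ok in events]
    return results, account


if __name__ == "__main__":
    results, acct = run_scenario(LockoutPolicy(threshold=3, observation_minutes=30, duration_minutes=0))
    print(results)          # ['failure', 'failure', 'failure', 'failure', 'failure', 'locked']
    acct.admin_unlock()
    print(acct.attempt(49, True))   # success
```

In the scenario the third failure at minute 45 does not lock the account, because 35 minutes have passed since the previous failure and the counter was reset to zero; the lock happens at minute 47, and with a duration of 0 the correct password at minute 48 is still refused until the admin unlocks.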

The Kerberos policy defines settings for the


Kerberos v5 authentication protocol.
These settings apply to all computers and
users in the domain where the policy is
defined. The Kerberos policy settings
available in account policy include

Enforce user logon restrictions: prevents a locked-out account from acquiring any additional service tickets after the account is locked.
Maximum lifetime for service ticket: how long a service ticket can be stored in the service ticket cache; after it times out the account will renew the service ticket.
Maximum lifetime for user ticket: after exceeding this value the ticket is discarded from the cache.
Maximum lifetime for user ticket renewal: once this period expires the user has to get a new ticket from the KDC.
Maximum tolerance for computer clock synchronization: defines how much a client computer's clock can be out of sync with a server's clock. If the clocks are out of sync by a period greater than this policy setting, authentication fails.

Differing account policies
Replication issues: a branch office connected to the main office over a WAN link, then ..
International considerations: some countries require management to take place within the country where the network is located.
Political reasons

Three-domain design for ids: ids.com (root), ce.ids.com, it.ids.com

Two-domain design for it: it.com (root), ee.it.com
