Active Directory Security

Active Directory is designed to allow a very large number of users to efficiently access potentially every network resource in the enterprise. Universal access can be great for productivity, but this freedom can pose a significant challenge to maintaining network security. It is absolutely essential that you take a systematic approach to ensuring security on your network. Security issues permeate all aspects of resource management. We cover various security topics throughout the entire book.

Security Templates

Active Directory is very good at displaying a lot of information in an easy-to-use directory structure, and the same approach is extended to managing your security configuration. You can store a complete set of security settings (account and password policies, audit policy, user rights, event log settings, registry and file system permissions, and so on) in a single text file, called a security template. Templates are plain .inf files, kept by default in %SystemRoot%\Security\Templates, so they can be put under version control and compared like any other configuration file.

There is a Security Templates snap-in available for the MMC, but it is not loaded into any console by default. Adding it to a console will simplify the process of creating and editing security templates. You can add this snap-in using the following steps:

  1. Open the Microsoft Management Console (mmc.exe) and choose Console, then Add/Remove Snap-In, then Add.

  2. You’ll see the Add Standalone Snap-In screen, shown in Figure 13-4. Choose Security Templates, click Add, and then click Close.

  3. Click the OK button and then click Save.

  4. Name the security console whatever you’d like and click the Save button.

Figure 13-4. The Add Standalone Snap-In dialog

You’ll now be able to use this snap-in to configure and view security templates. There are many predefined security templates that you can modify to suit the needs of your network. You can create your own templates from scratch, but I recommend modifying an existing template until you become thoroughly familiar with all the possible security settings.

The Security Configuration and Analysis Console

The Security Configuration and Analysis Console is an MMC snap-in that can be used to configure, analyze, and modify security settings. Security templates can be imported into the console's database, modified if needed, and then either applied directly to the local computer (Configure Computer Now) or imported into the Security Settings node of a Group Policy object so that the changes actually take effect on every computer the policy covers. Most security needs can be met by modifying existing security templates rather than configuring an entire security policy from scratch.

The Security Configuration and Analysis Console will also compare the current security settings against the database (Analyze Computer Now) and provide a report: each setting is flagged as matching, not matching, or not defined in the database. The report not only displays areas that need to be secured, but also gives you the option of letting the computer fix the discrepancies for you with Configure Computer Now. Although this is very convenient, be aware that Configure Computer Now applies every setting in the database, not just the ones flagged as mismatches, so review the analysis results, keep an export of the current configuration to roll back to, and verify afterwards that the changes are adequate to ensure a secure environment.

You can create a security database (an .sdb file) into which you can import one or more security templates, and you can import new templates into this database as needed. Creating a database and importing the first template is done with the following steps:

  1. Right-click on the Security Configuration and Analysis node in the MMC and choose Open Database.

  2. Type a name for a new security database and click OK.

  3. You’ll see the Import Template screen. Choose a template and click OK.

If you have an existing security database and you want to import another template, follow these steps:

  1. Right-click on the Security Configuration and Analysis node in the MMC and choose Open Database.

  2. Select the existing database file and click Open, then right-click the Security Configuration and Analysis node again and choose Import Template.

  3. You’ll see the Import Template screen. Choose a template and click OK.

If you need to replace the settings already in the database rather than merge another template into them, check the "Clear this database before importing" option in the Import Template screen. Without it, settings from the new template overwrite matching settings in the database, but settings defined only by the earlier templates remain in place.
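The same template-and-database workflow can be driven from the command line with secedit.exe, which is the command-line counterpart of the Security Configuration and Analysis snap-in. The script below is an added example, not part of the original text: it writes a small security template in the .inf layout described above, analyzes the local computer against it the way Analyze Computer Now does, and lists the settings that differ. It assumes an elevated PowerShell session on Windows XP or later (the /export and /analyze syntax shown is the post-Windows 2000 form), and it assumes that the analysis log reports discrepancies as "Mismatch - <setting>" lines; check your own log if the parser returns nothing.

```powershell
# Added example (not from the book): analyze the local machine against a
# hand-written security template with secedit.exe and report mismatches.
# Assumes an elevated session; nothing on the machine is changed by /analyze.

$work = Join-Path $env:TEMP 'sca-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$template = Join-Path $work 'baseline.inf'
$database = Join-Path $work 'baseline.sdb'   # the .sdb the snap-in would create
$log      = Join-Path $work 'analyze.log'

# A constructed template in the same .inf layout that secedit /export produces.
# [System Access] holds account policy; [Event Audit] uses 0=none, 1=success,
# 2=failure, 3=both for each audit category.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
'@ | Set-Content -Path $template -Encoding Unicode

# Equivalent of Open Database + Import Template + Analyze Computer Now:
# the database is filled from the template and compared with the live state.
secedit /analyze /db $database /cfg $template /log $log /quiet | Out-Null

# Assumed log format: each differing setting appears as "Mismatch - Name."
$mismatches = Select-String -Path $log -Pattern '^\s*Mismatch\s*-\s*(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

if ($mismatches) {
    "Settings that differ from the template:"
    $mismatches | ForEach-Object { "  $_" }
} else {
    "No mismatches reported (or the log format differs; inspect $log)."
}

# Applying the template is the equivalent of Configure Computer Now. It is left
# commented out on purpose: /configure writes every setting in the database,
# not only the mismatches listed above, so export the current state first so
# there is something to roll back to, then review before running it.
# secedit /export /cfg (Join-Path $work 'before.inf') /areas SECURITYPOLICY
# secedit /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY /log $log /quiet
```

Running the analysis on a schedule and diffing the mismatch list against the previous run turns the one-off GUI report into a drift check; the template file itself is what you would keep in source control.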

Audit Policies

One of the traditional tools network administrators use is the log file. A log file records events that have occurred on the network and can provide valuable clues in the event of a security breach. Logs can also be used to monitor and evaluate network performance and to provide baseline data to compare with future activity.

An audit policy defines what will be recorded in the Security log. You can audit activities such as file access, logon activity, resource usage, process tracking, and account management. You can apply an audit policy to a domain controller, stand-alone server, printer, or specific files or folders using the MMC. Auditing must be configured before the Event Viewer can be used to monitor audited events. Note that audit entries on individual files and folders only produce events if the "Audit object access" category is enabled in the computer's audit policy; the per-object entries alone record nothing. You can create an audit policy for files and folders by using the following steps:

  1. Right-click on the appropriate icon, choose Properties, and click on the Security tab.

  2. Choose the Advanced button and click on the Auditing tab, then click the Add button.

  3. Choose the users and groups for the policy to apply to and click OK.

  4. You’ll see a list of events with a Successful and Failed checkbox available. Click the boxes for the events you want to audit for the given users or groups.
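The four steps above can be scripted, which is useful when the same audit entries have to be applied to many folders. The following is an added example, not code from the book: it adds a system access control list (SACL) entry to a folder with the .NET FileSystemAuditRule class and then turns on the object-access audit category, without which the entry is inert. It assumes an elevated PowerShell session (reading or writing a SACL needs the SeSecurityPrivilege that administrators hold), a Windows Vista or later system for the auditpol syntax, and placeholder values for the folder path and the group being audited.

```powershell
# Added example (not from the book): programmatic equivalent of
# Properties > Security > Advanced > Auditing > Add for a folder.
# Assumes an elevated session; $path and $group are placeholders.
$path  = 'C:\Payroll'        # placeholder folder to audit
$group = 'BUILTIN\Users'     # placeholder principal whose access is audited

# Which accesses to record, and whether to record successes, failures or both.
# Auditing both shows denied attempts as well as the accesses that went through.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($group, $rights, $inherit, $prop, $flags)

# -Audit is required; without it Get-Acl returns the DACL only and the
# subsequent Set-Acl would not touch the SACL.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: this is the list the Auditing tab displays.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# The SACL produces events only while the "Audit object access" policy is on.
# On Windows Vista and later the relevant subcategory is "File System".
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Matching accesses then appear in the Security log (event ID 4656 when a
# handle is requested, 4663 when the object is actually accessed), which is
# what you would look for in Event Viewer.
```

Keep the audited rights narrow: auditing every access on a busy share floods the Security log and makes the events you care about harder to find and faster to roll over.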

Trust Relationships

Active Directory allows for two different types of trust relationships. A trust relationship is set up between a trusting domain and a trusted domain. The trusting domain accepts authentication from the trusted domain, so users in the trusted domain can log on to and be granted access to resources in the trusting domain. Group Policy security in the trusting domain still applies to the users logging in from the trusted domain.

The default trust relationship between a parent domain and its child domains in a Windows 2000 tree, and between the forest root domain and each tree root domain in a forest, is a two-way transitive trust. This means that if domain A trusts domain B and domain B trusts domain C, domain A automatically trusts domain C and vice versa, without any separate trust relationship between A and C.

Because each subdomain in a tree trusts the root domain and the root domain trusts its subdomains, every subdomain in a tree automatically trusts every other subdomain in the tree. Because every tree root domain in a forest trusts the forest root domain, every domain of every tree in the forest trusts every other domain in the forest. This greatly simplifies trusts in a Windows 2000 network compared to the Windows NT trust scheme, but it also means the forest, not the individual domain, is the real security boundary: an administrator who controls any domain in the forest can be trusted by every other domain in it.

The second type of trust relationship possible in Windows 2000 is a one-way nontransitive trust. This was the only option in Windows NT. In a nontransitive trust relationship, domain A decides to trust users in domain B. Domain A becomes the trusting domain in this relationship, because it trusts the users in domain B. Domain B becomes the trusted domain, because its users are trusted by domain A. Users in domain B can now log in to domain A, but users in domain A cannot log in to domain B unless a separate nontransitive trust is established in the other direction, and domains that trust A gain no access to B through it.

Nontransitive trusts can be set up between two Windows 2000 domains in different forests or between a Windows 2000 domain and a Windows NT domain. You can also set up a nontransitive trust between a Windows 2000 domain and a compliant Kerberos realm.
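Because the transitive trusts inside a forest are created automatically, the trusts worth reviewing are usually the ones that were added by hand. The following is an added example, not code from the book: it lists the current domain's trusts through the System.DirectoryServices.ActiveDirectory classes and labels each one in the trusting/trusted vocabulary used above, marking which trusts are transitive and which cross the forest boundary. It assumes a domain-joined machine, a domain user account, and PowerShell 3 or later; the "Forest" trust type belongs to Windows Server 2003 and later forests and is included so the script also works on them.

```powershell
# Added example (not from the book): enumerate this domain's trusts and
# describe each in trusting/trusted terms. Assumes a domain-joined machine
# and PowerShell 3+ (for the -in operator).
Add-Type -AssemblyName System.DirectoryServices

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest   = $domain.Forest
$inForest = $forest.Domains | ForEach-Object { $_.Name.ToLowerInvariant() }

foreach ($t in $domain.GetAllTrustRelationships()) {
    # TrustDirection is stated from the point of view of SourceName (this
    # domain). Outbound means we trust them (we are the trusting domain);
    # Inbound means they trust us (we are the trusted domain).
    $role = switch ($t.TrustDirection) {
        'Outbound'      { "$($t.SourceName) trusts $($t.TargetName)" }
        'Inbound'       { "$($t.SourceName) is trusted by $($t.TargetName)" }
        'Bidirectional' { "$($t.SourceName) and $($t.TargetName) trust each other" }
        default         { "$($t.SourceName) -> $($t.TargetName) ($($t.TrustDirection))" }
    }

    # ParentChild and TreeRoot are the automatic two-way transitive trusts
    # inside a forest. External and Kerberos trusts are the nontransitive kind
    # described above and always point outside the forest, so they are the
    # ones to review.
    $transitive    = $t.TrustType -in 'ParentChild', 'TreeRoot', 'Forest'
    $crossesForest = -not ($inForest -contains $t.TargetName.ToLowerInvariant())

    [pscustomobject]@{
        Type          = $t.TrustType
        Role          = $role
        Transitive    = $transitive
        CrossesForest = $crossesForest
    }
}
```

Run it from each domain whose trusts you are responsible for rather than once per forest: the automatic intra-forest trusts will look the same everywhere, but an external trust created from one domain shows up only in that domain's list.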
