Friday, August 3, 2007

Beef up Active Directory security with these three steps

The Active Directory (AD) structure and the data contained in that structure are the keys to a Windows domain, and it’s vital that you implement the proper security and delegation. Here are three simple steps you can take to boost AD’s security.

The Active Directory (AD) structure and the data contained in that structure are the keys to a Windows domain. If you don’t implement proper security and delegation on AD, you could mistakenly grant your users more privileges and rights than they actually need.

And when it comes to mistakes, the AD structure isn’t very forgiving. Putting the wrong privileges in the wrong hands could lead to a complete rebuild of your domain. That’s why it’s important to take three simple steps to better protect your AD implementation — plan, delegate, and audit.

Plan
Map out your company’s departmental structure. Then, use this diagram to create your own organizational units (OUs), and give them names that are meaningful to your company.

The reason for this is two-fold. By designing and naming your own OUs, you’ll create a logical place for all of your users, all of your user groups, and all of your hardware. This simplifies management of these items through the Group Policy Editor, making administration of your domain a lot easier.

In addition, creating your own OUs allows you to design your own security policy for the different OU types. This is important because the default permissions on the OUs built into AD aren’t as restrictive as they should be.
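The OU layout described above, built from a simple department list, as an added PowerShell example (this is not code from the original post). It assumes the RSAT ActiveDirectory module is available and that the department names and the Corp parent OU are placeholders for your own org chart:

```powershell
# Added example: build a departmental OU tree (Step 1: plan).
# Assumes the ActiveDirectory module from RSAT; names below are constructed placeholders.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# Departments copied from the org chart (placeholders).
$Departments = @('Finance', 'Engineering', 'Sales', 'HR')
# Each department gets the same child OUs, so Group Policy can target users,
# groups and computers separately.
$Children = @('Users', 'Groups', 'Computers')

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try {
        # -Identity throws when the OU does not exist; that is the create branch.
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
    } catch {
        # ProtectedFromAccidentalDeletion adds deny ACEs for Delete/DeleteTree so an
        # administrator cannot remove the OU (and everything under it) by mistake.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$CorpRoot = New-OuIfMissing -Name 'Corp' -ParentDN $DomainDN
foreach ($dept in $Departments) {
    $deptDN = New-OuIfMissing -Name $dept -ParentDN $CorpRoot
    foreach ($child in $Children) {
        New-OuIfMissing -Name $child -ParentDN $deptDN | Out-Null
    }
}

# Show the resulting tree for review.
Get-ADOrganizationalUnit -SearchBase $CorpRoot -Filter * |
    Sort-Object DistinguishedName |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

The script is idempotent, so it can be re-run after the org chart changes; only missing OUs are created and existing ones are left alone.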

Delegate
Administering an AD domain is a big job, and the same person or the same account shouldn’t be responsible for everything. Too many privileges tied to one account spell disaster: If an intruder compromises that account or the person holding that account leaves (or becomes disgruntled), your entire domain would be at risk.

Instead, your AD implementation should include two types of administrators: data administrators and service administrators. This helps spread out the responsibility, boosting security in the process.

Data administrators
These admins are responsible for maintaining the information stored in AD. This has nothing to do with files and folders; these administrators are in charge of user accounts, computer accounts, group accounts, and so on. A data administrator is similar to the Account Operators group of an NT domain.

Because AD requires control over all computers, it’s essential that any computer connected to your internal network is part of the domain. Otherwise, you have a computer inside your security boundary that you have no control over.

When creating accounts and groups for data administrators, assign only those rights and privileges necessary to administer the OUs within their control. In addition, make sure these accounts don’t have privileges to browse the Internet or read e-mail.

In addition, don’t allow data administrators to create accounts for other data administrators; service administrators should be responsible for this. These steps plug a tremendous security hole and force the account holders to perform only their assigned functions when using the account.

Service administrators
These admins are responsible for the day-to-day, behind-the-scenes tasks of managing and maintaining the domain. They’re also responsible for managing all of the different services the domain offers to its users. This includes the domain name system (DNS); availability of the global catalog (GC) servers; replication of data through distributed file system (DFS); your company’s domain controllers (DCs) and different sites within your forest; trust relationships with other domains; and, most important, the AD schema.

The service administrator role is quite powerful, and you should reserve this position for the most experienced and knowledgeable members of your team. Keep in mind that while these administrators have more privileges than the data administrators, their actions are also under more scrutiny.
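The delegation model above, as an added PowerShell example rather than code from the original post: a data-administrator group gets only the rights it needs (create/delete user objects and reset passwords) and only inside its own department OU, and a check confirms the group is not nested in any service-administrator group. The OU and group names are placeholders; the two schema GUIDs are the well-known values for the user object class and the Reset Password extended right, which are the same in every forest:

```powershell
# Added example: delegate data-administrator rights over one department OU (Step 2: delegate).
# Assumes the ActiveDirectory module from RSAT; OU and group names are placeholders.
Import-Module ActiveDirectory

$DeptOU    = 'OU=Finance,OU=Corp,DC=corp,DC=example'   # placeholder: the OU this team owns
$GroupName = 'Finance-DataAdmins'                      # placeholder: the data-admin group

# Well-known schema GUIDs: the 'user' object class and the 'Reset Password' extended right.
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

$group = Get-ADGroup -Identity $GroupName
$sid   = $group.SID

$acl = Get-Acl -Path "AD:\$DeptOU"

# ACE 1: create and delete user objects in this OU and every OU beneath it, nothing else.
$createDeleteUsers = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $UserClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# ACE 2: reset passwords, but only on user objects that live under this OU.
$resetPasswords = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid
)

$acl.AddAccessRule($createDeleteUsers)
$acl.AddAccessRule($resetPasswords)
Set-Acl -Path "AD:\$DeptOU" -AclObject $acl

# Check: a data-admin group must never be nested inside a service-admin group.
$ServiceAdminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
foreach ($g in $ServiceAdminGroups) {
    $memberSids = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty SID
    if ($memberSids -contains $sid) {
        Write-Warning "$GroupName is a member of '$g'; data administrators must not hold service-administrator rights."
    }
}
```

Because both ACEs are scoped to the department OU, accounts kept elsewhere (including the data administrators' own accounts, if you place them in a separate OU) are out of the group's reach, which is how the rule that data administrators do not create other data administrators is enforced in practice.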

Audit
No AD implementation would be complete without the auditing of objects and events. It’s an important part of the process — and not only as a measure of determining the succes
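One way to put object and event auditing in place for a delegated OU, as an added PowerShell example that is not from the original post: enable the Directory Service Changes audit subcategory, attach a SACL entry to the OU so writes and object creation/deletion under it are recorded, then pull the resulting events (5136 modified, 5137 created, 5141 deleted) from the Security log. The OU name is a placeholder, and the script must run on a domain controller:

```powershell
# Added example: audit changes under one OU (Step 3: audit). Run on a domain controller.
# Assumes the ActiveDirectory module from RSAT; the OU name is a placeholder.
Import-Module ActiveDirectory

$DeptOU = 'OU=Finance,OU=Corp,DC=corp,DC=example'   # placeholder

# 1. The subcategory that generates events 5136/5137/5141 for directory objects.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL entry: record successful and failed writes, creations and deletions by anyone
#    (S-1-1-0 = Everyone), inherited by every object beneath the OU.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$auditRule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, WriteDacl',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl = Get-Acl -Path "AD:\$DeptOU" -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$DeptOU" -AclObject $acl

# 3. Review: who changed what under this OU in the last 24 hours.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since } |
    ForEach-Object {
        # Each event's EventData is a list of named <Data> nodes; flatten it to a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Who       = $data['SubjectUserName']
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']   # empty for 5137/5141
        }
    } |
    Where-Object { $_.Object -like "*$DeptOU" } |
    Format-Table -AutoSize
```

Reading the report alongside the delegation you granted in step 2 is the check that matters: every change should come from a member of the department's data-admin group, and anything else is worth investigating.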


Duncan Powell said...

Great rules, thanks! You've hit the main things. From our experience it's also very important to use special tools that can not only perform some advanced operations that you're unable to do with the native ones but can also simplify some tasks. For Active Directory management and securing there are plenty of utilities. For example, a highly recommended one is Active Administrator from ScriptLogic - it works like a treat. There are also some tools from other vendors but I wasn't as impressed with them.

Aurobindo said...

Duncan Powell

Thanks for your appreciation... keep on replying like this.