What is Active Directory?
Active Directory is a database that keeps track of all the user accounts and passwords in your organization. It allows you to store your user accounts and passwords in one protected location, improving your organization's security.
Active Directory is subdivided into one or more domains. A domain is a security boundary. Each domain is hosted by a server computer called a domain controller (DC). A domain controller manages all of the user accounts and passwords for a domain.
Domains and the Domain Name System (DNS)
Domains are named using the Domain Name System (DNS). If your company is called ACME Corporation, your DNS name would be (for example) acme.com. This is the top-level domain name for your company. The security domain in Active Directory maps directly to the DNS domain name.
For larger organizations you can subdivide Active Directory into child domains (based on geography, for example). If ACME Corporation has three divisions named West, Central, and East, the sub-domains can have the DNS names west.acme.com, central.acme.com, and east.acme.com.
Each domain requires a server computer. In the above scenario you would need at least four servers to host Active Directory, as follows:
- acme.com
- west.acme.com
- central.acme.com
- east.acme.com
Active Directory, also referred to as AD, was originally created in 1996 and was first used with Windows 2000 Server as the directory service for Windows domain networks. Active Directory is a special-purpose database that serves as a central location for authenticating and authorizing all the users and computers within a network. Active Directory uses the Lightweight Directory Access Protocol (LDAP), an application protocol for accessing and maintaining distributed directory information services over an IP network.
The basic internal structure of Active Directory is a hierarchical arrangement of objects, which can be categorized broadly into resources and security principals. Examples of Active Directory objects are users, computers, groups, sites, services and printers. Every object is a single entity with a specific set of attributes. The attributes of objects, along with the kinds of objects that can be stored in AD, are defined by a schema.
The internal framework of Active Directory is divided into a number of levels on the basis of the visibility of objects. An AD network can be organized into four types of container structure, namely forests, domains, organizational units and sites.
- Forests: a forest is a collection of AD objects, their attributes and the set of attribute syntaxes.
- Domain: a domain is a collection of computer objects in AD that share a common set of policies, a name and a database of their members.
- Organizational Units: OUs are containers in which domains are grouped. They are used to create a hierarchy for the domain that resembles the structure of the company in organizational terms.
- Sites: sites are independent of the domain and OU structure and are physical groups defined by one or more IP subnets. They are used to distinguish between locations connected by low- and high-speed connections.
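The four container types and the schema-defined attributes just described can be inspected directly from a domain-joined session. The following is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and ordinary read access to the directory, and the function name Get-AdStructureSummary is our own.

```powershell
# Added example (not from the original article): map the forest, domain, OU and site
# containers described above, and show that object attributes come from the schema.
# Assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session
# with ordinary read access to the directory.
Import-Module ActiveDirectory

function Get-AdStructureSummary {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest

    # Domains: every domain in the forest, with its DNS name, its parent (a child
    # domain such as west.acme.com has one) and how many DCs host it.
    $domains = foreach ($dnsName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $dnsName
        $dcs    = @(Get-ADDomainController -Filter * -Server $dnsName)
        [pscustomobject]@{
            DnsName             = $domain.DNSRoot
            DistinguishedName   = $domain.DistinguishedName
            Parent              = if ($domain.ParentDomain) { $domain.ParentDomain } else { '<forest root>' }
            DomainControllers   = $dcs.Count
            # OUs are the containers inside a domain used to build the org hierarchy.
            OrganizationalUnits = @(Get-ADOrganizationalUnit -Filter * -Server $dnsName).Count
        }
    }

    # Sites: physical groupings defined by IP subnets, independent of the domain/OU tree.
    $allSubnets = @(Get-ADReplicationSubnet -Filter *)
    $sites = foreach ($site in Get-ADReplicationSite -Filter *) {
        $subnets = @($allSubnets | Where-Object { $_.Site -eq $site.DistinguishedName })
        [pscustomobject]@{ Site = $site.Name; Subnets = ($subnets.Name -join ', ') }
    }

    # Schema: the classSchema object for 'user' lists the attributes a user object
    # may carry; the same partition defines every other object class and attribute.
    $userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
        -Properties subClassOf, systemMayContain, mayContain
    $optionalAttrs = @(@($userClass.systemMayContain) + @($userClass.mayContain) | Where-Object { $_ })

    [pscustomobject]@{
        Forest                     = $forest.Name
        SchemaMaster               = $forest.SchemaMaster
        Domains                    = $domains
        Sites                      = $sites
        UserClassParent            = $userClass.subClassOf
        UserOptionalAttributeCount = $optionalAttrs.Count
    }
}

# Usage: a readable dump of the structure this session can see.
$summary = Get-AdStructureSummary
$summary | Format-List Forest, SchemaMaster, UserClassParent, UserOptionalAttributeCount
$summary.Domains | Format-Table -AutoSize
$summary.Sites   | Format-Table -AutoSize
```

The domain list shows the parent/child layering from the ACME example (one entry per DNS name, each with its own domain controllers), the site list shows that subnets rather than domains define sites, and the schema query shows where the "user" class and its attributes are actually defined.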
Active Directory Domain Services
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
Active Directory Rights Management Services
Your organization's intellectual property should be safe and highly secure. Active Directory Rights Management Services (AD RMS), a component of Windows Server 2008 R2, is available to help make sure that only those individuals who need to view a file can do so. AD RMS can protect a file by identifying the rights that a user has to the file. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can now safeguard data when it is distributed outside of your network.
Active Directory Federation Services
Active Directory Federation Services is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008 R2, you can simply and very securely grant external users access to your organization's domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.
Active Directory Certificate Services
Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. Active Directory Certificate Services (AD CS) enhances security by binding the identity of a person, device, or service to their own private key. Storing the certificate and private key within Active Directory helps securely protect the identity, and Active Directory becomes the centralized location for retrieving the appropriate information when an application places a request.
Active Directory Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode, can be used to provide directory services for directory-enabled applications. Rather than using your organization's AD DS database to store the directory-enabled application data, AD LDS can be used to store it instead. Two components then work in conjunction: a central location for security accounts (AD DS) and a separate location for the application's configuration and directory data (AD LDS). You can also reduce the overhead associated with Active Directory replication, avoid extending the Active Directory schema to support the application, and partition the directory structure so that the AD LDS service is deployed only to the servers that need to support the directory-enabled application.
The advantages of Active Directory for managing user accounts:
1. It provides fully integrated security in the form of user logons and authentication.
2. It simplifies administration through group policies and permissions.
3. It makes resources easy to identify.
4. It provides scalability, flexibility and extensibility.
5. It is tightly integrated with DNS for all its operations, which improves identification and migration.
6. Its services provide automatic replication of information between domain controllers.
7. It also supports integration with other directory services.
8. It supports multiple authentication protocols.
There are plenty of built-in groups to choose from. Some groups are used for administration of Active Directory, services, and other important directory service features. These groups are located in the Users container, as shown in Figure 1. These groups include:
- Cert Publishers
- DNSAdmins
- Domain Admins
- DHCP Admins
- Enterprise Admins
- Group Policy Creator Owners
- Schema Admins
These groups are essential for Active Directory and should be used to provide administrative control over these areas. It is not really possible to use Delegation to replace the functions that these groups provide.
Another category of built-in groups falls under a different place in Active Directory. They are located in the Builtin container, as shown in Figure 2. These groups include:
- Administrators
- Account Operators
- Backup Operators
- Server Operators
- Print Operators
The built-in groups have a very distinct scope. They are designed to be used on the domain controllers and the domain controllers only. We know this because all of these groups are Domain Local (Local in Windows NT). This means that they are to be used to provide privileges to administrators that need to perform tasks on the domain controllers.
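Because membership in any of the groups listed above (the Users-container groups and the Builtin groups) confers domain-wide administrative capability, their membership is worth checking on a schedule. The following is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module, a session in the forest root domain (where Enterprise Admins and Schema Admins live), and the group names exactly as the text gives them ("DHCP Admins" included), so a name that does not exist in your domain is reported rather than treated as an error. The function names and the approved-member baseline are our own constructions.

```powershell
# Added example (not from the original article): audit membership of the built-in
# groups named above and flag members outside an approved baseline.
# Assumes the ActiveDirectory module and a session in the forest root domain.
Import-Module ActiveDirectory

# Names as listed in the text: groups in CN=Users, then groups in CN=Builtin.
$UsersContainerGroups = 'Cert Publishers', 'DNSAdmins', 'Domain Admins', 'DHCP Admins',
                        'Enterprise Admins', 'Group Policy Creator Owners', 'Schema Admins'
$BuiltinGroups        = 'Administrators', 'Account Operators', 'Backup Operators',
                        'Server Operators', 'Print Operators'

function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = ($UsersContainerGroups + $BuiltinGroups))

    foreach ($name in $GroupNames) {
        # -Filter returns nothing (instead of an error) when the group does not exist.
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) {
            [pscustomobject]@{ Group = $name; Container = '(not found)'; Scope = $null; Member = $null; ObjectClass = $null }
            continue
        }
        # The parent of the DN shows whether the group sits in CN=Users or CN=Builtin;
        # GroupScope confirms the "Domain Local" point made above for the Builtin groups.
        $container = ($group.DistinguishedName -split ',', 2)[1]
        # -Recursive expands nested groups so members inherited through another group are not missed.
        $members = @(Get-ADGroupMember -Identity $group -Recursive)
        if ($members.Count -eq 0) {
            [pscustomobject]@{ Group = $name; Container = $container; Scope = $group.GroupScope; Member = '(empty)'; ObjectClass = $null }
        }
        foreach ($m in $members) {
            [pscustomobject]@{ Group = $name; Container = $container; Scope = $group.GroupScope; Member = $m.SamAccountName; ObjectClass = $m.objectClass }
        }
    }
}

# Constructed baseline of the members you expect in each group (edit for your environment);
# a group absent from this table is expected to be empty.
$ApprovedMembers = @{
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @('Administrator')
    'Administrators'    = @('Administrator')
}

function Find-UnexpectedPrivilegedMembers {
    Get-PrivilegedGroupReport | Where-Object {
        $_.Member -and $_.Member -ne '(empty)' -and
        $_.Member -notin @($ApprovedMembers[$_.Group])
    }
}

# Usage: the full picture first, then only the memberships that need an explanation.
Get-PrivilegedGroupReport | Format-Table -AutoSize
Find-UnexpectedPrivilegedMembers | Format-Table Group, Member, ObjectClass -AutoSize
```

Running the report on a schedule and diffing the flagged rows against the previous run is a cheap way to notice an account being added to one of these groups; the Container and Scope columns also let you verify the two placement claims the text makes (Users versus Builtin, and Domain Local scope for the Builtin groups).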
Another way to confirm this is that each local Security Accounts Manager (SAM) on the clients and servers has its own local built-in groups to perform these duties. The Administrators and Backup Operators groups are in every SAM. The other groups are not needed in the local SAM, because the Administrators group or Power Users group provides the privilege to accomplish the associated tasks on a client or server.
It is important to know not only the scope of these built-in groups, but also the capabilities of these groups. Table 1 lists what each group can do.
| Privilege | Administrators | Account Operators | Backup Operators | Print Operators | Server Operators |
|---|---|---|---|---|---|
| Create, delete, and manage user and group accounts | X | X | | | |
| Read all user information | X | X | X | | |
| Reset password for user accounts | X | X | | | |
| Share directories | X | X | | | |
| Create, delete, and manage printers | X | X | X | | |
| Backup files and directories | X | X | X | | |
| Restore files and directories | X | X | X | | |
| Log on locally | X | X | X | X | X |
| Shut down the system | X | X | X | X | X |
Table 1: Privileges of built-in groups in Active Directory
As you scan through the capabilities that the members of the built-in groups have, keep in mind that these capabilities have the scope of all domain controllers in the domain, as well as all objects within the domain. Therefore, if you add a user to one of these groups, you can't scale down their scope of influence.
For example, it is common to want a junior administrator or the helpdesk staff to reset passwords for users in the domain. With the built-in groups, you would simply add them to the Account Operators group to accomplish this. However, take a look at the other privileges that this membership provides them. They can also perform all of the following tasks:
- Create, delete, and manage user accounts
- Create, delete, and manage group accounts
- Log on locally
- Shut down the system
As you can see, these additional privileges vastly expand the scope of influence compared to the original desire to just have the administrators reset passwords.
Another key point about our example is to consider which user accounts they would be able to reset the password for. If you give a user membership in the Account Operators group, they will be able to reset the password for the following users:
- Administrator account
- All IT staff
- Executives
- HR personnel
source: microsoft & windowsecurity
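The helpdesk scenario above has a narrower alternative: delegate only the "reset password" right, only on the OU that holds the accounts the helpdesk is supposed to handle, and keep the group out of Account Operators. The following is an added example, not code from the original article or from Microsoft; it assumes the ActiveDirectory PowerShell module, rights to edit the OU's ACL, and placeholder names for the OU and the delegate group. The two function names are our own; the GUIDs are the standard schema GUIDs for the User-Force-Change-Password extended right and the user object class.

```powershell
# Added example (not from the original article): grant a helpdesk group only the
# "reset password" right on one OU instead of Account Operators membership, then
# verify the delegation and that the group is not also in Account Operators.
# Assumes the ActiveDirectory module and rights to edit the OU's ACL; the OU and
# group names in the usage lines are placeholders.
Import-Module ActiveDirectory

# Well-known schema GUIDs: the User-Force-Change-Password ("Reset Password")
# extended right and the 'user' object class the right is limited to.
$ResetPasswordRightGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClassGuid          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-ResetPasswordOnOu {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$DelegateGroupSam
    )
    $sid = (Get-ADGroup -Identity $DelegateGroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # One ACE: allow the extended right, on user objects only, inherited by every
    # descendant of the OU. No create/delete, no group management, no logon rights.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Test-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$DelegateGroupSam
    )
    $group = Get-ADGroup -Identity $DelegateGroupSam -Properties memberOf
    $acl   = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Compare ACEs by SID so the check does not depend on name translation.
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $group.SID -and $_.ObjectType -eq $ResetPasswordRightGuid }

    [pscustomobject]@{
        Group                = $DelegateGroupSam
        HasResetPasswordOnOu = [bool]$aces
        # The over-broad alternative from the text: membership in the Builtin group.
        InAccountOperators   = [bool]($group.memberOf -match '^CN=Account Operators,CN=Builtin,')
    }
}

# Usage (placeholder OU and group): delegate, then verify.
Grant-ResetPasswordOnOu -OuDistinguishedName 'OU=Staff,DC=acme,DC=com' -DelegateGroupSam 'Helpdesk-PasswordReset'
Test-ResetPasswordDelegation -OuDistinguishedName 'OU=Staff,DC=acme,DC=com' -DelegateGroupSam 'Helpdesk-PasswordReset'
```

The expected result is HasResetPasswordOnOu = True and InAccountOperators = False. Members of the delegate group can then run Set-ADAccountPassword -Reset against users under that OU and nothing else, which is the scope the text says Account Operators membership cannot give you. Accounts protected by AdminSDHolder do not inherit the OU's ACL, so this delegation never reaches them.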