Security Planning and Administrative Delegation Lesson 6

Skills Matrix Technology SkillObjective DomainObjective # Creating an OU StructureMaintain Active Directory accounts 4.2

Lesson 6 Configuring Strong Passwords At least eight characters in length Contains uppercase and lowercase letters, numbers, and nonalphabetic characters At least one character from each of the previous character types Differs significantly from other previously used passwords

Lesson 6 Implementing Smart Cards for Authentication Users no longer need to remember passwords. All information is stored on the smart card, making it difficult for anyone except the intended user to use or access it. Security operations, such as cryptographic functions, are performed on the smart card itself rather than on the network server or local computer. This provides a higher level of security for sensitive transactions.

Lesson 6 Implementing Smart Cards for Authentication (cont.) Smart cards can be used from remote locations, such as a home office, to provide authentication services. The risk of remote attacks using a username and password is significantly reduced by smart cards.

Lesson 6 Installing Active Directory Certificate Services Click Start, and then select Server Manager. Click Roles, and then select Add roles. On the Select Server Roles screen, place a checkmark next to Active Directory Certificate Services and click Next. Click Next after you read the information displayed.

Lesson 6 Installing Active Directory Certificate Services (cont.) Select the Certification Authority component, and click Next to continue. Select Enterprise and click Next to continue.

Lesson 6 Installing Active Directory Certificate Services (cont.) Select Root CA, and click Next to continue. Select Create a new private key, and click Next to continue. On the Configure Cryptography for CA screen, click Next to accept the default values for the cryptographic service provider (CSP), key character length, and hash algorithm.

Lesson 6 Installing Active Directory Certificate Services (cont.) Click Next to accept the default values. On the Set the Certificate Validity Period screen, select a validity period of 2 years, and click Next to continue.

Lesson 6 Installing Active Directory Certificate Services (cont.) Click Next to accept the default values and continue. Click Install after you confirmed your installation choices. Click Close after the installation has completed.

Lesson 6 Enabling a User Account for Smart Card Authentication Open Active Directory Users and Computers. Navigate to the container holding the user you wish to modify. Right-click the user account, and select Properties.

Lesson 6 Enabling a User Account for Smart Card Authentication (cont.) In the Properties dialog box, select the Account tab. In the Account Options list, click Smart Card Is Required For Interactive Logon, and then click OK.

Lesson 6 Using Run As from the GUI From the Start button, navigate to the application you wish to run. Press and hold the Shift key, and right-click the desired application. Select the Run as administrator option.

Lesson 6 Using Run As from the GUI (cont.) If you are already logged on as an administrative user, you will be presented with a User Account Control confirmation dialog box. Click Continue to launch the selected program using administrative credentials.

Lesson 6 Delegating Administrative Control of an OU Open Active Directory Users and Computers. Right-click the object to which you wish to delegate control, and click Delegate Control. Click Next on the Welcome to the Delegation of Control Wizard page. Click Add on the Users or Groups page.

Lesson 6 Delegating Administrative Control of an OU (cont.) In the Select Users, Computers, or Groups dialog box, key the user or group to which you want to delegate administration in the Enter the object names to select box, and click OK. Click Next to proceed. Click Create a custom task to delegate, and click Next.

Lesson 6 Delegating Administrative Control of an OU (cont.) Click This folder, existing objects in this folder, and creation of new objects in this folder. Click Next to proceed.

Lesson 6 Delegating Administrative Control of an OU (cont.) On the Permissions page shown in Figure 6-9, set the delegated permissions according to your needs for the user or group that has delegated control. After selecting the appropriate permissions, click Next to proceed. Review your choices carefully, and click Finish.

Lesson 6 Verifying and Removing Delegated Permissions Open Active Directory Users and Computers. Click the View menu, and then click Advanced Features. Navigate in the left pane to the object for which you wish to verify delegated permissions, right- click the object, and select Properties. On the Security tab, click Advanced.

Lesson 6 Verifying and Removing Delegated Permissions (cont.) On the Permissions tab under Permissions entries, view the assigned permissions. Select the user or group for which you wish to remove delegated control privileges, and click Remove. Click OK twice to exit the Properties window.

Lesson 6 Moving an Object Between OUs Using Drag-and-Drop In Active Directory Users and Computers, select the object you wish to move.  If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move. While holding down the left mouse button, drag the object to the desired destination OU and release the mouse. The object will appear in its new location.

Lesson 6 Moving an Object Between OUs Using the Move Option In Active Directory Users and Computers, select the object you wish to move.  If you wish to move multiple objects, press and hold the Ctrl key while selecting the objects you wish to move. Right-click the selected object(s), and select Move from the shortcut menu.

Lesson 6 Moving an Object Between OUs Using the Move Option (cont.) In the Move dialog box, select the container object that is the destination for the selected objects, and click OK.

Summary You Learned Creating a naming standards document will assist in planning a consistent Active Directory environment that is easier to manage. Securing user accounts includes educating users to the risks of attacks, implementing a strong password policy, and possibly introducing a smart card infrastructure into your environment.

Summary You Learned (cont.) As part of creating a secure environment, you should create standard user accounts for administrators and direct them to use Run as administrator or runas when performing administrative tasks. When planning your OU structure, consider the business function, organizational structure, and administrative goals for your network. Delegation of administrative tasks should be a consideration in your plan.

Summary You Learned (cont.) Administrative tasks can be delegated for a domain, OU, or container to achieve a decentralized management structure. Permissions can be delegated using the Delegation of Control Wizard. Verification or removal of these permissions must be achieved through the Security tab in the Properties dialog box of the affected container.

Summary You Learned (cont.) Moving objects between containers and OUs within a domain can be achieved by using the Move menu command, the drag-and-drop feature in Active Directory Users and Computers, or the dsmove utility from a command line.