Security principals are Active Directory objects that are assigned
security identifiers (SIDs). A SID is a unique identifier that is used to
manage any object to which permissions can be assigned.
A foreign security principal allows permissions to be assigned to
users that are not part of the Active Directory forest. Foreign security
principals can be added to Domain Local groups which, in turn, can be granted
permissions for resources within the domain.
Delegation is the process by which a higher-level security
administrator assigns permissions to other users. This is useful for assigning
other users small administrative tasks such as managing an OU or resetting
passwords for an OU.
There are three basic types of Active Directory objects that serve as
security principals and are the basis of the Active Directory security
architecture. These are:
- User Accounts
- Security Groups
- Computer Accounts
Users and Groups
The fundamental security principals that are used for security administration
include Users and Groups. Here, we will focus on how Users and Groups
interact and the different types of Groups that can be created.
Group Scope
The scope of a Group defines two characteristics: first, it determines the
level of security that applies to a Group; second, it determines which users
can be added to the group. Group scope is an important concept in network
environments because it ultimately defines which resources users will be
able to access.
The three types of Group scope are as follows:
- Domain Local
The scope of Domain Local groups extends as far as the local
machine. They can contain Global groups, Universal groups,
and User accounts.
- Global
The scope of Global groups is limited to a single domain.
Global groups may contain any of the users that are a part
of the Active Directory domain in which the Global group
resides. Global groups are often used for managing domain
security permissions based on job functions.
- Universal
Universal groups can contain users from any domains within
an Active Directory forest. Therefore Universal groups are
used to manage security across domains within a forest.
Universal groups are only available when the Active Directory
is running in native mode. Universal groups usually contain
Global groups that pertain to the same job functions across
the forest.
If you had domain1 Engineering and domain2 Engineering Global
groups, you could nest the two Global groups in a Universal
group named corpEngineers. When you want to change corporate
access permissions for all engineers in the company, you can
make changes to the Universal group.
In order to process authentication between domains in an
AD forest, information about the membership in Universal
groups is stored in the Global Catalog (GC). Keep in mind
if you ever plan to place Users directly into Universal
groups, bypassing Global groups, the Global Catalog will
grow in size, thus degrading replication performance
throughout the forest.
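The nesting scenario above (domain1 and domain2 Engineering Global groups inside a corpEngineers Universal group), followed by the Global Catalog check the last paragraph calls for, written in PowerShell as an added example. This is not code from the original notes. It assumes the ActiveDirectory module, two domains named domain1.example and domain2.example with a domain controller in each, an OU=Groups container in each, and rights to create groups; all of those names are assumptions.

```powershell
# Added example; not code from the original notes. Assumes the ActiveDirectory
# PowerShell module, two domains domain1.example and domain2.example
# (hypothetical names), a DC in each, an OU=Groups container in each, and
# rights to create groups. Group names follow the scenario in the notes.
Import-Module ActiveDirectory

$dc1 = 'dc1.domain1.example'   # forest root DC (assumption)
$dc2 = 'dc1.domain2.example'

# Global groups hold users from their own domain only.
New-ADGroup -Name 'Engineering' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=domain1,DC=example' -Server $dc1
New-ADGroup -Name 'Engineering' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=domain2,DC=example' -Server $dc2

# The Universal group nests the two Global groups; corporate-wide access
# changes are then made on corpEngineers alone.
New-ADGroup -Name 'corpEngineers' -GroupScope Universal -GroupCategory Security `
    -Path 'OU=Groups,DC=domain1,DC=example' -Server $dc1

$eng1 = Get-ADGroup -Identity 'Engineering' -Server $dc1
$eng2 = Get-ADGroup -Identity 'Engineering' -Server $dc2
# Adding DNs to the member attribute with Set-ADGroup works for members
# from another domain, which is the reliable way to nest cross-domain groups.
Set-ADGroup -Identity 'corpEngineers' -Server $dc1 `
    -Add @{ member = @($eng1.DistinguishedName, $eng2.DistinguishedName) }

# Global Catalog check: Universal groups that hold user accounts directly
# (rather than nested Global groups) push every such member into the GC.
function Find-DirectUniversalUsers {
    param([string]$Server = $dc1)
    Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Server $Server |
        ForEach-Object {
            $group = $_
            $users = Get-ADGroupMember -Identity $group -Server $Server |
                Where-Object { $_.objectClass -eq 'user' }
            if ($users) {
                [pscustomobject]@{
                    Group       = $group.Name
                    DirectUsers = ($users.SamAccountName -join ', ')
                    Count       = @($users).Count
                }
            }
        }
}
Find-DirectUniversalUsers | Format-Table -AutoSize
```

Run Find-DirectUniversalUsers periodically; any row it returns is a Universal group whose direct user members are being replicated to every Global Catalog in the forest, and the fix is to move those users into a Global group that is then nested in the Universal group.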
Built-in Local Groups
Built-in Local groups are used to perform administrative functions on the
local server. These groups have predefined permissions and privileges
which allow administrators to easily assign common management functions.
- Account Operators - Members of this group can create and modify Domain User and Group accounts. Members of this group are generally responsible for the daily administration of the AD.
- Administrators - Members of the administrators group are given full permissions to perform any function within the AD domain and on the local computer. This includes the ability to access all files and resources that reside on any server within the domain.
- Backup Operators - Members of the backup operators group are able to bypass standard file system security for the purpose of backup and recovery only. They cannot, however, directly access or open files within the file system.
- Guests - The Guests group is generally used to provide access to resources that do not require security.
- Print Operators - Members of the print operators group are given permissions to administer all of the printers within a domain. This includes common functions such as changing the priority of print jobs and deleting items from the print queue.
- Replicator - The replicator group was created to allow the replication of files between the computers in a domain. Accounts that are used for replication-related tasks are added to this group to provide them with the permissions necessary to keep files synchronized across multiple computers.
- Server Operators - Members of the server operators group are granted the permissions necessary to manage services, shares, and other system settings.
- Users - The users group is often used as a generic grouping for network accounts. This group is given minimal permissions and is used for the application of security settings that apply to most employees within an organization.
Predefined Global Groups
Global groups are used for managing permissions at the domain level. The
following predefined Global groups are installed in the Users folder:
- Cert Publishers - User accounts are placed within the Cert Publishers group if they require the ability to publish security certificates. Generally, these accounts will be used by Active Directory security services.
- Domain Computers - All of the computers that are a member of the domain are generally members of the Domain Computers group. This includes any workstations or servers that have joined the domain but does not include the domain controllers.
- Domain Admins - Members of the Domain Admins group have full permissions to manage all of the AD objects for this domain.
- Domain Controllers - All of the domain controllers for a given domain are generally included within the Domain Controllers group.
- Domain Guests - Generally, members of the Domain Guests group are given minimal permissions with respect to resources. This is used for temporary access to the domain.
- Domain Users - The Domain Users group usually contains all of the User accounts for the given domain. This group is generally given basic permissions to resources that do not require higher levels of security.
- Enterprise Admins - Members of the Enterprise Admins group are given full permissions to perform actions within the entire domain forest. This includes functions such as managing trust relationships and adding new domains to trees and forests.
- Group Policy Creator Owners - Members of the Group Policy Creator Owners group are able to create and modify Group Policy settings for objects within the domain.
- Schema Admins - Members of the Schema Admins group are given permissions to modify the Active Directory schema.
The Enterprise and Schema Admins groups are stored in the Forest Root
Domain (the first domain created in the forest). These groups are
global groups in mixed mode, universal groups in native mode. The
only default member of the Enterprise Admins group is the
administrator from the forest root domain.
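Because the built-in and predefined groups listed above carry administrative rights, reviewing who is in them (including members inherited through nested groups) is a routine check. The following PowerShell report is an added example, not code from the original notes. It assumes the ActiveDirectory module and read access to the forest; Enterprise Admins and Schema Admins are read from the forest root domain, which is where the notes say they are stored.

```powershell
# Added example; not code from the original notes. Assumes the ActiveDirectory
# module and read access to the forest. Group names are the built-in and
# predefined groups listed above; Enterprise Admins and Schema Admins are
# read from the forest root domain, where the notes say they live.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    # Turn 'CN=x,OU=y,DC=corp,DC=example' into 'corp.example'.
    param([string]$DistinguishedName)
    $dc = ($DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
    ($dc -replace '^DC=', '') -join '.'
}

function Get-PrivilegedGroupReport {
    $rootDomain = (Get-ADForest).RootDomain
    $thisDomain = (Get-ADDomain).DNSRoot
    $targets = @(
        @{ Name = 'Enterprise Admins';           Domain = $rootDomain },
        @{ Name = 'Schema Admins';               Domain = $rootDomain },
        @{ Name = 'Domain Admins';               Domain = $thisDomain },
        @{ Name = 'Administrators';              Domain = $thisDomain },
        @{ Name = 'Account Operators';           Domain = $thisDomain },
        @{ Name = 'Server Operators';            Domain = $thisDomain },
        @{ Name = 'Backup Operators';            Domain = $thisDomain },
        @{ Name = 'Group Policy Creator Owners'; Domain = $thisDomain }
    )
    foreach ($t in $targets) {
        # -Recursive expands nested groups, so a user placed two levels
        # down (Global group inside a Universal group) is still reported.
        $members = Get-ADGroupMember -Identity $t.Name -Server $t.Domain -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            # Each user is looked up in its own domain, since members of the
            # forest-root groups can come from any domain in the forest.
            $userDomain = Get-DomainFromDN $m.DistinguishedName
            $u = Get-ADUser -Identity $m.DistinguishedName -Server $userDomain `
                -Properties Enabled, LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $t.Name
                User            = "$userDomain\$($u.SamAccountName)"
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
    }
}
Get-PrivilegedGroupReport | Sort-Object Group, User | Format-Table -AutoSize
```

The Enabled, LastLogonDate and PasswordLastSet columns are there so that disabled or long-idle accounts that still hold group membership stand out; those are the rows to remove first.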
Permissions
Once you have users grouped, you will need to set the permissions that will
apply to the users and groups. The permissions available will vary with
different types of AD objects.
- Control Access - Changes security permissions on the object.
- Create Child - Creates objects within an OU (such as other OUs).
- Delete Child - Deletes child objects within an OU.
- Delete Tree - Deletes an OU and the objects within it.
- List Contents - Views objects within an OU.
- List Object - Views a list of the objects within an OU.
- Read - Views properties of an object (such as a username).
- Write - Modifies properties of an object.
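The permissions above are set as access control entries on the AD object. The delegation case from the start of these notes (letting a group reset passwords for one OU) is a good illustration, since it grants a single control-access right rather than Write on the whole OU. The following PowerShell is an added example, not code from the original notes; it assumes the ActiveDirectory module (which provides the AD: drive), a domain corp.example, an OU named Sales and a group named HelpDesk, all hypothetical.

```powershell
# Added example; not code from the original notes. Assumes the ActiveDirectory
# module (which provides the AD: drive), a domain corp.example, an OU named
# Sales and a group named HelpDesk (all hypothetical). It grants HelpDesk the
# "Reset Password" control-access right on user objects under the OU, which
# is the delegation scenario described earlier, and then reads the OU's
# explicit ACEs back for review.
Import-Module ActiveDirectory

$ouDN  = 'OU=Sales,DC=corp,DC=example'
$group = Get-ADGroup -Identity 'HelpDesk'

# Schema GUIDs: the Reset Password (User-Force-Change-Password) right and
# the user object class, so the ACE applies only to user objects.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass
)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

function Get-DelegatedAces {
    # Non-inherited ACEs on an OU are the ones set by delegation; inherited
    # ones come from the domain or from parent OUs.
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedAces -DistinguishedName $ouDN | Format-Table -AutoSize
```

Get-DelegatedAces is the review half: running it against each OU lists exactly which principals have been delegated which rights, with the ObjectType GUID telling you whether an ExtendedRight entry is the narrow Reset Password right or something broader.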
Administrative Tools
Local Security Policy
The Local Security Policy settings pertain to the local computer only. These
settings are useful when you have specific computers that require custom
security configurations (web server vs. database server).
Domain Security Policy
The Domain Security Policy utility is used to view security settings that
apply to all of the objects within a domain. This utility allows you to
specify settings such as the audit policy, System Service settings, and
other options. Unless specifically overridden, these settings will apply
to all of the domain controllers within the domain.
Domain Controller Security Policy
The Domain Controller Security Policy utility is similar to the Domain
Security Policy utility. The difference is that the settings you make with
this tool apply only to the local domain controller rather than to all domain
controllers. This utility is useful when you want to specify different
settings on different domain controllers.
Security Configuration and Analysis Tool
The Security Configuration and Analysis tool can be used to create, modify,
and apply security settings in the Registry through the use of Security
Template files. Security Templates allow systems administrators to
define security settings once and then store this information in a file that
can be applied to other computers. This tool is not listed in the
Administrative Tools program group. You must open an MMC console and choose
it from the list of snap-ins.
The process for working with the Security Configuration and Analysis tools
is as follows:
- Open or create a Security Database file.
- Import an existing Template file.
- Analyze the local computer.
- Make any setting changes.
- Save any template changes.
- Export the new template (optional).
- Apply the changes to the local computer (optional).
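The same cycle can be driven from the command line with secedit.exe, which works on the same database and template files as the snap-in. The following PowerShell is an added example, not code from the original notes; the file names under C:\SecAudit and the contents of the template are assumptions, and it has to run from an elevated session.

```powershell
# Added example; not code from the original notes. Runs the notes' steps with
# secedit.exe, the command-line counterpart of the Security Configuration and
# Analysis snap-in. File names under C:\SecAudit are assumptions; the template
# contents are a small constructed baseline. Run from an elevated session.
$workDir  = 'C:\SecAudit'
$template = Join-Path $workDir 'baseline.inf'
$database = Join-Path $workDir 'baseline.sdb'
$log      = Join-Path $workDir 'baseline.log'
$exported = Join-Path $workDir 'current.inf'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# A minimal Security Template (.inf) in the same format as the files in the
# default Templates directory. 3 under [Event Audit] means success and failure.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
'@ | Set-Content -Path $template -Encoding Unicode

# Steps 1-2: create the database and import the template into it.
secedit /import /db $database /cfg $template /overwrite /quiet

# Step 3: compare the local computer's settings against the database.
secedit /analyze /db $database /log $log

function Get-SeceditMismatches {
    # The analysis log marks each setting that differs from the template
    # with the word "Mismatch"; pull those lines out for review.
    param([string]$LogPath)
    Get-Content -Path $LogPath | Where-Object { $_ -match 'Mismatch' }
}
Get-SeceditMismatches -LogPath $log

# Step 6 (optional): export the database settings as a new template file.
secedit /export /db $database /cfg $exported

# Step 7 (optional): apply the database settings to the local computer.
# These land in the local registry and persist, unlike Group Policy settings.
# secedit /configure /db $database /log $log
```

The /configure line is left commented out because analysis is safe to repeat on any machine, while configuration changes the local registry permanently; run it only once the mismatch list has been reviewed.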
The Security Template files are stored by default in the
\WINNT\Security\Templates\ directory.
The Security Templates and Security Configuration and Analysis Tools allow
you to make permanent changes to the computer in the local registry. You
will see similar settings in the Group Policy Tool under
[Computer|User] Configuration/Windows Settings/Security Settings/. The
difference is that the changes made by Group Policy are for the duration
of the Computer and User connection in which it is applied. After logoff,
the configuration is out of scope and the changes are dropped. Changes made
by Security Templates are entered into the local computer's registry and
are never lost.
Universal groups and Domain Local groups can contain members from
throughout the forest. Other group types cannot.
Universal groups can be moved between domains while all of the other group
types must be re-created manually.
To enable auditing:
1. Enable auditing with the AD Users and Computers tool.
2.1. Specify auditing options on the OU with the AD Users and Computers tool.
2.2. Enable failure and success auditing settings for specific file
stores on NTFS volumes.
3. View the audit log using the Event Viewer tool.
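Step 2.2 and step 3 of the auditing procedure, carried out from PowerShell as an added example, not code from the original notes. It assumes a folder D:\Finance and a group CORP\Finance (both hypothetical) and an elevated session. auditpol.exe and Security event ID 4663 exist on Windows Vista/Server 2008 and later; on the Windows 2000-era systems these notes describe, the policy half is done in the policy tools named above and the log is read in Event Viewer.

```powershell
# Added example; not code from the original notes. Carries out step 2.2 on a
# folder D:\Finance for a group CORP\Finance (both hypothetical) and then reads
# the resulting entries from the Security log, the same log Event Viewer shows
# in step 3. auditpol.exe and event ID 4663 exist on Vista/2008 and later.
# Run from an elevated session (reading and writing a SACL needs it).
$folder   = 'D:\Finance'
$identity = 'CORP\Finance'

# Policy side: object-access auditing for the file system must be on, or
# the SACL below never produces events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2.2: success and failure auditing of writes and deletes, inherited
# by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @($identity, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit      # -Audit reads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

function Get-FolderAuditRules {
    # Show the SACL so the new entry can be confirmed.
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}
Get-FolderAuditRules -Path $folder | Format-Table -AutoSize

function Get-RecentFileAuditEvents {
    # Step 3: 4663 is "An attempt was made to access an object", written for
    # each audited access that matches a SACL entry.
    param([string]$PathPrefix, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$PathPrefix*" } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}
Get-RecentFileAuditEvents -PathPrefix $folder | Format-Table -AutoSize
```

Auditing only Write and Delete (rather than ReadData as well) keeps the Security log from filling with one event per file read; widen the rights only for folders where read access itself matters.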
Group Policy can be linked to OUs, but not to AD Users, Computers, or Groups.
An OU is not a security principal; AD Users, Computers, and Groups are.