Practical Windows Security: Role and Function of an Active Directory - Term Paper Example

Summary
This paper "Practical Windows Security: Role and Function of an Active Directory" discusses tools for which active directory provides security. The paper analyses the importance of group policies and the role they play can be demonstrated by an example…

Extract of sample "Practical Windows Security: Role and Function of an Active Directory"

Practical Windows Security: Role and Function of an Active Directory within a Native Windows 2000 Network for a Security Perspective

TABLE OF CONTENTS

INTRODUCTION
TOOLS FOR WHICH ACTIVE DIRECTORY PROVIDES SECURITY
    Delegation of Power
    Group Policies
    Software Rollout
ACCESS CONTROL LISTS
WINDOWS 2000 SINGLE LOG ON
WINDOWS 2000 SCHEMA
    Security in the Schema
CONCLUSION
REFERENCE LIST

INTRODUCTION

The Active Directory is a technology released by Microsoft. It was first reviewed in 1999; however, the technology became available on the market with the Windows Server 2000 edition. It was later revised to meet the requirements of Windows Server 2003 and then 2008. When it was revised for Windows Server 2008 and Windows Server 2008 R2, its name was changed to Active Directory Domain Services.

The Active Directory has a number of functions that are concerned with networking. When a Windows Server is installed onto a computer, the user has the option to choose a particular server role for that computer. If the user wants to make a new forest, a new domain or an additional domain controller in an existing domain, the role of the domain controller can be configured by installing an Active Directory. By definition, the role of the domain controller is to store a specific domain directory partition comprising information about the domain where it is present, as well as the schema and configuration directory partitions of the entire forest (Windows Server TechCenter, 2010).

The Windows 2000 Native mode represents the highest level that was available in Windows 2000 and contains more features of forests and domains than the Windows 2000 Mixed mode (Amini et al., 2006). When making an Active Directory forest, the number of domains should be kept to a minimum. The forest is the basis for the security boundary of the Active Directory, and a forest with a limited number of domains is more manageable (Allen & Hunter, 2006).

TOOLS FOR WHICH ACTIVE DIRECTORY PROVIDES SECURITY

Active Directory is a directory service. It is also a hierarchical data store that holds information about the network the user is connected to and enables administrators to manage and locate objects (Desmond et al., 2008). The term directory refers to two things: it acts as a repository for account information, and it is also a self-replicating application data store that is put into practice with the help of application partitions (Seguis, 2008). To establish security policies for Windows 2000, administrators need to analyze network traffic trends, create security profiles for each traffic pattern and build the relevant security policies (Brovick et al., 2001). The Active Directory provides security for three main tools in a network: delegation of power, group policies and software rollouts (McCarter, 2002). They are discussed in detail as follows.

Delegation of Power

Windows 2000 gives the user the advantage of delegating powers and rights. This helps keep the Domain Administrators group separate from the everyday administrators. Responsibilities of the Domain Administrators can be granted either for specific parts of the network or for specific duties. Delegating powers over different parts of the network is the first step in delegating responsibilities, in contrast to giving control over the entire network. The Active Directory can be divided into Organizational Units, and the responsibility of managing an Organizational Unit can be given to selected LAN administrators.

The security design philosophy can be managed by various means. One way is to put the user base a level below the top of the domain. This allows the segmentation of security powers. Also, LAN administrators do not have any control over the domain controllers. The security of the Active Directory in the network can also be maintained by removing people from crucial built-in groups like the Domain Administrators.
This prevents random and unauthorized LAN administrators from accessing or controlling the Active Directory without proper certification. Security is further enhanced by using a difficult 14-character password for the restricted-access users of the network and storing it in a double-key safe, so that it can only be retrieved by someone who is physically present.

Group Policies

Group policies refer to the security and configuration templates that can be linked to different sites, domains or Organizational Unit containers. Group policies are important in controlling and regulating the Windows 2000 network. With group policies, users can audit logs and policies and run logon and logoff services; group policies also make it possible to implement an encrypted file system. Restrictive policies can also be employed, such as a limitation on using floppy drives. This would prevent data from being taken off the network on diskettes. A password-protected screen saver that becomes activated after sixty seconds of inactivity is also a security measure that can be taken. Within the employee hierarchy, more stringent policies can be applied at the lower levels.

The importance of group policies and the role they play can be demonstrated by an example. If one has to change the registry key values for every client in the organization so that all clients can gain access to a video broadcast of the CEO for the entire organization, a group policy needs to be set up. This group policy has the customized registry changes configured and is applied to every computer in the organization. When the systems are rebooted, all the computers will have been subject to the registry changes. However, if another change needs to be made, it is not necessary that all the computers are rebooted. The options of the group policy can be changed such that the policy is reapplied every half an hour after the computer has been booted.
This way, a change does not necessitate a reboot of the computer (Lowe-Norris, 2000).

Picture Available from: http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/ConfiguringRemoteDesktopIPVirtualization_10AC4/clip_image002_thumb.jpg

Software Rollout

One of the features that the Active Directory provides is the rollout of software through Group policies. Although the software rolled out is usually concerned with easier administration, security software can also be rolled out. This software can be managed through the Active Directory. Examples of such software include antivirus, inventory controls and encryption software. The art of rolling out software through the Active Directory requires skill and simplicity.

Microsoft offered a completely novel network operating system when it revealed Windows 2000 and the Active Directory. Such a system not only allows powers to be delegated to different parts of the network, but also allows for constructing a more manageable network where security is strong and incorporated in the administration process. The Active Directory plays an integral role in managing security in Native Windows 2000. The domains can be constructed and organized in a way that meets the security requirements of each network. By giving partial or full delegation of portions of the network and varying administration authority, the Active Directory allows greater security by limiting access to Administrator groups.

ACCESS CONTROL LISTS

Each object has its own Access Control List (ACL). Active Directory implements Access Control Lists on two levels: the resource or object level and the object attribute level. This gives the administrator greater control over what information users can access. Active Directory makes use of industry-standard authentication mechanisms like Kerberos, SSL and smart cards (Suhanovs, 2008).
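
The object-level and attribute-level entries described here are also what implement the Organizational Unit delegation covered under Delegation of Power. The following PowerShell is an added example, not part of the original paper: it lists the explicit (non-inherited) write-type entries on one OU so that delegated rights can be reviewed. It assumes the RSAT ActiveDirectory module; the function name, the OU distinguished name and the list of expected principals are hypothetical placeholders.

```powershell
# Added example (not from the paper). Assumes the RSAT ActiveDirectory module
# and read access to the directory; the OU name used below is a placeholder.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-OuDelegationFinding {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        # Principals expected to hold write access; tune this for your domain.
        [string] $ExpectedPattern = '(\\(Domain Admins|Enterprise Admins)|^NT AUTHORITY\\SYSTEM|^BUILTIN\\Administrators)$'
    )

    # Write-type rights only. The Generic* values are left out on purpose:
    # they are composite masks that share bits with plain read access.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner'

    # The AD: drive is provided by the ActiveDirectory module.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
            $_.IdentityReference.Value -notmatch $ExpectedPattern
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      # An empty ObjectType GUID means the entry covers the whole
                      # object; otherwise it is scoped to one attribute, property
                      # set or child class.
                      @{ n = 'Level';     e = { if ($_.ObjectType -eq [guid]::Empty) { 'whole object' } else { "scoped to $($_.ObjectType)" } } },
                      @{ n = 'AppliesTo'; e = { $_.InheritanceType } }
}

# Hypothetical OU; every row returned is an explicit grant worth confirming.
Get-OuDelegationFinding -OuDn 'OU=Branch,DC=example,DC=com' | Format-Table -AutoSize
```

Default entries for built-in operator groups may appear in the output; whether they belong in the expected list is a decision for the domain's administrators.
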
The ACL model offers maximum security for managing objects throughout the forest. However, this flexibility goes hand in hand with complexity. The object's ACL is initially created from the default ACL for the object's class, inherited permissions and permissions that are directly applied on the object. An ACL is a collection of Access Control Entries (ACE). An ACE comprises two main elements: the identity it is given to and the level of access. The ACE therefore defines the permissions and characteristics that can be used by the security principal on the object to which the ACL is applied. Dictating these permissions and populating the ACL is the foundation of Active Directory security and delegation (Hunter & Allen, 2008).

One does not have to make separate user groups and accounts; the groupings in Active Directory Users and Computers can be used. Moreover, the security groups are mail-enabled (Mason et al., 2001). The default permission for any user on a group policy is confined to Read and Apply Group Policy. The exception is the Domain administrators, Enterprise administrators and SYSTEM groups, which are not given the Apply Group Policy right so that they are not themselves limited by the policy (Craft, 2001).

Picture Available from: https://buildsecurityin.us-cert.gov/bsi/504-BSI/version/default/part/ImageData/data/Application_Firewalls-5.png

WINDOWS 2000 SINGLE LOG ON

The Windows 2000 single log on demonstrates how the Active Directory can play a role in secure logging in. There is a single account store in the Active Directory. Along with an integrated Kerberos v5 logon, there is a protected store for public key credentials. Moreover, there are industry standard protocols in effect that contribute to the security of the application. A smart card is inserted into the reader and is activated with a PIN. The private key on the card authenticates the user to the Key Distribution Center (KDC).
The KDC then returns the TGT in a response protected by the user's public key certificate. The account control option requires that a smart card is used for logon by the user (Brundrett, n.d.). The Windows 2000 domain controller regulates the interaction between the KDC and the Windows 2000 Active Directory.

WINDOWS 2000 SCHEMA

Windows 2000 Active Directory is a database that focuses on objects; it comprises individual instances of different object classes. The Schema is an outline for the Active Directory. It consists of the definitions for the entire range of objects that can be stored in the Active Directory. The Schema defines what objects can be in the database as well as what attributes can be associated with them. The role of the Schema also extends to defining the rules that manage the structure and content of the directory. Without a definition for the object in the Schema, the object cannot exist. The Schema therefore acts as an absolute dictionary that defines what objects can exist.

For an object to exist, a class needs to be present. The class is a blueprint for the object and not only makes it possible for the object to exist, but also assigns certain attributes to the object. Without the class, the Active Directory would not be able to make an object, since the outline or draft for it is not present. Moreover, the class provides the object with a particular location; without the class, the Active Directory cannot locate and access the object. A class has a named collection of properties or qualities. For the class, these specified qualities include the first and the last name, as well as the phone number. As a result, the object will have information for these fields; each object will have certain attributes, like a full name such as John, a last name such as Drake, etc.

The data of the Active Directory is distributed across the domain controllers in a forest; there is no single domain controller that holds all the Active Directory data of the entire forest. However, all domain controllers are provided with a copy of the Schema. The Schema is therefore very important to the Active Directory. If the Schema is somehow rendered non-functional due to corruption, the results can be devastating. The Active Directory would have lost its dictionary and would not be able to locate and identify objects.

Security in the Schema

The Schema is vital to the function of the Active Directory, so Windows 2000 has many methods that serve as safety links. In order to alter the Schema, all the requirements of these safety links, or interlocks, must be fulfilled. Therefore, the administrator does not have to manage the Schema directly. There are four main security protocols that are observed in relation to the Schema:

1. Schema Administrator Permissions

There is a Schema Administrators group that is made at the time of the installation of the Active Directory. It is a built-in group and gives permissions to its members to change the Schema. The administrator account becomes a member of the group automatically. However, this membership is not sufficient to make changes to the Schema. This level of protection is essential in securing the domain against unauthorized people. A further security measure that can be implemented is to ensure that only a handful of people are able to modify the Schema. This also reduces the risk of unauthorized individuals hacking in and corrupting the Schema, thus rendering the Active Directory useless.

2. Schema Floating Single-Master Options

The Active Directory makes use of a multi-master replication system; in contrast to that, the Schema makes use of a single-master system. This gives only one domain controller the authority to change the Schema at a specific time.
The domain controller that is designated as the Schema Master Role is the only one that has the authority to carry out "Write" operations in the schema of the Active Directory. By default, the Schema Master Role is given to the first domain controller in the initial domain. However, it can be changed and given to another domain controller. When the domain controller that has the authority to perform "Write" operations makes a change, the change is then made on all other domain controllers in the forest. There is one Schema Master Role in a forest. Also, regardless of the number of domains that are present in the forest, there is only one Schema.

3. Read-Only Schema Access

All the domain controllers have read-only access to the Schema. This access is granted to them by default when the Active Directory is being installed. However, for a domain controller to write to the Schema, a particular command has to be issued that makes a new DWORD registry entry known as "Schema Update Allowed". A value of 1 will allow the domain controller to access the Schema and write to it, whereas a value of 0 will deny the domain controller write access to the Schema. The authority for allowing or disallowing write access to the Schema should principally rest with the Schema Master Role. Another security measure that needs to be observed is to return access to the Schema to read-only after changes have been made; not doing so will leave the Schema susceptible.

4. Consistency Checks

If changes have been made to the Schema, it is subjected to a number of consistency checks. These consistency checks are not directly concerned with the security of the Schema; they help maintain the stability of the Schema by checking a number of parameters that regulate the class and the attributes associated with it.
There are seven consistency checks that are carried out when a new class is defined in the Schema, whereas six different consistency checks are carried out on new attribute definitions (Rice, 2001).

CONCLUSION

The Active Directory is a Lightweight Directory Access Protocol (LDAP)-based directory service. It is designed to represent all the objects that are associated with corporate technology infrastructure in a logical way (Scambray & McClure, 2007). Todd and Johnson (2001) observe that with Windows 2000, security is integrated into the Active Directory. The integration is achieved by storing security-related information in the Active Directory and by regulating access to the Active Directory through the operating system (Balladelli & Clercq, 2001). Windows 2000 is multi-master, so changes can be made at any given domain controller (DC) in the enterprise regardless of whether the DC is connected to the network or not (Microsoft Support, 2007). The Active Directory provides security to Windows 2000 through delegation of powers, software rollouts, group policies, ACLs and through the Schema.

REFERENCE LIST

Allen, R. & Hunter, L. E., 2006. Active Directory Cookbook. 2nd ed. O'Reilly Media, Inc.
Amini, R., Peiris, C. & Khnaser, E. N., 2006. How to Cheat at Designing Security for a Windows Server 2003 Network. Massachusetts (MA): Syngress.
Balladelli, M. & Clercq, J. D., 2001. Mission-Critical Active Directory: Architecting a Secure and Scalable Infrastructure. Massachusetts (MA): Digital Press.
Brovick, E., Hauger, D. & Wade, W. C., 2001. Windows 2000 Active Directory. Sams Publishing.
Brundrett, P., n.d. Windows 2000 Security Architecture. [Online] Available from: http://www.isoc.org/isoc/conferences/ndss/2000/proceedings/slides/10.ppt [Accessed 30 July 2010].
Craft, M., 2001. Windows 2000 Active Directory. 2nd ed. Massachusetts (MA): Syngress.
Desmond, B., Richards, J., Allen, R. & Lowe-Norris, A. G., 2008. Active Directory. 4th ed. O'Reilly Media, Inc.
Hunter, L. E. & Allen, R., 2008. Active Directory Cookbook. 3rd ed. O'Reilly Media, Inc.
Lowe-Norris, A. G., 2000. Windows 2000 Active Directory. [Online] Available from: http://oreilly.com/catalog/win2000ads/chapter/ch08.html [Accessed 30 July 2010].
Mason, L., Lefkovitz, W. & Wade, W., 2001. Configuring Exchange 2000 Server. Massachusetts (MA): Syngress.
McCarter, L., 2002. Addressing Network Security through Windows 2000 Active Directory: Designing a Single Domain Structure. [Online] Available from: http://www.sans.org/reading_room/whitepapers/win2k/addressing-network-security-windows-2000-active-directory-designing-single-domain-struct_216 [Accessed 17 July 2010].
Microsoft Support, 2007. Windows 2000 Active Directory FSMO roles. [Online] (Updated 23 February 2007) Available from: http://support.microsoft.com/kb/197132 [Accessed 17 July 2010].
Rice, D., 2001. Guide to Securing Microsoft Windows 2000 Schema. [Online] (Updated 6 March 2001) Available from: http://www.nsa.gov/ia/_files/os/win2k/w2k_schema.pdf [Accessed 17 July 2010].
Scambray, J. & McClure, S., 2007. Hacking Exposed Windows: Windows Security Secrets & Solutions. 3rd ed. McGraw-Hill Professional.
Seguis, S., 2008. Microsoft Windows Server 2008 Administration. McGraw-Hill Professional.
Suhanovs, D., 2008. MCTS Configuring Windows Server 2008 Active Directory Study Guide. McGraw-Hill Professional.
Todd, C. & Johnson, N. L., 2001. Hack Proofing Windows 2000. Syngress.
Windows Server TechCenter, 2010. Domain Controller Roles. [Online] (Updated 3 June 2010) Available from: http://technet.microsoft.com/en-us/library/cc786438%28WS.10%29.aspx [Accessed 17 July 2010].
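
The safeguards described under Security in the Schema (a small schema administrators group, a single schema master, and the "Schema Update Allowed" value being returned to read-only after a change) can be checked together. The following PowerShell is an added example, not part of the original paper: the function name is hypothetical, it assumes the RSAT ActiveDirectory module, it uses the group's directory name "Schema Admins", and it reads the value from the NTDS Parameters registry key on the domain controller it runs on.

```powershell
# Added example (not from the paper). Assumes the RSAT ActiveDirectory module;
# run it on a domain controller so the local registry check is meaningful.
Import-Module ActiveDirectory

function Get-SchemaSafeguardStatus {
    $forest = Get-ADForest

    # Single-master: one domain controller per forest holds the schema master role.
    $schemaMaster   = $forest.SchemaMaster
    $isSchemaMaster = $schemaMaster -like "${env:COMPUTERNAME}.*"

    # Members of the built-in group allowed to change the Schema. The group is
    # named "Schema Admins" and lives in the forest root domain.
    $admins = @(Get-ADGroupMember -Identity 'Schema Admins' -Server $forest.RootDomain -Recursive |
        Select-Object -ExpandProperty SamAccountName)

    # "Schema Update Allowed": 1 permits schema writes on this DC, 0 does not.
    # A missing key or value leaves $flag as $null.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $name = 'Schema Update Allowed'
    $flag = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    $findings = @()
    if ($flag -eq 1 -and -not $isSchemaMaster) {
        $findings += 'Schema writes are enabled on a DC that is not the schema master.'
    } elseif ($flag -eq 1) {
        $findings += 'Schema writes are enabled; set the value back to 0 once the change is done.'
    }
    if ($admins.Count -gt 0) {
        $findings += "Schema Admins has $($admins.Count) member(s): $($admins -join ', '). Confirm each one is needed."
    }

    [pscustomobject]@{
        SchemaMaster        = $schemaMaster
        LocalIsSchemaMaster = $isSchemaMaster
        SchemaAdmins        = $admins
        SchemaUpdateAllowed = if ($null -eq $flag) { 'absent' } else { $flag }
        Findings            = $findings
    }
}

Get-SchemaSafeguardStatus | Format-List
```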