Planning a Microsoft Windows 2000 Administrative Structure - PowerPoint PPT Presentation

About This Presentation
Title: Planning a Microsoft Windows 2000 Administrative Structure

Description: Authorizing Remote Installation Services (RIS) and DHCP servers in Active Directory ... Restrict access to Terminal Services to administrative personnel only ... – PowerPoint PPT presentation

Number of Views: 36
Avg rating: 3.0/5.0
Slides: 35
Provided by: higheredM

Transcript and Presenter's Notes

1
Planning a Microsoft Windows 2000 Administrative
Structure
  • Designing default administrative group membership
  • Designing custom administrative groups local
    security authority (LSA) functionality
  • Designing secure administrative access
  • Designing secondary access
  • Designing Telnet administration
  • Designing Terminal Services administration

2
Planning Administrative Group Membership
  • Designing default administrative groups
  • Designing custom administrative groups

3
Default Administrative Groups
  • Domain Local Groups
    • Administrators
    • Account Operators
    • Server Operators
    • Print Operators
    • DHCP Administrators
    • DnsAdmins
    • WINS Admins
    • Pre-Windows 2000 Compatible Access
    • Replicators

4
Default Administrative Groups (Cont.)
  • Local Groups
    • Power Users
    • Backup Operators

5
Default Administrative Groups (Cont.)
  • Global Groups
    • Domain Admins
    • Group Policy Creator Owners
    • DnsUpdateProxy

6
Default Administrative Groups (Cont.)
  • Universal Groups
    • Enterprise Admins
    • Schema Admins

7
Assessing Administrative Group Membership Design
  • Poor administrative group design negatively
    impacts network security.
  • Security is compromised if administrative group
    membership is not controlled.

8
Auditing Group Membership
  • Use Microsoft Windows 2000 auditing and periodic
    manual audits to verify group membership against
    the documented membership.
  • The requirements of the network determine which
    administrative groups are audited.
  • Audits are achieved by:
    • Performing regularly scheduled manual inspections
    • Using third-party products

9
Using Restricted Groups to Maintain Group
Memberships
  • Use the Restricted Groups option within Group
    Policy to predefine memberships within groups.
  • If members are added or deleted, membership is
    re-established based on the Group Policy.
  • Apply the Restricted Groups option at the site,
    domain, or OU level.
  • The Restricted Groups option provides two forms
    of protection for a defined group:
    • Protects membership in the group
    • Limits the groups that the restricted group can
      be a member of

10
Making the Decision: Assessing Administrative
Group Design
  • Determine exactly who must be a member of each
    administrative group.
  • Do not grant membership to a group that provides
    excess privileges.
  • Use the Restricted Groups option to ensure that
    only approved membership is maintained.
  • Ensure that membership is audited for these
    groups.
  • Scrutinize membership in the forest root domain's
    Domain Admins group.
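As an added illustration of slides 8 to 10 (not part of the presentation), the script below parses the [Group Membership] section of a Windows 2000 security template in the format Restricted Groups consumes and reports where a snapshot of current membership has drifted from the documented membership. The template text, the HANSON domain, its account names and the membership snapshot are all constructed for the example.

```python
import re

# Constructed security template fragment in the secedit format Restricted
# Groups uses: "<group>__Members" lists who may be in the group and
# "<group>__Memberof" what it may belong to; *S-1-5-32-551 is Backup Operators.
TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
HANSON\\Domain Admins__Memberof =
HANSON\\Domain Admins__Members = Administrator
*S-1-5-32-551__Memberof =
*S-1-5-32-551__Members = HANSON\\adm-sconroy,HANSON\\adm-khightower
"""

# Constructed snapshot of current membership; smasters is not documented.
CURRENT = {
    "HANSON\\Domain Admins": {"Administrator", "HANSON\\smasters"},
    "*S-1-5-32-551": {"HANSON\\adm-sconroy"},
}

def parse_restricted_groups(template):
    """Return {group: {"Members": set, "Memberof": set}} from [Group Membership]."""
    groups, section = {}, None
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Group Membership" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = re.fullmatch(r"(.+)__(Members|Memberof)", key)
        if match:
            group, kind = match.groups()
            entries = {v.strip() for v in value.split(",") if v.strip()}
            groups.setdefault(group, {"Members": set(), "Memberof": set()})[kind] = entries
    return groups

def audit_membership(template, current):
    """Report the drift Restricted Groups would correct at the next policy refresh."""
    findings = {}
    for group, spec in parse_restricted_groups(template).items():
        actual = current.get(group, set())
        findings[group] = {"remove": sorted(actual - spec["Members"]),
                           "add": sorted(spec["Members"] - actual)}
    return findings
```

Run `audit_membership(TEMPLATE, CURRENT)` to see the undocumented member of Domain Admins flagged for removal and the missing Backup Operators member flagged for re-adding.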

11
Applying the Decision: Defining Administrative
Groups at Hanson Brothers
  • Administrative roles
    • Stephanie Conroy: Performs backups and Group
      Policy management
    • Derek Graham: Manages Domain Name System (DNS)
      and Dynamic Host Configuration Protocol (DHCP)
    • Steve Masters: Manages all user accounts,
      excluding administrative accounts
    • Kim Hightower: Restores network backups
    • Yvonne Schleger: Manages schema design
    • Eric Miller: Manages backup and restore, share
      management, and services

12
Designing Custom Administrative Groups
13
Determining When to Create Custom Groups
  • Determine exactly what rights are required by a
    specific account.
  • Use custom groups to delegate specific rights to
    an account, rather than provide the account with
    excess privileges.
  • The Enterprise Admins universal group has a large
    number of rights in the forest root domain.
  • Membership in the Enterprise Admins group is
    required to perform specific security tasks in a
    Windows 2000 forest.

14
Enterprise Admins Group Security Tasks
  • Creating new domains and new domain controllers
    (DCs) in the forest
  • Authorizing Remote Installation Services (RIS)
    and DHCP servers in Active Directory
  • Installing Enterprise Certification Authorities
  • Managing sites and subnets

15
Making the Decision: Creating Custom
Administrative Groups
  • Determine that an existing administrative
    security group does not meet security
    requirements.
  • Determine what rights are required by the custom
    administrative groups.
  • Determine if the necessary administrative rights
    can be delegated.
  • Determine what objects are accessed by the
    permissions.
  • Create a domain local group that will be assigned
    the desired permissions and rights.

16
Applying the Decision: Creating Custom
Administrative Groups at Hanson Brothers
17
Securing Administrative Access to the Network
  • Designing secure administrative access
  • Designing secondary access
  • Designing Telnet administration
  • Designing Terminal Services administration

18
Administrative Access Methods
  • Require smart card logon.
  • Restrict which workstation administrators can
    log on to.
  • Configure logon hours.
  • Enforce strong passwords.
  • Rename the default administrator account.

19
Requiring Smart Card Logon
20
Restricting Administrative Access
21
Making the Decision: Securing Administrative
Access
  • Restrict administrative access to specific
    workstations.
  • Protect administrative passwords.
  • Protect the administrator account from being
    compromised.

22
Applying the Decision: Securing Administrative
Access at Hanson Brothers
  • Rename the administrator account.
  • Create dedicated administrative accounts.
  • Protect administrative accounts.

23
Designing Secondary Access: Understanding the
RunAs Service
24
Making the Decision: Implementing the RunAs
Service
  • The RunAs service does not provide facilities for
    smart card logon.
  • There are several ways to launch the RunAs
    service.
  • Use a standard prefix for administrative
    accounts.
  • Create a usage policy for administrative accounts
    on the network.

25
Applying the Decision: Implementing the RunAs
Service at Hanson Brothers
  • Administrative tasks can be performed without
    logging on to the administrative account.
  • Define a policy that requires all administrative
    users to use the RunAs service to launch
    administrative tasks.
  • Ensure that no administrative users require smart
    card logon, because the RunAs service does not
    support smart cards.

26
Designing Telnet Administration
  • Windows 2000 includes the Telnet Service to
    perform remote administration from the command
    line.
  • The Telnet Service can run only text-based
    utilities, such as scripts and batch files.
  • Use the RunAs command or Terminal Services to run
    utilities requiring GUI interfaces.
  • By default, Telnet uses clear text for
    transmitting authentication and screen data.
  • NTLM authentication can exclude UNIX clients from
    accessing the Telnet Service.
  • Use IPSec to encrypt all transmitted data.

27
Making the Decision: Implementing Telnet Service
  • All management commands can be performed from a
    text-based utility.
  • Consider using NTLM authentication to protect the
    authentication credentials transmitted to Telnet
    Services.
  • Use IPSec to encrypt all data transmitted between
    the client and server.

28
Applying the Decision: Implementing Telnet
Service at Hanson Brothers
  • Telnet can be used only for text-based utilities.
  • Telnet must not be configured to use NTLM for
    authentication because one administrator is using
    a UNIX SPARC workstation.
  • IPSec must be configured to encrypt all
    administrative Telnet sessions.

29
Designing Terminal Services Administration
30
Assessing Terminal Services Administration:
Application Mode
  • Allows multiple connections by regular user
    accounts that have been granted Terminal Services
    access in Active Directory Users And Computers.
  • Additional security can be configured by applying
    the Notssid.inf security template.

31
Assessing Terminal Services Administration:
Remote Administration Mode
  • Configure Terminal Services to run in Remote
    Administration mode.
  • Limits the server to two concurrent connections.
  • Only members of the Administrators group are
    allowed to connect to the terminal server.

32
Making the Decision: Using Terminal Services
Administration
  • Use Terminal Services to:
    • Limit which utilities can be run by a Terminal
      Services client
    • Restrict access to Terminal Services to
      administrative personnel only
    • Secure transmission of data between the Terminal
      Services client and the terminal server
    • Prevent excess rights to domain controllers
  • Determine Terminal Services access based on
    individual user permission.
  • Allow access to Terminal Services from the widest
    range of platforms.

33
Applying the Decision: Implementing Terminal
Services at Hanson Brothers
  • Restrict Terminal Services to administrators by
    using Remote Administration mode.
  • Deploy Terminal Services Advanced Client to allow
    clients running other OSs, but using Microsoft
    Internet Explorer, to perform administrative
    tasks in the Windows 2000 domain.
  • Use Terminal Services Advanced Client for the
    administrator using a UNIX SPARC workstation.

34
Chapter Summary
  • Assessing administrative group membership
  • Designing custom administrative groups
  • Securing administrative access to the network
  • Designing secondary access
  • Designing Telnet administration
  • Designing Terminal Services administration