S 2.230 Planning of Active Directory administration
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT, Administrator
The Active Directory consists of various objects which are organised in a tree-like structure. Each object has certain attributes that store the object's information. A Windows system of version 2000 or higher is administered by means of these objects, and administration must be performed by an authorised administrator. Authorisations that control access to an object can be assigned to every Active Directory object. This means that it is possible to specify which objects may be changed by which users and in which manner, for example for creating users or resetting user passwords.
In a standard installation of the Windows Server 2000 and Windows 2003 Server operating systems (these two server operating systems are collectively referred to as Windows Server in the following), only administrators have the right to make changes to objects, and therefore to administer a domain. Users are generally granted read privileges at most.
In general, it is also true in Windows Server that the administrative powers of the administrators of a domain end at the boundary of the domain. Only the members of the Enterprise Admins group have full access to all AD objects in every domain of a forest, and this access is allowed regardless of the access rights specified for these objects. The Enterprise Admins are members of the group of administrators of the forest root domain (FRD) by default.
In large domains, it is recommended to delegate the administrative tasks so that the administrative work can be divided between several administrators. Under certain circumstances, it may be advisable to implement the separation of roles as well. Administrative tasks are delegated in the Active Directory by assigning corresponding access rights to Active Directory objects for the corresponding groups of administrators. In this case, the Active Directory rights structure allows highly detailed assignments of rights. It is possible in this manner to allow an administrator to create user accounts and reset user passwords, but not to delete user accounts or move them to other organisational units (OUs). To simplify the process of assigning similar rights throughout an entire subtree, it is also possible for the objects in a subtree to inherit the rights of the object at the top of the subtree. Since it may not be desired under some circumstances to pass inherited rights on to certain objects in the subtree, the inheritance mechanism can also be blocked for certain objects, which means it is entirely possible for complex authorisation distribution scenarios to be created in this manner (see also S 3.27 Training to Active Directory administration).
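The delegation described above (an administrator group that may create user accounts and reset passwords in one OU, but may neither delete nor move them) comes down to two access control entries on the OU. The following is an added example, not part of S 2.230; it assumes the ActiveDirectory PowerShell module on Windows PowerShell 5.1 or later, and the OU, group and domain names are placeholders.

```powershell
# Added example (not from S 2.230). Assumes the ActiveDirectory module (RSAT) and an
# account allowed to change the OU's ACL. OU, group and domain names are placeholders.
Import-Module ActiveDirectory

$ouDn      = "OU=Sales,DC=example,DC=com"   # placeholder: OU whose administration is delegated
$groupName = "Helpdesk-Sales"               # placeholder: group of delegated administrators
$sid       = (Get-ADGroup -Identity $groupName).SID

# Resolve the GUIDs of the "user" class and the "Reset Password" extended right from the
# schema and configuration partitions instead of hard-coding them.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
$userGuid  = [guid]$userClass.schemaIDGUID
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" -Properties rightsGuid
$resetGuid = [guid]$resetRight.rightsGuid

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: create child objects of class "user" on this OU only. No delete right is granted, so the
# group cannot delete accounts; moving an object needs a delete right on it, so that is excluded too.
$createUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# ACE 2: the "Reset Password" extended right, inherited only by user objects below the OU
# (inheritedObjectType = user class), not by groups, computers or sub-OUs.
$resetPasswords = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl.AddAccessRule($createUsers)
$acl.AddAccessRule($resetPasswords)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back the explicit entries for the group: this is what the delegation documentation
# must record for this OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```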
From a security perspective, it is necessary to take the following aspects into account when planning the Active Directory administration:
- If delegation is used, then administrators should only be granted the absolute minimum rights necessary to perform the administrative tasks delegated to them.
- The delegation model and the rights assignments resulting from the model must be documented.
- The administrative tasks should be delegated so that there is no overlapping. If tasks do overlap, then it is possible for two administrators to make contradictory changes. This would then lead to replication conflicts, in which case Windows Server automatically resolves the conflict by implementing only one of the changes. However, it does not issue any warnings in this case. It is therefore recommended to design the administration model so that there is no overlapping of responsibilities, if this is possible. This helps to reduce the risk of replication conflicts. If replication conflicts are expected or have already occurred, then the values should be examined manually at regular intervals and always after making important changes to ensure the right values are in effect. Whether or not it makes sense under certain circumstances from an organisational perspective to introduce an evidence database containing the Active Directory target data must be decided on a case-by-case basis.
- When the administration of the Active Directory is delegated, delegation is achieved by assigning the corresponding access rights within the Active Directory. The inheritance mechanism is generally used in this case to administer the authorisations to objects in subtrees. However, complex delegation scenarios, and therefore complex rights inheritance schemes, should be avoided at all costs, because otherwise it is easy to open up security gaps. A security gap can be created if a user does not have enough rights or if a user has too many rights, for example.
- A concept for membership in the various administrative groups must be developed. In particular, the concept should define all conditions and procedures specifying if, when, and for how long a user or a user group will be a member of an administrative group. It is especially necessary in this case to ensure that membership in the Enterprise Admins group is granted restrictively and monitored. If the organisational procedure allows it, then consideration can be given to removing all members from this group after establishing the domain structure and only adding members to it when needed and in conjunction with the application of the two-person rule. However, it must be taken into account that a member of the Enterprise Admins group is always needed when it is necessary to create a new domain in the forest.
- The administrators must be informed of and correspondingly trained in the Active Directory structure and the organisational procedures they need to follow in the framework of performing their administrative tasks. This must be done to prevent non-conforming changes from resulting in security gaps. For example, it may be necessary when creating a new user to add the new user to the corresponding security groups or even create a new security group with a special name. If this is overlooked, some users may have the wrong authorisations under some circumstances.
- If the domain is large, consideration should be given to supporting administration with suitable tools. Various commercial and free tools exist that make Active Directory administration easier. If such tools are used, then it must be ensured that the Active Directory is administered only using these tools.
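The documentation of the rights assignments that result from the delegation model, and the search for places where inheritance has been blocked, can be produced from the directory itself by collecting the explicit (non-inherited) ACEs of every OU. This is an added example, not part of S 2.230; it assumes the ActiveDirectory PowerShell module, and the list of default trustees and the output file name are placeholders to be adjusted.

```powershell
# Added example (not from S 2.230). Assumes the ActiveDirectory module and an account that can
# read OU security descriptors. The CSV path is a placeholder.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Map object-type GUIDs to names so the report is readable: schema classes and attributes
# (schemaIDGUID) and extended rights such as "Reset Password" (rightsGuid).
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = '<all>' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[$_.rightsGuid] = $_.displayName }
function Resolve-Guid([guid]$g) {
    if ($guidMap.ContainsKey($g.Guid)) { $guidMap[$g.Guid] } else { $g.Guid }
}

# Trustees that hold explicit ACEs on every OU by default; hide them to see only delegations.
# Extend this list to match the default OU ACL of your own domain.
$defaultTrustees = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', "$((Get-ADDomain).NetBIOSName)\Domain Admins"

$blocked = New-Object System.Collections.Generic.List[string]
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    # An OU that blocks inheritance is not reached by rights granted higher in the tree.
    if ($acl.AreAccessRulesProtected) { $blocked.Add($ou.DistinguishedName) }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $defaultTrustees -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-Guid $ace.ObjectType          # attribute, class or extended right
            InheritedBy = Resolve-Guid $ace.InheritedObjectType # object class the ACE is inherited by
            Inheritance = $ace.InheritanceType
        }
    }
}

$report | Sort-Object OU, Trustee | Format-Table -AutoSize
$report | Sort-Object OU, Trustee | Export-Csv -Path .\ad-delegation-report.csv -NoTypeInformation
Write-Host "OUs that block inheritance:"
$blocked
```

Comparing this report against the documented delegation model, at regular intervals and after important changes, shows rights that were granted outside the model and OUs where inheritance no longer applies.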
Review questions:
- In large domains: Are the administrative tasks distributed in the Active Directory according to a delegation model so that there is no overlapping?
- Are all administrative task areas and authorisations documented?