S 3.27 Training on Active Directory administration
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
The Active Directory is the central database of the Windows 2000 Server and Windows Server 2003 operating systems (referred to collectively in the following as Windows Server); user data, group memberships, and other administrative data are stored in this database. Clients running Windows 2000 or later can be administered via the Active Directory.
Detailed knowledge of the Active Directory and its basic concepts is required for the administration of a Windows network. Otherwise, it is easy to create faulty configurations that may have a serious impact on security. It is therefore essential to provide administrators with training in this area, and especially on Active Directory security issues.
Training course content
Depending on the size and complexity of the network, the administration of an Active Directory will generally be performed by a whole group of administrators with special tasks and spheres of activity instead of by a single administrator. This means that not all administrators of an Active Directory will require the same kind of training. However, in order to guarantee secure operations, every administrator will need to have sufficient basic knowledge in order to place his/her own tasks within the overall context.
Training content should in every case cover and explain the key points set out below. The depth to which a given administrator will need to study the individual aspects depends on the type of work he/she will be performing.
Basic information
- Overview of the security mechanisms of Windows Server
- New features of the security mechanisms of current Windows client operating systems (taking into consideration any changes made by new operating system versions or current service packs)
- Security administration (MMC, Security Editor, GPMC)
- Active Directory and DNS
- Trust relationships between domains
- Physical protection required by all domain controllers, as they hold the Kerberos data
Active Directory
- General: planning, configuration, administration
- Schema administration
- Replication
- Backup
- Assignment of rights
- Authentication
- Group policies
Public Key Infrastructure (PKI)
- Operation of a PKI
- Certificates and certificate types
- Planning of a PKI
- Setting up a PKI
- Administrating a PKI
- User interaction with the PKI
EFS (Encrypting File System)
- Method of operation of the EFS
- Configuration of the EFS (recovery agent, certificates)
- Key backup
- Protection of files stored in encrypted form during network communications
IPSec
- Method of operation of IPSec
- Configuration of IPSec
- Handling ipsecmon.exe or an IPSec monitor offered by a third-party vendor
WFP (Windows File Protection)
- Method of operation of WFP
- Configuration options offered by WFP
DFS (Distributed File System)
- Method of operation of the DFS
- Administration of the DFS
- Planning the DFS structure
- Protection of the data accessible via DFS
The individual Active Directory topics are described in more detail below:
Schema administration
It is not normally necessary for an administrator to change the Active Directory schema for a specific installation. Training can therefore be limited to describing the problems and effects of schema changes.
If individual changes to the schema will be needed, additional training on the internal details of the Active Directory is required.
Replication of the Active Directory
- Mechanisms used for replication of the Active Directory (RPC and SMTP)
- Default parameters for the replication of Active Directory content
- Problems relating to local administration of AD arising from replication conflicts
Backup
- Problems associated with creating backups of the Active Directory
- Restoring backups on a domain controller
- Safeguards to be implemented in case domain controllers holding FSMO roles fail
Assigning rights in the Active Directory
- Assignment of access rights to AD objects at the attribute level
- Inheritance of access rights and blocking of inheritance
- Possible access rights
- Delegation of administrative tasks at the level of individual OUs
Authentication
- Kerberos
- PKI
- Smart cards
Group policies
- Local group policies and the group policies stored in the Active Directory
- Configuration capabilities using group policies
- When will group policies apply? How can they be configured accordingly?
- Group policy objects (GPOs) are objects in the Active Directory
- Group policy objects can be associated with sites / domains / OUs
- Order in which the group policies are processed
- Options for controlling the application of group policies:
  - Granting of access rights to group policies
  - No Override property of the link between a group policy object and an AD object
  - Block Policy Inheritance property of AD objects
- Options for selective application of the group policies in Windows XP:
  - Security filters
  - WMI filters
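The precedence rules behind the processing order, No Override (Enforced) and Block Policy Inheritance items above are easy to get wrong in practice. The following Python model is an added example, not part of this safeguard text; it resolves the effective GPO application order for a constructed site/domain/OU chain (all container and GPO names are made up, and security or WMI filters are not modelled).

```python
"""Model of Group Policy precedence across the Local/Site/Domain/OU chain.
Added example, not part of the safeguard text; all names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str
    # (gpo_name, enforced) pairs in application order: the last pair listed
    # on a container has link order 1 and wins within that container.
    links: list = field(default_factory=list)
    block_inheritance: bool = False   # "Block Policy Inheritance" set here


def resolve_gpo_order(chain, local_gpo="Local GPO"):
    """chain: containers from the site down to the target OU.
    Returns GPO names in application order (later entries win conflicts):
      1. Local policy, then Site, Domain, OU ... (LSDOU).
      2. Block Inheritance drops non-enforced GPOs linked above that
         container; the local GPO is not a link and is kept.
      3. Enforced (No Override) links ignore blocking and are applied last,
         in reverse hierarchy order, so the highest enforced GPO wins.
    """
    normal, enforced_by_level = [], []
    for container in chain:
        if container.block_inheritance:
            normal = []          # discard everything inherited from above
        level_enforced = []
        for gpo, enforced in container.links:
            (level_enforced if enforced else normal).append(gpo)
        enforced_by_level.append(level_enforced)
    order = [local_gpo] + normal
    for level in reversed(enforced_by_level):
        order.extend(level)
    return order


def winning_gpo(chain):
    """The GPO whose settings prevail on any conflict for this chain."""
    return resolve_gpo_order(chain)[-1]


# Constructed chain: Block Inheritance on OU:Servers silently removes the
# domain password-policy link, yet the enforced domain baseline still wins.
SAMPLE_CHAIN = [
    Container("Site:HQ", [("Site-Baseline", False)]),
    Container("Domain:corp.example", [("Domain-Password-Policy", False),
                                      ("Domain-Security-Baseline", True)]),
    Container("OU:Servers", [("Servers-Hardening", False)], block_inheritance=True),
    Container("OU:Servers/Web", [("Web-Config", False), ("Web-Lockdown", True)]),
]
```

One caveat the model does not reflect: the account policies (password, lockout, Kerberos) that apply to domain accounts are always taken from GPOs linked at the domain level, so an OU-level override of those settings only affects local accounts on the member computers.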
Review questions:
- Have all administrators received training on how to work with the Active Directory?
- Are the administrators familiar with all security mechanisms and aspects of Active Directory covered by their scope of activities?