Active Directory Objects Flashcards
DCs have 4 main partitions:
- domain directory - users, groups and network resources for the domain
- configuration directory - forests, domains and domain trees
- schema directory - controls the objects and attributes that can exist in an AD. Network resources stored in AD are known as AD objects and consist of users, groups, computers, security policies, printers, contacts and other network devices.
- application directory - part of DNS and stores AD-integrated zones (not replicated by the global catalog)
User accounts
also known as security principals
3 user accounts are created by default in a new domain:
Administrator
Guest
HelpAssistant
InetOrgPerson class
used in LDAP and X.500 directory services to represent users in an organization; users on any platform can obtain directory information from LDAP
Scope identifies how the group is applied to the domain or forest; there are three scopes:
domain local - permissions applied only within the domain
global - any domain in the forest
universal - can include other groups and accounts from any domain tree or forest
2 types of groups in AD DS - distribution and security.
Distribution lists cannot be added to DACLs (Discretionary Access Control Lists)
additional groups can be added by Account Operators, Domain Admins, Enterprise Admins
Each computer account has the following components:
SAM (Security Accounts Manager) account name
DNS suffix - DNS host name
SPN (Service Principal Name)
DNS name is the full name of the computer, e.g.:
bsalt.internal.mesacounty.us
UPN
User Principal Name
(login name and suffix), e.g.:
linz.th@mesacounty.us
where mesacounty.us is the UPN suffix
Can import and export objects into AD DS two ways:
LDIFDE - utility allows you to import/export AD objects along with passwords; files are saved with a .ldf extension
CSVDE - AD objects but not passwords
Requires membership in the Admin group to perform this function
AD LDS doesn't require a DC or DNS server
can be used to sync with directory servers and for data management
cmd.exe prompt syntax:
ldifde [-i] [-f filename] [-s servername] [-z]
[-b username domain password] [-h]
ldifde syntax options
-i = specifies an import function
-v = enables verbose mode
-u = Unicode format
-t port = specifies the LDAP port; default is 3889 and global catalog default is 3268
-j path = path of the log file
-s servername = server to bind with
-f filename = filename
-k = ignore errors during the import (constraint violation and object-already-exists errors)
-c FromDN ToDN = replaces all occurrences of FromDN with ToDN; this is used to replace the distinguished name of the export domain with that of the import domain when importing data from one domain to another
csvde syntax options
-f filename = filename
-j path = save a log file during import, e.g. -j "C:\folder"
-d RootDN = root of the LDAP search for data export
-r filter = creates an LDAP search filter for exporting data
-p scope = search scope: base, onelevel or subtree
-l list = list of attributes to export (if not specified, all attributes are returned)
-o list = list of attributes to be omitted
-m = omits attributes that apply only to AD objects
-n = binary values should not be exported
-a UserDistinguishedName Password = user name and password to use during import
-b Username Domain Password = username, domain and password to use during import
Using OUs
can reduce the number of domains used
Process for creating one includes:
assigning the OU owner
creating account and resource OUs
designing its structure
Assigning the OU owner
the forest owner assigns an OU owner in a domain. Owners manage data and control a subtree of objects in AD DS. The owner governs functions (how to delegate admin control, apply policies to objects within the OU), can create new subtrees and delegate admin control to them.
Creating account and resource OUs
Account OUs include users, groups and all computer objects. Resource OUs are created to provide autonomy to the management of data and computer equipment. Best practice is to create two separate OU structures in the domain.
Resource OUs do not contain any default child OUs
Designing the OU structure
documenting the structure is important: list the names of the OUs, type, owners and origin.
Add an OU using cmd.exe:
dsadd
dsadd ou OrganizationalUnitDN
ie: dsadd ou "OU=Tellers,DC=EasyNomadTravel,DC=com"
Three configurations you can apply to a group:
- modifying group membership
- changing the group type
- changing the group scope
dsmod group GroupDN -addmbr MemberDN
use -addmbr to add a member to the group from the cmd.exe dsmod command:
dsmod group "CN=US Info,OU=Managers,DC=EasyNomadTravel,DC=com"
-addmbr "CN=Jennifer Westlein,CN=Users,DC=EasyNomadTravel,DC=com" -secgrp no
use the -secgrp parameter to set security group yes or no. Same form as above: dsmod group GroupDN -secgrp {yes|no}
change scope parameter: L, G or U
domain local, global or universal
dsmod group GroupDN -scope {L|G|U}
If you are on a global catalog server, you can only go from a universal to a local scope
Group policies (GPOs) can:
- modify permissions on a file system
- modify permissions on a registry object
- change settings in the registry
- change assignment of user rights
- configure and audit event logs
- set account and password policies
Applied on three levels:
Domain level - specifies common user security requirements, such as account and password policies, which are applied on all the servers present in the domain (user account and password)
Baseline level - specifies server security requirements that are applied to all the servers in a domain structure (user accounts, account policy); applied to users and computers in a domain
Role-specific level - specifies the security requirements for specific server roles.
GPO default configuration:
password policy
account lockout policy
Kerberos policy
Password policies contain the following options:
1 enforce a password history (0 to 24; default 24)
2 configure a max password age (42 days default)
3 configure a min password age (1 day default)
4 configure a min password length (7 default)
5 ensure that a password meets complexity requirements
6 store passwords using reversible encryption - passwords can be easily retrieved, which is a security consideration
5 Kerberos policy settings:
enforce user logon restrictions
max lifetime for service ticket - 600 minutes by default
max lifetime for user ticket (TGT) - 10 hours by default
max lifetime for user ticket renewal (TGT) - 7 days by default
max tolerance for computer clock synchronization - 5 minutes by default
AD DS in 2008 has two new object classes:
Password Settings Object - a PSO has attributes that are used to define all the password settings, except Kerberos, for the default domain policy
Password Settings Container - the PSC contains the PSOs (Password Settings Objects) for a domain and is an object class created by default under the System container in the domain. You cannot modify an existing PSC but you can create additional custom PSCs
PSOs have 3 lockout policies:
reset account lockout counter after,
account lockout threshold,
account lockout duration
PSO links (2 attributes):
1 msDS-PSOAppliesTo attribute - contains a forward link to user or group objects; a multivalued attribute that enables you to apply a PSO to multiple users or groups. Use it to apply one password policy to different sets of users or groups.
2 msDS-PSOApplied attribute - backward link to the PSO. Added to user and group objects in 2008 to enable them to have multiple PSOs applied to them.
RSoP - Resultant Set of Policy
msDS-ResultantPSO is computed from the PSOs applied to a user or group to determine the RSoP
A PSO sets priority by using msDS-PasswordSettingsPrecedence
Has a default integer value > zero
A lower value gets a higher priority
Can determine the resultant PSO of a user or group:
directly - based on global group membership; the lowest value takes precedence
indirectly - a PSO is linked to groups of which the user is a member. If no PSO is obtained by using the direct method, the default domain policy is applied to obtain a resultant PSO
each PSO should be set with its own unique value at time of creation
if multiple PSOs with the same value are obtained, then the PSO with the smallest globally unique identifier (GUID) is applied to the user.
By default, account lockout policies are
set to 30 minutes for lockout duration and the reset account lockout counter; local and domain policy defaults are the same
To configure and manage fine-grained password policies in AD - two tools:
AD Users and Computers console
ADSI Edit tool - Active Directory Services Interface Editor - adsiedit.msc
choose CN=Password Settings Container, which is where all the PSO objects for the domain are stored
With a GPO you can:
- manage the desktop that displays to users and reduce support calls and total cost of ownership (TCO) by locking down the desktops
- install and manage software
- manage the running state of services
- redirect the My Documents folder
- configure Internet Explorer options and security settings
- automate administrative tasks by using logon, logoff, startup and shutdown scripts
Each GPO has 2 sets of administrative templates:
computer settings
user settings
Administrative templates identify where registry-based policy settings are stored in the registry.
On the DC this is known as the GPT (Group Policy Template), which is stored in the SYSVOL shared folder and enables configuration of group policy settings.
2 types of GPOs
apply according to security needs, roles and location of users and computers
the last applied GPO takes precedence if there is a conflict; for conflicts between user and computer settings, the computer setting wins
Local (LGPO) - apply only to the computer where they are located; usually used where there is no AD DS or to apply a specific group policy to a specific computer.
2008 server feature allows multiple LGPOs on the same computer, applying to different users on the same computer.
AD GPOs - apply to all users and computers in the AD container where they are linked. Can apply the GPO to specific OUs or sites, or to all users and computers in a domain
GPOs are processed in this order
(GPMC - Group Policy Management Console)
- LGPOs
- GPOs linked to the site
- domain-level GPOs
- GPOs linked to OUs
Exceptions: they are only applied if the speed of data transfer between a computer and the DC is 500 kbps or higher. A broken link can keep a GPO from being applied. 2008 uses NlaSvc (Network Location Awareness Service) to detect slow networks and when a computer loses its connection to the DC
Credential caching - when a user logs on locally instead of to the domain, GPOs are not applied
GPO default processing order can be changed by:
changing the link order (link 1 is processed last)
blocking inheritance
specifically enforcing particular policies - can cause security risks, so test first
using GPO filtering (WMI filters)
disabling GPOs - can be done by site, domain or OU, and can choose only user or only computer settings
using loopback processing - ensures computer policies are applied regardless of user policies
GPCO members
do not have rights to link GPOs to containers
In 2008, registry policy settings are stored in ADMX files,
which are XML based. They replace the ADM files used in previous versions of the server. Requires a Vista or higher client
Files can be stored in a central location in the domain accessible to anyone with rights to create or edit GPOs
ADMX or ADML files need to be manually added to the SYSVOL folder if a change is made on the local machine
To GPOs you can add the following options:
- disabling mobile storage devices (USB, MP3 players, cameras)
- controlling the functionality of specific Windows features
- adding or modifying registry keys
- modifying Windows security
Security template
doesn't introduce new security settings but organizes them.
text-based file with a .inf extension
contains all public key policies and security attributes.
Can be used with the Security Configuration and Analysis snap-in to examine a system for security holes or policy violations.
Security Templates define:
- Account Policies
- Local Policies
- Event Log settings
- Restricted Groups
- System Services Settings
- File and Registry permissions
Predefined templates are stored in the systemroot\security\templates directory
Windows 2008 doesn't provide predefined security templates, but you can download and install GPOAccelerator to obtain the ones that were included in previous versions
Predefined security templates include:
- Default Security (setup security.inf) - cannot be applied to DCs
- DC Default - DCsecurity.inf - applied when a server becomes a DC; use the Security Configuration and Analysis snap-in or the secedit command-line tool.
- Compatible - compatws.inf - applies to Administrators, Power Users and Users
- Secure - secure*.inf - sends only NT LAN Manager v2 (NTLMv2) responses and configures servers to refuse LAN Manager responses
- Highly Secure - hisec*.inf - secures data transmissions between server message block (SMB) clients and servers by imposing strict restrictions on the levels of encryption and authentication; a superset of the secure*.inf templates
cmd syntax for the secedit tool:
secedit /configure /db filename [/cfg filename] [/overwrite] [/areas Area1 Area2 ...] [/log filename] [/quiet]
use the tool to apply security templates to the local computer, analyze, export, validate
/configure - configures local computer security by applying the settings stored in a database
ie:
secedit /configure /db database1.sdb /cfg template1.inf /overwrite /quiet
/db = database name; /cfg = specifies a template to be imported into the db before the computer is configured
/overwrite = clears the db before import. If not on the command line, settings will accumulate in the db; if there is a conflict, template settings take precedence.
/areas = security areas to be applied to the system. If not on the command line, settings defined in the db will be applied to the system. To specify multiple areas, separate them with a space
/log filename = if not specified on the command line, configuration data is automatically logged to scesrv.log in %windir%\security\logs
/quiet = process runs without prompting
4 phases of software deployment:
preparation, deployment, maintenance, and removal. You can use group policy (gpedit.exe) to manage each phase