Chapter 4.4 Flashcards
AGDLP
Microsoft’s rule, “Accounts go into Global groups, which go into Domain Local groups, which get Permissions” (AGDLP) applies. This system provides a framework for placing users into Global groups based on their roles; those groups are then assigned to Domain Local groups (which have local resource permissions). This model is scalable and secure.
How does general account prohibition add a layer of safety to an Operating System (OS)?
Default administrator accounts should be disabled after being used to install the Operating System (OS). Systems administrators should have separate accounts for conducting administrative actions. This system helps protect against compromise of administrative accounts.
workflow
A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.
offboarding
Offboarding is the process by which accounts are deleted or disabled. When personnel no longer need access to specific resources, permissions are withdrawn.
UAC
User Account Control (UAC) is a Windows-specific function that prevents users from invoking administrative privileges without specific authorization.
Privilege Bracketing
Privilege bracketing is an account management practice that involves giving users permissions to a resource for the duration of a specific project or need-to-know situation.
In Windows Active Directory, how do Organizational Units (OUs) help account managers designate permissions?
OUs divide a domain into different administrative realms, which allows the domain administrator or account manager to delegate responsibility within different parts of the organization.