Você está na página 1de 31

Security Planning and

Administrative Delegation
Lesson 6

Skills Matrix
Technology Skill

Objective Domain

Objective #

Creating an OU Structure

Maintain Active Directory



Naming Standard
User logon names will typically follow a
corporate naming standard set forth during
the planning stages of an Active Directory
You will usually create a naming standards
document to outline the rules for naming all
Active Directory objects.
This document will specify conventions
such as the number and type of characters
to use when creating a new object in Active

Strong Passwords
Since user names are often easily
guessed, it is essential to have strong
At least eight characters in length.
Contains uppercase and lowercase letters,
numbers, and non-alphabetic characters.
At least one character from each of the
previous character types.
Differs significantly from other previously
used passwords.

Strong Passwords
A strong password should not be left blank or
contain any of the following information:
Your user name, real name, or company
A complete dictionary word.
Windows passwords for Windows Server
2008, Windows Vista, Windows Server 2003
and Microsoft Windows XP clients can be up
to 127 characters in length.

Strong Passwords

If you use group policies to enforce

strong passwords:
Must be at least seven characters.
Must contain three of the four types
(uppercase and lowercase letters,
numbers, and non-alphabetic
Cannot contain your user name or real

Authentication is the process of proving
who you are.
There are multiple methods of
What you know (password or PIN).
Who you are (retinal scan or thumb print).
What you have (smart card).

Some of these methods can be used so

that users no longer need to remember

Smart Card
Smart cards are cards about the size of a
credit card.
Login information can be stored on the
smart card, making it difficult for anyone
except the intended user to use or access
Security operations, such as cryptographic
functions, are performed on the smart card
itself rather than on the network server or
local computer. This provides a higher
level of security for sensitive transactions.

Implementing Smart Cards for Authentication

Smart cards can be used from remote
locations, such as a home office, to
provide authentication services.
The risk of remote attacks using a
username and password is significantly
reduced by smart cards.

Implementing Smart Cards for Authentication

Requires Active
Smart cards for
must be enabled in
the user account

Using Run As from the GUI

From the Start button, navigate to the
application you wish to run.
Press and hold the Shift key and right-click
the desired application.
Select the Run as administrator option.

Administrative Accounts
You should not use an account possessing
administrative privileges for daily tasks, such as
browsing the Web or monitoring email.
Administrative accounts should be reserved for tasks
that require administrator privileges.
Using the Administrator account or an account that is
a member of Domain Admins, Enterprise Admins, or
Schema Admins for daily tasks offers an opportunity
for hackers to attack your network and potentially
cause severe and irreversible damage.
Limiting the use of the Administrator account for daily
tasks, such as email, application use, and access to
the Internet, reduces the potential for this type of

Run as Administrator and Runas Command

The recommended solution for reducing the
risks associated with the Administrator account
is to use a standard user account and the Run
as administrator option in the GUI or the runas
command-line tool when it is necessary to
perform an administrative task.
The Run as administrator or runas option allows
you to maintain your primary logon as a standard
user and creates a secondary session for access
to an administrative tool.
During the use of a program or tool opened using
Run as administrator or runas, your
administrative credentials are valid only until you
close that program or tool.

Run as Administrator and Runas Command

Run as administrator and runas require
the Secondary Logon service to be
The runas command-line tool is not limited
to administrator accounts. You can use
runas to log on with separate credentials
from any account. This can be a valuable
tool in testing resource access

Using Run As from the GUI

If you are using User Account Control, you may
be prompted for administrative credentials when
performing system tasks
You can access the Run as Administrator option
if you by find the program you want to start from
the Start button, and press and hold the Shift
key, right-click the desired application, and
select the Run as administrator option.
You can also use the runas command, such as:
runas /user:lucernepublishing.com\domainadmin
mmc %windir%\system32\dnsmgmt.msc

Organizational Units
Can be created to represent your
companys functional or geographical
Can be used to delegate administrative
control over a containers resources to
lower-level or branch office administrators.
Can be used to apply consistent
configuration to client computers, users
and member servers.

Creating an Organizational Unit

To create an organizational unit, you
would use the Active Directory Users and
Computers console.

Delegation of Control
Creating OUs to support a decentralized
administration model gives you the ability
to allow others to manage portions of your
Active Directory structure, without affecting
the rest of the structure.
Delegating authority at a site level affects
all domains and users within the site.
Delegating authority at a domain level
affects the entire domain.
Delegating authority at the OU level affects
only that OU and its hierarchy.

Delegation of Control
Using the Delegation of Control Wizard,
you utilize a simple interface to delegate
permissions for domains, OUs, or
The interface allows you to specify to
which users or groups you want to
delegate management permissions and the
specific tasks you wish them to be able to
You can delegate predefined tasks, or you
can create custom tasks that allow you to

Delegating Administrative Control of an OU

Open Active Directory Users and
Right-click the object to which you wish to
delegate control, and click Delegate
Click Next on the Welcome to the
Delegation of Control Wizard page.

Delegating Administrative Control of an OU

Delegating Administrative Control of an OU

Delegating Administrative Control of an OU

Verifying and Removing AD Permissions

Must Enable Advanced Features in Active
Directory Users and Computers.
Found in the View menu.

Then right-click an OU or an account and

select Properties.
Select the Security tab.

Verifying and Removing AD Permissions

Moving Objects within Active Directory

Windows Server 2008 allows you to restructure
your Active Directory database by moving leaf
objects such as users, computers, and printers
between OUs, in addition to moving OUs into
other OUs to create a nested structure.
When you move objects between OUs in a
domain, permissions that are assigned directly
to objects remain the same.
Objects inherit permissions from the new OU.
All permissions that were inherited previously
from the old OU no longer affect the objects.

Moving Objects within Active Directory

Windows Server 2008 provides two
methods for moving objects between OUs
in the same domain:
Drag-and-drop within Active Directory
Users and Computers.
If you wish to move multiple objects, press
and hold the Ctrl key while selecting the
objects you wish to move.

Use the Move menu option within Active

Directory Users and Computers.
You can also use the dsmove command.

Creating a naming standards document
will assist in planning a consistent Active
Directory environment that is easier to
Securing user accounts includes
educating users to the risks of attacks,
implementing a strong password policy,
and possibly introducing a smart card
infrastructure into your environment.

As part of creating a secure environment, you
should create standard user accounts for
administrators and direct them to use Run as
administrator or runas when performing
administrative tasks.
When planning your OU structure, consider the
business function, organizational structure, and
administrative goals for your network.
Delegation of administrative tasks should be a
consideration in your plan.

Administrative tasks can be delegated for
a domain, OU, or container to achieve a
decentralized management structure.
Permissions can be delegated using the
Delegation of Control Wizard.
Verification or removal of these
permissions must be achieved through the
Security tab in the Properties dialog box of
the affected container.

Moving objects between containers and
OUs within a domain can be achieved by
using the Move menu command, the dragand-drop feature in Active Directory Users
and Computers, or the dsmove utility from
a command line.