Module 9: Securing Administration

Contents:
Lesson 1: Delegate Administrative Permissions
Lab A: Delegate Administration
Lesson 2: Audit Active Directory Administration
Lab B: Audit Active Directory Changes
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=11&FontSize=3&FontType=segoe
07/06/13
Objectives
After completing this module, you will be able to:
- Delegate administrative permissions.
- Audit Active Directory administration.
Objectives
After completing this lesson, you will be able to:
- Describe the business purpose of delegation.
- Assign permissions to Active Directory objects using the security editor user interfaces and the Delegation of Control Wizard.
- View and report permissions on Active Directory objects by using user interface and command-line tools.
- Reset the permissions on an object to its default.
- Describe the relationship between delegation and OU design.
Understand Delegation
...user accounts, but not to accounts used for administration or service accounts. Therefore, the delegation is said to be scoped to standard user accounts.

All Active Directory objects, such as the users, computers, and groups you created in the previous module, can be secured by using a list of permissions. Therefore, you can give your help desk permission to reset passwords on user objects. The permissions on an object are called access control entries (ACEs), and they are assigned to users, groups, or computers, which are also known as security principals. ACEs are saved in the object's discretionary access control list (DACL). The DACL is a part of the object's ACL, which also contains the system access control list (SACL) that includes auditing settings.

The delegation of administrative control involves assigning permissions that manage access to objects and properties in Active Directory. Just as you can give a group the ability to change files in a folder, you can give the group the ability to reset passwords on user objects.
Note: If Advanced Features is disabled, you will not see the Security tab in an object's Properties dialog box.

5. Click Advanced.
Property Permissions, Property Sets, Control Access Rights, and Object Permissions
The DACL of an object allows you to assign permissions to specific properties of an object. For example, you can allow (or deny) permission to change phone and email options. This is, in fact, not just one property; it is a property set that includes multiple specific properties. Using property sets, you can easily manage permissions to commonly used collections of properties. But you could assign more granular permissions and allow or deny permission to change just the mobile telephone number or the street address.

Permissions can also be assigned to control access rights, such as changing or resetting a password. The difference between those two control access rights is important. If you have the right to change a password, you must know and enter the current password before making the change. If you have the right to reset a
Demonstration: Assign a Permission by Using the Advanced Security Settings Dialog Box
Demonstration Steps
1. Enable Advanced View in the Active Directory Users and Computers console.
2. Open Advanced Security Properties of the user account object.
3. Delegate permission to reset the password.
...that administrative task.

Child objects inherit the permissions of the parent container or OU. That container or OU in turn inherits its permissions from its parent container or OU. If it is a first-level container or OU, it inherits the permissions from the domain itself. The reason child objects inherit permissions from their parents is that, by default, each new object is created with the Include inheritable permissions from this object's parent option enabled.

However, note that, as the option indicates, only inheritable permissions will be inherited by the child object. Not all permissions are inheritable. For example, the permission to reset passwords, when assigned to an OU, would not be inherited by group objects because group objects do not have a password attribute. So, inheritance can be scoped to specific object classes: passwords are applicable to user objects, not groups. Additionally, you can use the Apply To box of the Permission Entry dialog box to scope the inheritance of a permission. The conversation can start to get very complicated. What you should know is that, by default, new objects inherit inheritable permissions from their parent object, usually an OU or a container.

What if the permission that is being inherited is not appropriate? You can do the following three things to modify the permissions that a child object is inheriting:

First, you can disable inheritance by deselecting the Include Inheritable Permissions From This Object's Parent option in the Advanced Security Settings dialog box.
When you do, the object will no longer inherit any permissions from its parent; all permissions will be explicitly defined for the child object. This is generally not a good practice, because it creates an exception to the rule that is created by permissions of parent containers.

The second option is to allow inheritance, but to override the inherited permission with a permission assigned specifically to the child object, an explicit permission. Explicit permissions always override permissions that are inherited from parent objects. This has an important implication: an explicit permission that allows access will actually override an inherited permission that denies the same access. The rule (Deny) is being defined by a parent, but the child object has been configured to be an exception (Allow).

Finally, you can change the scope of inheritance on the parent permission itself by changing the option in the Apply To drop-down list in the Permission Entry dialog box. In most cases, this is the best practice. What you are doing, in effect, is defining the security policy in the form of the ACL more accurately at its source, rather than trying to override it further down the tree.
Demonstration Steps
1. Run Delegation of Control Wizard on an OU.
2. Delegate permissions to reset the password and force a password change on the OU level.
dsacls.exe "ou=User Accounts,dc=contoso,dc=com"

DSACLS can also be used to set permissions to delegate. Type dsacls.exe /? for help regarding the syntax and utilization of DSACLS.
dsacls "ou=User Accounts,dc=contoso,dc=com" /s /t
Effective permissions are the resulting permissions for a security principal, such as a user or group, based on the cumulative effect of each inherited and explicit ACE. Your ability to reset a user's password, for example, may be due to your membership in a group that is allowed the Reset Password permission on an OU several levels above the user object. The inherited permission assigned to a group to which you belong results in an effective permission of Allow: Reset Password. Your effective permissions can be complicated when you consider Allow and Deny permissions, explicit and inherited ACEs, and the fact that you may belong to multiple groups, each of which may be assigned different permissions.

To calculate effective permissions for a specific user or group on an Active Directory object, or on a file or folder, you can follow this simple procedure:

1. Right-click the object, file or folder, click Properties, and then click the Security tab.
2. Click Advanced, click the Effective Permissions tab, and then click Select.
3. In Enter the object name to select, enter the name of a user or group, and then click OK. The selected check boxes indicate the effective permissions of the user or group for that file or folder.
...ACEs to individual users or computers. A permission that has been assigned directly to you, the user, is neither more important nor less important than a permission assigned to a group to which you belong.

Allow permissions, which allow access, are cumulative. When you belong to several groups, and those groups have been granted permissions that allow a variety of tasks, you will be able to perform all of the tasks assigned to all of those groups, as well as tasks assigned directly to your user account.

Deny permissions, which deny access, override equivalent Allow permissions. If you are in one group that has been allowed the permission to reset passwords, and another group that has been denied permission to reset passwords, the Deny permission prevents you from resetting passwords.

Note: It is unnecessary to assign Deny permissions. If you do not assign an Allow permission, users cannot perform the task. Before assigning a Deny permission, check to see if you could achieve your goal by removing an Allow permission instead. Use Deny permissions rarely. For example, if you want to delegate an Allow permission to a group, but exempt only one member from that group, you can use a Deny permission on that specific user account while the group will still have Allow permission.
Each permission is granular. Even if you have been denied the ability to reset passwords, you may still have the ability, through other Allow permissions, to change the user's logon name or email address.

In this lesson, you learned that child objects inherit the inheritable permissions of parent objects by default, and that explicit permissions can override inheritable permissions. This means that an explicit Allow permission will actually override an inherited Deny permission.

Unfortunately, the complex interaction of user, group, explicit, inherited, Allow, and Deny permissions can make evaluating effective permissions tedious. You can use the permissions reported by the DSACLS command or on the Permissions tab of the Advanced Security Settings dialog box to begin evaluating effective permissions, but it will be a manual task.
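The following PowerShell script is an added example, not part of the course, that reads the same DACL the DSACLS command reports, but through the ActiveDirectory module's AD: drive, and labels each entry the way this lesson describes: explicit or inherited, Allow or Deny, and which right or attribute it covers and which descendant object class it applies to. It assumes the RSAT ActiveDirectory module is installed and uses the lab's User Accounts OU; the GUID table holds the standard Active Directory values for the Reset Password and Change Password control access rights and the user object class (these come from the schema, not from the page).

```powershell
# Added example (not from the course): report the ACEs on an OU, resolving the
# well-known GUIDs this module talks about so the output reads like the lesson.
Import-Module ActiveDirectory

# Standard AD rights / class GUIDs (schema values, not lab-specific).
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'      # User-Force-Change-Password
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'     # User-Change-Password
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
}

function Get-OuDelegationReport {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Principal   # optional filter, e.g. 'CONTOSO\Help Desk'
    )
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }

        # ObjectType = the right or attribute the ACE covers; InheritedObjectType = the
        # descendant class it is scoped to (the "Apply To" choice in the UI).
        $right = $KnownGuids[$ace.ObjectType.ToString()]
        if (-not $right) { $right = $ace.ObjectType.ToString() }
        $appliesTo = $KnownGuids[$ace.InheritedObjectType.ToString()]
        if (-not $appliesTo) { $appliesTo = $ace.InheritedObjectType.ToString() }

        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType            # Allow or Deny
            Source     = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            Rights     = $ace.ActiveDirectoryRights         # ExtendedRight, WriteProperty, CreateChild, ...
            ObjectType = $right
            AppliesTo  = $appliesTo
            Inherit    = $ace.InheritanceType               # None, All, Descendents, ...
        }
    }
}

# Usage: explicit entries first and Deny before Allow, because those are the entries
# that decide the outcome: Deny beats an equivalent Allow, and an explicit ACE
# overrides an inherited one.
Get-OuDelegationReport -DistinguishedName 'OU=User Accounts,DC=contoso,DC=com' |
    Sort-Object Source, @{Expression = 'Type'; Descending = $true}, Principal |
    Format-Table -AutoSize
```

Run it as a user who can read the OU's security descriptor. Filtering with -Principal 'CONTOSO\Help Desk' gives the list the lab asks for in Exercise 2 ("List the permissions assigned to Help Desk") without having to scroll the Permission Entries dialog box, and an entry whose AppliesTo is not the user class is the first thing to check when a delegated right turns out to reach objects it should not.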
OUs are, as you now know, administrative containers. They contain objects that share similar requirements for administration, configuration, and visibility. You now understand the first of those requirements: administration. Objects that administrators administer should be contained within a single OU. By placing your users in a single OU, perhaps called User Accounts, you could delegate the help desk permission to change all users' passwords by assigning one permission to one OU. Any other permissions that affect what an administrator can do to a user object would be assigned in the User Accounts OU. For example, you might allow your Human Resources managers to disable user accounts in the event of an employee's termination. You would delegate that permission, again, to the User Accounts OU.

Remember that administrators should be logging on to their systems with user credentials and launching administrative tools with the credentials of a secondary account that has appropriate permissions to perform administrative tasks. Secondary accounts are the administrative accounts of the enterprise. It is not appropriate for the front-line help desk to be able to reset passwords on such privileged accounts, and you probably would not want Human Resources managers to disable administrative accounts. Therefore, administrative accounts should be administered differently than normal user accounts. That's why you would have a separate OU, such as Admins, for administrative user objects, which would be delegated quite differently than the User Accounts OU.

Similarly, you might delegate to the desktop support team the ability to add computer objects to an OU called Client Computers, which contains your desktops and laptops, but not to the Servers OU, where only the Server Administration group has permissions to create and manage computer objects.

The primary role of OUs is to scope delegation, applying permissions to objects and sub-OUs. When you design an Active Directory environment, you always begin by designing an OU structure that makes delegation efficient: a structure that reflects the administrative model of your organization. Rarely does object administration in Active Directory look like your organizational chart. Typically, all normal user accounts are supported the same way, by the same team; so, user objects are often found in a single OU or a single OU branch. Quite often, an organization that has a centralized help desk function to support users will also have a centralized desktop support function. In this case, all client computer objects would be within a single OU or a single OU branch. But if desktop support is decentralized, it is likely that the Client Computers OU would be divided into sub-OUs representing geographic locations. Each location would be delegated to allow the local support team to add computer objects to the domain in that location.

Design OUs first to enable the efficient delegation of objects in the directory. After you have achieved that design, you can refine the design to facilitate the configuration of computers and users through Group Policy.

Also, you can consider placing access permissions groups within separate OUs. As a best practice, access permissions groups should be placed in OUs that deny read permissions to standard users so that these groups do not appear in search results when standard users search the directory. Using this approach, you can make these groups visible only to administrators and people who can manage their group membership.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Lab Scenario
The enterprise security team at Contoso, Ltd has asked you to lock down the administrative permissions delegated to support personnel.
In this exercise, you will delegate permission to the help desk to unlock user accounts, reset passwords, and force users to change passwords at the next logon. This permission will scope only to standard user accounts and will not allow the help desk to change passwords of administrative accounts. You will also delegate permission to the User Account Admins group to create and delete user accounts, as well as full control over user accounts.

The main tasks for this exercise are as follows:
1. Create security groups for role-based management.
2. Delegate control of user support with the Delegation of Control Wizard.
3. Delegate permission to create and delete users with the Access Control List Editor interface.
4. Validate the implementation of delegation.
Task 2: Delegate control of user support with the Delegation Of Control Wizard.
Task 3: Delegate permission to create and delete users with the Access Control List Editor interface.
1. Turn on the Advanced Features view of the Active Directory Users and Computers snap-in.
2. Right-click the User Accounts OU, and then click Properties. Click the Security tab, and then click Advanced.
3. Add permissions that give User Account Admins the ability to create and delete users and full control over user objects. Be careful to limit the Full Control permission to descendant user objects only.
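As an added example (not the lab's own steps), here is the delegation from Tasks 1 to 4 done from the command line with dsacls.exe, the tool the lesson introduces for reporting and setting permissions, instead of the wizard and the ACL editor. The group names and the OU are the lab's. The Groups OU path, and the mapping of "unlock" and "force change at next logon" onto read/write access to the lockoutTime and pwdLastSet attributes, are this example's assumptions.

```powershell
# Added example (not from the course): Exercise 1 of Lab A with dsacls.exe.
Import-Module ActiveDirectory

$ou = 'OU=User Accounts,DC=contoso,DC=com'
$groupsOu = 'OU=Groups,DC=contoso,DC=com'      # assumed location for the role groups

# Task 1: role-based management groups.
New-ADGroup -Name 'Help Desk'           -GroupScope Global -Path $groupsOu
New-ADGroup -Name 'User Account Admins' -GroupScope Global -Path $groupsOu

# Task 2: Help Desk support rights. /I:S scopes each entry to descendant objects only,
# and the trailing ";user" limits it to the user class, so the entries never apply to
# the OU itself, to groups or computers, and (because admin accounts live in a
# different OU) never to administrative accounts.
dsacls $ou /I:S /G 'CONTOSO\Help Desk:CA;Reset Password;user'   # reset password (control access right)
dsacls $ou /I:S /G 'CONTOSO\Help Desk:RPWP;pwdLastSet;user'     # force password change at next logon
dsacls $ou /I:S /G 'CONTOSO\Help Desk:RPWP;lockoutTime;user'    # unlock account

# Task 3: User Account Admins may create and delete user objects in the OU and its sub-OUs ...
dsacls $ou /I:T /G 'CONTOSO\User Account Admins:CCDC;user'
# ... and get full control (GA) over descendant user objects only, not over the OU.
dsacls $ou /I:S /G 'CONTOSO\User Account Admins:GA;;user'

# Task 4: validate. This is the same report the lab reads in Exercise 2; check that
# every Help Desk entry is scoped to "user" and that nothing lands on the OU itself.
dsacls $ou

# Exercise 4 equivalent (undo everything above): reset the OU and its subtree to the
# schema-defined default ACL. Left commented out because it removes all delegation.
# dsacls $ou /S /T
```

The reason to keep the three Help Desk entries separate rather than granting one broad Write permission is the one the lesson makes about granularity: each entry can later be reported, audited and removed on its own, and the dsacls report makes the scope of each visible without opening the Permission Entry dialog box.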
3. Confirm that you can reset the password for Jeff Ford, in the Employees OU, and that you can force him to change his password at the next logon.
9. Close Active Directory Users and Computers.
2. Right-click the User Accounts OU, and then click Properties. Click the Security tab, and then click Advanced.
...permissions were assigned in the Permission Entries list? List the permissions assigned to Help Desk.

From the command prompt, use DSACLS to report the permissions assigned to the User Accounts OU. Type the following command, and then press Enter.

dsacls "ou=User Accounts,dc=contoso,dc=com"
1. Right-click the User Accounts OU, and then click Properties. Click the Security tab, and then click Advanced.
Question: Do you see the Reset Password in this list?

3. In the Employees OU, right-click the user account for Aaron Lee, and then click Properties. Click the Security tab, and then click Advanced.
Results: In this exercise, you confirmed that the permissions you assigned in the previous exercise were applied successfully.
1. Right-click the User Accounts OU, and then click Properties. Click the Security tab, and then click Advanced.
2. Sort so that permissions are displayed according to the group to which they are assigned.
3. Remove the permissions assigned to Help Desk.
1. Right-click the User Accounts OU, and then click Properties. Click the Security tab, and then click Advanced.
Results: In this exercise, you have reset the permissions on the User Accounts OU to its schema-defined defaults.
Note: Do not shut down the virtual machine after you finish this lab, because the settings you have configured here will be used in the subsequent lab.

Who can reset user passwords?
What can XXX do as an administrator?

Question: What is the impact of resetting the ACL of an OU back to its schema-defined default?
Objectives
After completing this lesson, you will be able to:
Just as the Audit Object Access policy allows you to log attempts to access objects, such as files and folders, the Audit Directory Service Access policy allows you to log attempts to access objects in Active Directory. The same basic principles apply. You configure the policy to audit Success or Failure, followed by configuring the SACL of the Active Directory object to specify the types of access you want to audit.

As an example, if you want to monitor changes to the membership of a security-sensitive group, such as Domain Admins, you can enable the Audit Directory Service Access policy to audit Success events. Then, you can open the SACL of the Domain Admins group and configure an auditing entry for successful modifications of the group's Members attribute. In fact, in Windows Server 2008, the default configuration is to audit Success events for Directory Service Access and audit all changes to the Domain Admins group!

In Windows Server 2003 and Windows 2000 Server, you could audit directory service access, and you would be notified that an object, or the property of an object, had been changed, but you could not identify the previous and new values of the attribute that had changed. For example, an event could be logged indicating that a particular user changed an attribute of Domain Admins, but you could not easily identify which attribute was changed, and there was no way to determine from the audit log exactly what change was made to that attribute.

Windows Server 2008 adds an auditing category called Directory Service Changes. The important distinction between Directory Service Changes and Directory Service Access is that with Directory Service Changes auditing, you can identify the previous and current values of a changed attribute.

Directory Service Changes is not enabled in Windows Server 2008 by default. Instead, Directory Service Access is enabled to mimic the auditing functionality of previous versions of Windows. To enable auditing of successful Directory Service Changes, open a command prompt on a domain controller and enter this command.
auditpol /set /subcategory:"directory service changes" /success:enable
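The following PowerShell is an added example, not part of the course, that carries the two halves of the procedure described above through on a domain controller: the policy half with auditpol, and the SACL half by adding a Success auditing entry for writes to the member attribute of Domain Admins, which is the entry the text says to configure in the group's SACL. It assumes the RSAT ActiveDirectory module and Domain Admins rights (Set-Acl on a SACL needs the security privilege). The GUID is the standard schema value of the member attribute, not a value from the page; Everyone is used as the audited identity so that every writer is recorded.

```powershell
# Added example (not from the course): enable Directory Service Changes auditing and
# audit successful writes to the member attribute of Domain Admins.
Import-Module ActiveDirectory

# 1. Audit policy: the same command the lesson gives, then read the setting back.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"    # expect "Success" in the output

# 2. Object SACL: Success audit of WriteProperty on 'member', for Everyone.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the member attribute
$group = Get-ADGroup 'Domain Admins'
$path  = 'AD:\' + $group.DistinguishedName
$acl   = Get-Acl -Path $path -Audit                          # -Audit pulls the SACL as well as the DACL

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
    -ArgumentList $everyone,
                  ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
                  ([System.Security.AccessControl.AuditFlags]::Success),
                  $memberAttr
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: list the auditing entries on the group, naming the attribute we care about.
(Get-Acl -Path $path -Audit).Audit |
    Select-Object IdentityReference, AuditFlags, ActiveDirectoryRights,
        @{ Name = 'Attribute'
           Expression = { if ($_.ObjectType -eq $memberAttr) { 'member' } else { $_.ObjectType } } } |
    Format-Table -AutoSize
```

Once both halves are in place, a membership change produces the Directory Service Changes events the next topic describes; with only the policy enabled and no SACL entry, or the other way round, nothing is logged, which is the most common reason an expected audit entry is missing.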
- To identify access that is out of character for a particular account, which might be a sign that a user account has been breached by a hacker.
After you enable the desired audit policy setting and specify the access you want to audit by using object SACLs, the system begins to log access according to audit entries. You can view the resulting events in the Security Log of the server. Open the Event Viewer console from Administrative Tools. Expand Windows Logs, and select Security Log.

When Directory Service Changes auditing is enabled and auditing entries are configured in the SACL of directory service objects, events are logged to the Security Log that clearly indicate the attribute that was changed and the change made. In most cases, event log entries will show the previous and current value of the changed attribute.
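The following PowerShell script is an added example, not part of the course, of reading those Security Log entries without the Event Viewer console. It reduces each Directory Service Changes event (event ID 5136, "A directory service object was modified", a standard Windows event ID rather than a value from the page) to who made the change, when, which object and attribute, what value, and whether the value was added or removed. The sample event XML is constructed for offline testing; the Get-WinEvent call at the end does the live read on a domain controller.

```powershell
# Added example (not from the course): parse Directory Service Changes (5136) events.

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # 5136 records a single value per event as a message-table reference:
        # %%14674 = Value Added, %%14675 = Value Deleted.
        $op = switch ($d.OperationType) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $d.OperationType }
        }
        [pscustomobject]@{
            Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
            Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object    = $d.ObjectDN
            Class     = $d.ObjectClass
            Attribute = $d.AttributeLDAPDisplayName
            Value     = $d.AttributeValue
            Operation = $op
        }
    }
}

# Constructed sample: the event Lab B's Exercise 2 produces when Stuart Munson is added
# to Domain Admins (field names are the real 5136 names; values are made up for the lab).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2013-06-07T10:15:00.0000000Z"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserName">Pat.Coleman_Admin</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=contoso,DC=com</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="AttributeLDAPDisplayName">member</Data>
    <Data Name="AttributeValue">CN=Stuart Munson,OU=Employees,OU=User Accounts,DC=contoso,DC=com</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
ConvertFrom-DsChangeEvent $sample | Format-List

# Live use on a domain controller: the most recent change events, membership changes only.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 50 |
    ForEach-Object { $_.ToXml() } |
    ConvertFrom-DsChangeEvent |
    Where-Object { $_.Attribute -eq 'member' } |
    Format-Table Time, Who, Object, Value, Operation -AutoSize
```

A modification that replaces a value shows up as a Value Deleted event followed by a Value Added event for the same object and attribute, which is how the "previous and current value" the text mentions appears in the log; reading both lines together is what gives you the before and after.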
Note: The content in this topic is specific to Windows Server 2008 R2.
In Windows Vista and Windows Server 2008, the number of auditable events is expanded from nine to 53, which enables an administrator to be more selective in the number and types of events to audit. However, unlike the nine basic Windows XP events, these new audit events are not integrated with Group Policy and can only be deployed by using logon scripts generated with the Auditpol.exe command-line tool. This was somewhat inconvenient because several tools were used to manage auditing.

In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a local computer, domain, site, or OU. Windows Server 2008 R2 and Windows 7 make it easier for IT professionals to track when precisely defined, significant activities take place on the network.

Audit policy enhancements in Windows Server 2008 R2 and Windows 7 allow administrators to connect business rules and audit policies. Using these new policies, you can easily configure auditing that will comply with company policy. These new policies for auditing now have a specific node in the Security settings part of Group Policy objects; they are located in Security Settings\Advanced Audit Policy Configuration\Audit Policies. Within this node, there are 10 categories for auditing with several options within each category. At the same time, the legacy audit policy node still exists.
Note: The content in this topic is specific to Windows Server 2008 R2.
To enable object access auditing in previous Windows versions, you had to configure this option in basic audit policies (in GPOs), and also turn on auditing for a specific security principal on the SACL of the object which you wanted to audit. This approach was sometimes not easy to adjust to company policies such as "Log all administrative write activity on servers containing Finance information," because you cannot turn on object access audit logging on the server level but only on the object level.

The new audit category in Windows Server 2008 R2 allows administrators to manage object access auditing in a much wider scope.

With Global Object Access Auditing, administrators can define computer SACLs per object type for either the file system or registry. The specified SACL is then automatically applied to every object of that type.

A global object access audit policy can be used to enforce the object access audit policy for a computer, file share, or registry without configuring and propagating conventional SACLs. Configuring and propagating SACLs is a more complex administrative task, and it is difficult to verify, particularly if you need to verify to an auditor that security policy is being enforced.

Auditors will be able to prove that every resource in the system is protected by an audit policy by just viewing the contents of the Global Object Access Auditing policy
File System
This security policy setting allows you to configure a global SACL on the file system for an entire computer. If you select the Configure security check box, you can add a user or group to the global SACL.
Registry
This security policy setting allows you to configure a SACL on the registry for a computer. If you select the Configure security check box, you can add a user or group to the global SACL. This policy setting must be used in combination with the Registry security policy setting under Object Access.
Note: The content in this topic is specific to Windows Server 2008 R2.
One of the most common auditing needs is to track access to a particular file or folder. There are several events in Windows to audit whenever an object access operation was successful or unsuccessful. The events usually include the user, the object, and the operation, but they lack the reason why the operation was allowed or denied.

However, it is often not enough to know simply that an object such as a file or a folder was accessed by a user. For example, you might need to identify an activity such as a user writing to a file that he or she should not have had access to. You may also want to know why the user was able to access this resource. Windows Server 2008 R2 and Windows 7 improve this forensics analysis by providing additional information about why someone had access to a specific resource. This feature is called Reason for Access auditing (or reporting).

By enabling Reason for Access auditing, in addition to tracking this type of activity, you will also be able to identify the exact ACE that allowed the undesired access. This can significantly simplify the task of modifying access control settings to prevent similar undesired object access in the future.

In Windows Server 2008 R2 and Windows 7, you can obtain this forensic data by configuring the Audit Handle Manipulation setting along with either the Audit File System or Audit Registry audit settings in Advanced Audit Policy Configuration.

In Windows 7 and Windows Server 2008 R2, the reason why someone has been
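The following commands are an added example, not part of the course, that serves both the Global Object Access Auditing topic above and this Reason for Access topic, using auditpol on a single Windows Server 2008 R2 computer. The course configures both through Group Policy; auditpol is the per-computer command-line equivalent and is what you would use to test a setting on one server before putting it in a GPO. The group name CONTOSO\Finance Admins is constructed for the example.

```powershell
# Added example (not from the course): Reason for Access plus a global file-system SACL,
# configured locally with auditpol on one Windows Server 2008 R2 computer.

# Part 1: Reason for Access. Handle Manipulation must be on together with File System
# (or Registry) auditing; with both, the access events carry the ACE that granted access.
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"File System"         /success:enable /failure:enable

# Part 2: Global Object Access Auditing for the file system. The SACL below audits every
# successful and failed write (FW) by members of the group on every file-system object on
# this computer, with no per-folder SACL to configure or propagate. Keep the user scoped
# (a specific admin group, not Everyone): a global write SACL for all users floods the log.
auditpol /resourceSACL /set /type:File /user:"CONTOSO\Finance Admins" /success /failure /access:FW

# What an auditor reads: the global SACL in one place, and the policy that drives the events.
auditpol /resourceSACL /type:File /view
auditpol /get /category:"Object Access"
```

The auditpol settings applied this way are local policy; if the same subcategories are also defined in an applied GPO under Advanced Audit Policy Configuration, the GPO values win at the next refresh, so the local commands are for testing and the GPO is where the setting belongs in production.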
In this demonstration, you will see how to locate and configure Advanced Audit policies.
Demonstration Steps
Start Group Policy Management Console.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman
   Password: Pa$$w0rd
   Domain: Contoso
5. Repeat steps 2-4 for 6425C-NYC-DC2.
Lab Scenario
The administrators at Contoso, Ltd have reported a few times that the membership lists of certain highly privileged groups are inconsistent. The lists included people who should not be members of these groups. One possible reason for the inconsistency could be that the membership list of these groups is changed by following incorrect
Task 1: Confirm that the Domain Admins group is configured to audit changes to its membership.
1. On NYC-DC2, run Active Directory Users and Computers as an
1. Add Stuart Munson (user logon name Stuart.Munson) to the Domain Admins group. Be sure to apply your change.
1. Run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Click Security Log and locate the events that were generated when you added and removed Stuart Munson.

Question: What is the Event ID of the event logged when you made your changes? What is the Task Category?

Question: Examine the information provided on the General tab. Can you identify the following in the event log entry?
- Who made the change?
- When the change was made?
- Which object was changed?
- What type of access was performed?
- Which attribute was changed? How is the changed attribute identified?
- What change was made to that attribute?
Results: In this exercise, you generated and examined Directory Service Access audit entries.
1. On NYC-DC2, run the command prompt as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
2. Type the following command, and then press Enter.

auditpol /set /subcategory:"directory service changes" /success:enable
1. Add Stuart Munson (user logon name Stuart.Munson) to the Domain Admins group. Be sure to apply your change.
1. Run Event Viewer as an administrator, with the user name Pat.Coleman_Admin and the password Pa$$w0rd.
Results: In this exercise, you generated Directory Service Changes auditing entries.

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat these steps for 6425C-NYC-DC2.
Review Questions
Question: How does the Active Directory Users and Computers console indicate that you do not have permissions to perform a particular administrative task?

Question: What is the benefit of a two-tiered, role-based management group structure when assigning permissions in Active Directory?
...members of this group have no other permissions, and that no other users or groups have been delegated the same permissions.

Question: What is the main benefit of using new Advanced Audit Policies?

Troubleshooting tip
Tools
Tool                               Used for                  Where to find it                       Description
Group Policy Management Console    Editing security policy   Administrative Tools
Delegation of Control Wizard                                 Active Directory Users and Computers
Auditpol                                                     Command-line utility