Module 9 - Securing Administration

07/06/13
Module 9: Securing Administration
Module9:SecuringAdministration
Contents: Lesson1: LabA: Lesson2: LabB: DelegateAdministrativePermissions DelegateAdministration AuditActiveDirectoryAdministration AuditActiveDirectoryChanges
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=11&FontSize=3&FontType=segoe
1/67
07/06/13
Today,securityisofhighestpriorityinmostorganizations.Organizationsarenotonly removingtheunnecessaryadministrativeprivilegesthatwereassignedtouserson theirworkstations,butarealsostrivingtolockdownandmanagetheprivilegesgiven toadministratorsthemselves.TomanagethesecurityofActiveDirectory administration,youneedtounderstandhowtodelegatespecificadministrativetasks andauditchangesthataremadetothedirectory.
Objectives
Aftercompletingthismodule,youwillbeableto: Delegateadministrativepermissions.
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=11&FontSize=3&FontType=segoe 2/67
07/06/13
AuditActiveDirectoryadministration.
Lesson 1: Delegate Administrative Permissions
Inpreviousmodules,youlearnedhowtocreateusers,groups,computers,and organizationalunits(OUs).Youalsolearnedtoaccessthepropertiesofthoseobjects. Yourabilitytoperformthoseactionswasdependentonyourmembershipinthe groupswithadministrativeprivilegesinthedomain.Everyuseronthehelpdeskteam neednotbeamemberofthedomainsAdministratorsgrouporotherbuiltingroups justtoresetuserpasswordsandunlockuseraccounts.Instead,youcanenablethe

07/06/13
helpdeskandeachroleinyourorganizationtoonlyperformthetasksrequiredofthe role.Inthislesson,youwilllearntodelegatespecificadministrativetaskswithin ActiveDirectorybychangingtheaccesscontrollists(ACLs)onActiveDirectory objects.
Objectives
Aftercompletingthislesson,youwillbeableto: Describethebusinesspurposeofdelegation. AssignpermissionstoActiveDirectoryobjectsusingthesecurityeditoruser interfacesandtheDelegationofControlWizard. ViewandreportpermissionsonActiveDirectoryobjectsbyusinguserinterfaceand commandlinetools. Resetthepermissionsonanobjecttoitsdefault. DescribetherelationshipbetweendelegationandOUdesign.
Understand Delegation
4/67
07/06/13
Inmostorganizations,thereismorethanoneadministrator,andasorganizations grow,administrativetasksareoftendistributedamongtheadministratorsorsupport organizations.Forexample,inmanyorganizations,thehelpdeskcanresetuser passwordsandunlocktheuseraccountsthatarelockedout.Thiscapabilityofthe helpdeskisadelegatedadministrativetask. Thehelpdeskcannotusuallycreatenewuseraccounts,butcanmakespecific changestoexistinguseraccounts.Thecapabilitythatisdelegatedisspecificor granular. Inmostorganizations,thehelpdesk'sabilitytoresetpasswordsappliestonormal

07/06/13
useraccounts,butnottoaccountsusedforadministrationorserviceaccounts. Therefore,thedelegationissaidtobescopedtostandarduseraccounts. AllActiveDirectoryobjects,suchastheusers,computers,andgroupsyoucreatedin thepreviousmodule,canbesecuredbyusingalistofpermissions.Therefore,you cangiveyourhelpdeskpermissiontoresetpasswordsonuserobjects.The permissionsonanobjectarecalledaccesscontrolentries(ACEs),andtheyare assignedtousers,groups,orcomputers,whicharealsoknownassecurityprincipals. ACEsaresavedintheobjectsdiscretionaryaccesscontrollist(DACL).TheDACLisa partoftheobjectsACL,whichalsocontainsthesystemaccesscontrollist(SACL) thatincludesauditingsettings. Thedelegationofadministrativecontrolinvolvesassigningpermissionsthatmanage accesstoobjectsandpropertiesinActiveDirectory.Justasyoucangiveagroupthe abilitytochangefilesinafolder,youcangivethegrouptheabilitytoreset passwordsonuserobjects.
View the ACL of an Active Directory Object
6/67
07/06/13
EachobjectinActiveDirectoryhasitsownACL.Ifyouhavesufficientpermissions, youcanmodifythepermissionstocontrolthelevelofaccessonaspecificActive Directoryobject.ToviewtheACLonanobject,performthefollowingsteps: 1. 2. 3. 4. OpentheActiveDirectoryUsersandComputerssnapin. ClicktheViewmenuandclickAdvancedFeatures. RightclickanobjectandclickProperties. ClicktheSecuritytab.
7/67
07/06/13
NoteIfAdvancedFeaturesisdisabled,youwillnotseetheSecuritytab inanobjectsPropertiesdialogbox.
5.
ClickAdvanced.
TheSecuritytabshowsaveryhighleveloverviewofthesecurityprincipalsthathave beengivenpermissionstotheobject.However,inthecaseofActiveDirectoryACLs, theSecuritytabisrarelydetailedenoughtoprovidetheinformationyouneedto interpretormanagetheACL.Toseeamoredetailedpermissionlist,clickAdvanced toopentheAdvancedSecuritySettingsdialogbox. TheAdvancedSecuritySettingsdialogboxappears,asshowninthefollowing image.
8/67
07/06/13
ThePermissionspageoftheAdvancedSecuritySettingsdialogboxshowsthe DACLoftheobject.ThescreenshotshowsACEssummarizedonalineofthe Permissionentrieslist.Inthisdialogbox,youdonotseethegranularACEsofthe DACL.Forexample,thepermissionentrythatishighlightedactuallyconsistsoftwo ACEs. ToseethegranularACEsofapermissionentry,selecttheentryandclickEdit. ThePermissionEntrydialogboxappears,detailingthespecificACEsthatmakeup theentry.
9/67
07/06/13
Property Permissions, Property Sets, Control Access Rights, and Object Permissions
10/67
07/06/13
TheDACLofanobjectallowsyoutoassignpermissionstospecificpropertiesofan object.Forexample,youcanallow(ordeny)permissiontochangephoneandemail options.Thisis,infact,notjustonepropertyitisapropertysetthatincludes multiplespecificproperties.Usingpropertysets,youcaneasilymanagepermissions tocommonlyusedcollectionsofproperties.But,youcouldassignmoregranular permissionsandallowordenypermissiontochangejustthemobiletelephone numberorthestreetaddress. Permissionscanalsobeassignedtocontrolaccessrights,suchaschangingor resettingapassword.Thedifferencebetweenthosetwocontrolaccessrightsis important.Ifyouhavetherighttochangeapassword,youmustknowandenterthe currentpasswordbeforemakingthechange.Ifyouhavetherighttoreseta
07/06/13
password,youneednotknowthepreviouspassword. Finally,permissionscanbeassignedtoobjects.Forexample,theabilitytochange permissionsonanobjectiscontrolledbytheAllowModifyPermissionsaccesscontrol entry(ACE).Objectpermissionsalsocontrolwhetheryouareabletocreatechild objects.Forexample,youmightgiveyourdesktopsupportteampermissionsto createcomputerobjectsintheClientComputersOU.TheAllowCreateComputer ObjectsACEwouldbeassignedtothedesktopsupportteamattheOU. YoucanmanagethetypeandscopeofpermissionsbyusingtheObjecttabandthe Propertiestab,andtheApplyTodropdownlistsoneachtab.
Demonstration: Assign a Permission by Using the Advanced Security Settings Dialog Box
12/67
07/06/13
ConsiderthatyouwanttoallowthehelpdesktochangethepasswordonlyonJeff Ford'suseraccount.Inthissection,youwilllearntodoitinthemostcomplicated wayfirst.YouwillassigntheACEontheDACLoftheuserobject.Then,youwilllearn todelegatebyusingtheDelegationofControlWizardfortheentireOUofusers. Finally,youwillseewhythislatterpracticeisrecommended.
Demonstration Steps
EnableAdvancedViewintheActiveDirectoryUsersandComputersconsole. OpenAdvancedSecurityPropertiesoftheuseraccountobject.
13/67
07/06/13
Delegatepermissiontoresetthepassword.
Understand and Manage Permissions with Inheritance
Assigningthehelpdeskpermissiontoresetpasswordsforeachindividualuserobject istedious.But,inActiveDirectory,itisnotagoodpracticetoassignpermissionsto individualobjects.Instead,youshouldassignpermissionsatthelevelof organizationalunits.ThepermissionsyouassigntoanOUwillbeinheritedbyall objectsintheOU.Therefore,ifyougivethehelpdeskpermissiontoresetpasswords foruserobjectsandattachthatpermissiontotheOUthatcontainstheusers,alluser objectswithinthatOUwillinheritthatpermission.Injustonestep,youcandelegate

07/06/13
thatadministrativetask. ChildobjectsinheritthepermissionsoftheparentcontainerorOU.Thatcontaineror OUinturninheritsitspermissionsfromitsparentcontainerOU.Ifitisafirstlevel containerorOU,itinheritsthepermissionsfromthedomainitself.Thereasonchild objectsinheritpermissionsfromtheirparentsisthat,bydefault,eachnewobjectis createdwiththeIncludeinheritablepermissionsfromthisobjectsparentoption enabled. However,notethatastheoptionindicates,onlyinheritablepermissionswillbe inheritedbythechildobject.Notallpermissionsareinheritable.Forexample,the permissiontoresetpasswords,whenassignedtoanOU,wouldnotbeinheritedby groupobjectsbecausegroupobjectsdonothaveapasswordattribute.So, inheritancecanbescopedtospecificobjectclasses:passwordsareapplicabletouser objects,notgroups.Additionally,youcanusetheApplyToboxofthePermission Entrydialogboxtoscopetheinheritanceofapermission.Theconversationcanstart togetverycomplicated.Whatyoushouldknowisthat,bydefault,newobjects inheritinheritablepermissionsfromtheirparentobjectusually,anOUoracontainer. Whatifthepermissionthatisbeinginheritedisnotappropriate?Youcandothe followingthreethingstomodifythepermissionsthatachildobjectisinheriting: First,youcandisableinheritancebydeselectingtheIncludeInheritablePermissions FromThisObjectsParentoptionintheAdvancedSecuritySettingsdialogbox.
07/06/13
Whenyoudo,theobjectwillnolongerinheritanypermissionsfromitsparentall permissionswillbeexplicitlydefinedforthechildobject.Thisisgenerallynota goodpractice,becauseitcreatesanexceptiontotherulethatiscreatedby permissionsofparentcontainers. Thesecondoptionistoallowinheritance,buttooverridetheinheritedpermission withapermissionassignedspecificallytothechildobjectanexplicitpermission. Explicitpermissionsalwaysoverridepermissionsthatareinheritedfromparent objects.Thishasanimportantimplication:anexplicitpermissionthatallowsaccess willactuallyoverrideaninheritedpermissionthatdeniesthesameaccess.Therule (Deny)isbeingdefinedbyaparent,butthechildobjecthasbeenconfiguredtobe anexception(Allow). Finally,youcanchangethescopeofinheritanceontheparentpermissionitselfby changingtheoptionintheApplyTodropdownlistinthePermissionEntry dialogbox.Inmostcases,thisisthebestpractice.Whatyouaredoing,ineffect,is definingthesecuritypolicyintheformoftheACLmoreaccuratelyatitssource, ratherthantryingtooverrideitfurtherdownthetree.
Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard
16/67
07/06/13
YouhaveseenthecomplexityoftheDACLandunderstoodthatmanaging permissionsbyusingthePermissionEntrydialogboxisnotasimpletask.Luckily, thebestpracticeisnottomanagepermissionsbyusingsecurityinterfaces,butusing theDelegationOfControlWizard.Thiswizardallowsyoutodelegateseveral permissionsontheOUlevel,withouteditingtheDACLdirectly,butbyanswering questionsinawizard.However,theresultisthesame.Afterthewizardcompletes,it initiatesascriptthateditstheDACLoftheOU.Thefollowingproceduredetailsthe useofthewizard.
Demonstration Steps
RunDelegationofControlWizardonanOU.
07/06/13
Delegatepermissionstoresetthepasswordandforceapasswordchangeonthe OUlevel.
Report and View Permissions
Thereareseveralotherwaystoviewandreportpermissionswhenyouneedtoknow whocandowhat.YouhavealreadyseenthatyoucanviewpermissionsontheDACL byusingtheAdvancedSecuritySettingsandPermissionEntrydialogboxes. DSACLs(dsacls.exe)isalsoavailableasacommandlinetoolthatreportsondirectory

07/06/13
serviceobjects.Ifyoutypethecommandfollowedbythedistinguishednameofan objectyouwillseeareportoftheobjectspermissions.Forexample,thefollowing commandproducesareportofthepermissionsassociatedwiththeUserAccounts OU:
d s a c l s . e x e" o u = U s e rA c c o u n t s , d c = c o n t o s o , d c = c o m "
DSACLscanalsobeusedtosetpermissionstodelegate.Typedsacls.exe/?forhelp regardingthesyntaxandutilizationofDSACLs.
Remove or Reset Permissions on an Object
19/67
07/06/13
Howdoyouremoveorresetpermissionsthathavebeendelegated?Unfortunately, thereisnoundelegatecommand.Youmustdooneofthefollowing: OpentheAdvancedSecuritySettingsandPermissionEntrydialogboxestoremove permissions. Ifyouwanttoresetthepermissionsontheobjectbacktothedefaults,openthe AdvancedSecuritySettingsdialogboxandclickRestoreDefaults.Thedefault permissionsaredefinedbytheActiveDirectoryschemafortheclassofobject. Afterrestoringthedefaults,youcanreconfiguretheexplicitpermissionsyouwant toaddtotheDACL.
20/67
07/06/13
DSACLsalsoprovidesthe/sswitchtoresetpermissionstotheschemadefined defaults,andthe/tswitchtomakethechangefortheentiretreetheobjectand allofitschildobjects.Forexample,toresetpermissionsonthePeopleOUandall ofitschildOUsandobjects,youwouldenter:
d s a c l s" o u = U s e rA c c o u n t s , d c = c o n t o s o , d c = c o m "/ s/ t
Understand Effective Permissions
Effectivepermissionsaretheresultingpermissionsforasecurityprincipal,suchasa
07/06/13
userorgroup,basedonthecumulativeeffectofeachinheritedandexplicitACE.Your abilitytoresetauserspassword,forexample,maybeduetoyourmembershipina groupthatisallowedtheResetPasswordpermissiononanOUseverallevelsabove theuserobject.Theinheritedpermissionassignedtoagrouptowhichyoubelong resultsinaneffectivepermissionofAllow:ResetPassword.Youreffectivepermissions canbecomplicatedwhenyouconsiderAllowandDenypermissions,explicitand inheritedACEs,andthefactthatyoumaybelongtomultiplegroups,eachofwhich maybeassigneddifferentpermissions. Tocalculateeffectivepermissionsforaspecificuseroragroup,anActiveDirectory object,orforafileorfolder,youcanfollowthefollowingsimpleprocedure: 9. Rightclicktheobject,fileorfolder,clickProperties,andthenclickthe Securitytab. 10. ClickAdvanced,clicktheEffectivePermissionstab,andthenclickSelect. 11. InEntertheobjectnametoselect,enterthenameofauserorgroup,and thenclickOK.Theselectedcheckboxesindicatetheeffectivepermissionsofthe userorgroupforthatfileorfolder.
Permissions,whetherassignedtoyouruseraccountoragrouptowhichyoubelong, areequivalent.Intheend,anACEappliestoyou,theuser.Thebestpracticeisto managepermissionsbyassigningthemtogroups,butitisalsopossibletoassign

07/06/13
ACEstoindividualusersorcomputers.Apermissionthathasbeenassigneddirectly toyou,theuser,isneithermoreimportantnorlessimportantthanapermission assignedtoagrouptowhichyoubelong. Allowpermissions,whichallowaccess,arecumulative.Whenyoubelongtoseveral groups,andthosegroupshavebeengrantedpermissionsthatallowavarietyof tasks,youwillbeabletoperformallofthetasksassignedtoallofthosegroups,as wellastasksassigneddirectlytoyouruseraccount. Denypermissions,whichdenyaccess(),overrideequivalentAllowpermissions.Ifyou areinonegroupthathasbeenallowedthepermissiontoresetpasswords,and anothergroupthathasbeendeniedpermissiontoresetpasswords,theDeny permissionpreventsyoufromresettingpasswords. NoteItisunnecessarytoassignDenypermissions.Ifyoudonotassignan Allowpermission,userscannotperformthetask.BeforeassigningaDeny permission,checktoseeifyoucouldachieveyourgoalbyremovinganAllow permissioninstead.UseDenypermissionsrarely.Forexample,ifyouwantto delegateanAllowpermissiontoagroup,butexemptonlyonememberfrom thatgroup,youcanuseaDenypermissiononthatspecificuseraccountwhile thegroupwillstillhaveAllowpermission.
Eachpermissionisgranular.Evenifyouhavebeendeniedtheabilitytoreset passwords,youmaystillhavetheability,throughotherAllowpermissions,tochange
07/06/13
theuserslogonnameoremailaddress. Inthislesson,youlearnedthatchildobjectsinherittheinheritablepermissionsof parentobjectsbydefault,andthatexplicitpermissionscanoverrideinheritable permissions.ThismeansthatanexplicitAllowpermissionwillactuallyoverridean inheritedDenypermission. Unfortunately,thecomplexinteractionofuser,group,explicit,inherited,Allow,and Denypermissionscanmakeevaluatingeffectivepermissionstedious.Youcanusethe permissionsreportedbytheDSACLscommandoronthePermissionstabofthe AdvancedSecuritySettingsdialogboxtobeginevaluatingeffectivepermissions, butitwillbeamanualtask.
Design an OU Structure to Support Delegation
24/67
07/06/13
OUsare,asyounowknow,administrativecontainers.Theycontainobjectsthatshare similarrequirementsforadministration,configuration,andvisibility.Younow understandthefirstofthoserequirements:administration.Objectsthatadministrators administershouldbecontainedwithinasingleOU.Byplacingyourusersinasingle OUperhapscalledUserAccounts,youcoulddelegatethehelpdeskpermissionto changealluserspasswordsbyassigningonepermissiontooneOU.Anyother permissionsthataffectwhatanadministratorcandotoauserobjectwouldbe assignedintheUserAccountsOU.Forexample,youmightallowyourHuman Resourcesmanagerstodisableuseraccountsintheeventofanemployees termination.Youwoulddelegatethatpermission,again,totheUserAccountsOU. Rememberthatadministratorsshouldbeloggingontotheirsystemswithuser
07/06/13
credentialsandlaunchingadministrativetoolswiththecredentialsofasecondary accountthathasappropriatepermissionstoperformadministrativetasks.Secondary accountsaretheadministrativeaccountsoftheenterprise.Itisnotappropriatefor thefrontlinehelpdesktobeabletoresetpasswordsonsuchprivilegedaccounts, andyouprobablywouldnotwantHumanResourcesmanagerstodisable administrativeaccounts.Therefore,administrativeaccountsshouldbeadministered differentlythannormaluseraccounts.ThatswhyyouwouldhaveaseparateOU, suchasAdmins,foradministrativeuserobjects,whichwouldbedelegatedquite differentlythantheUserAccountsOU. Similarly,youmightdelegatetothedesktopsupportteamtheabilitytoaddcomputer objectstoanOUcalledClientComputers,whichcontainsyourdesktopsandlaptops, butnottotheServersOU,whereonlytheServerAdministrationgrouphas permissionstocreateandmanagecomputerobjects. TheprimaryroleofOUsistoscopedelegationtoapplypermissionstoobjectsand subOUs.WhenyoudesignanActiveDirectoryenvironment,youalwaysbeginby designinganOUstructurethatmakesdelegationefficientastructurethatreflects theadministrativemodelofyourorganization.Rarelydoesobjectadministrationin ActiveDirectorylooklikeyourorganizationalchart.Typically,allnormaluseraccounts aresupportedthesameway,bythesameteamso,userobjectsareoftenfoundina singleOUorasingleOUbranch.Quiteoften,anorganizationthathasacentralized helpdeskfunctiontosupportuserswillalsohaveacentralizeddesktopsupport function.Inthiscase,allclientcomputerobjectswouldbewithinasingleOUora
07/06/13
singleOUbranch.But,ifdesktopsupportisdecentralized,itwouldbelikelytheClient ComputersOUaredividedintosubOUs,representinggeographiclocations.Each locationwouldbedelegatedtoallowthelocalsupportteamtoaddcomputerobjects tothedomaininthatlocation. DesignOUsfirsttoenabletheefficientdelegationofobjectsinthedirectory.After youhaveachievedthatdesign,youcanrefinethedesigntofacilitatethe configurationofcomputersandusersthroughGroupPolicy. Also,youcanconsiderplacingaccesspermissionsgroupswithinseparateOUs.Asa bestpractice,accesspermissionsgroupsshouldbeplacedinOUsthatdenyread permissionstostandarduserssothatthesegroupsdonotappearinsearchresults whenstandarduserssearchthedirectory.Usingthisapproach,youcanmakethese groupsvisibleonlytoadministratorsandpeoplewhocanmanagetheirgroup membership.
Lab A: Delegate Administration
27/67
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
28/67
07/06/13
4.
Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso
5. 6.
OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab09a. RunLab09a_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_AdminwiththepasswordPa$$w0rd.
7. 8. 9.
Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab09a. Repeatsteps24for6425CNYCDC2.
Lab Scenario
TheenterprisesecurityteamatContoso,Ltdhasaskedyoutolockdownthe administrativepermissionsdelegatedtosupportpersonnel.
Exercise 1: Delegate Permission to Create and Support User Accounts
29/67
07/06/13
Inthisexercise,youwilldelegatepermissiontothehelpdesktounlock useraccounts,resetpasswords,andforceuserstochangepasswordsat thenextlogon.Thispermissionwillscopeonlytostandarduseraccounts andwillnotallowthehelpdesktochangepasswordsofadministrative accounts.YouwillalsodelegatepermissiontotheUserAccountAdmins grouptocreateanddeleteuseraccounts,aswellasfullcontroloveruser accounts. Themaintasksforthisexerciseareasfollows: 1. 2. 3. Createsecuritygroupsforrolebasedmanagement. DelegatecontrolofusersupportwiththeDelegationofControlWizard. DelegatepermissiontocreateanddeleteuserswiththeAccessControlList Editorinterface. 4. Validatetheimplementationofdelegation.
Task 1: Create security groups for role-based management.
1.
OnNYCDC2,runActiveDirectoryUsersandComputerswithadministrative credentials.UsetheaccountPat.Coleman_Adminwiththepassword Pa$$w0rd.
30/67
07/06/13
2.
IntheGroups\RoleOU,createthefollowingrolegroups: HelpDesk(globalsecuritygroup) UserAccountAdmins(globalsecuritygroup)
3.
Addthefollowingusers'administrativeaccountstotheHelpDeskgroup.Be carefulnottoaddtheusers'standard,nonprivilegedaccount. AaronM.Painter EllyNkya JulianPrice HollyDickson
4.
Addthefollowingusers'administrativeaccountstotheUserAccountAdmins group.Becarefulnottoaddtheusers'standard,nonprivilegedaccount. PatColeman AprilMeyer MaxStevens
Task 2: Delegate control of user support with the Delegation Of Control Wizard.
31/67
07/06/13
RightclicktheUserAccountsOUandthenclickDelegateControl.Delegateto theHelpDeskgroupthepermissiontoresetuserpasswordsandforceusersto changepasswordsatnextlogon.
Task 3: Delegate permission to create and delete users with the Access Control List Editor interface. 1. TurnontheAdvancedFeaturesviewoftheActiveDirectoryUsersand Computerssnapin. 2. RightclicktheUserAccountsOU,andthenclickProperties.Clickthe Securitytab,andthenclickAdvanced. 3. AddpermissionsthatgiveUserAccountAdminstheabilitytocreateand deleteusersandfullcontroloveruserobjects.BecarefultolimittheFull Controlpermissiontodescendantuserobjectsonly.
Task 4: Validate the implementation of delegation.
1. 2.
CloseActiveDirectoryUsersandComputers. RunActiveDirectoryUsersandComputersasanadministrator,withthe usernameAaron.Painter_AdminandthepasswordPa$$w0rd.
32/67
07/06/13
3.
ConfirmthatyoucanresetthepasswordforJeffFord,intheEmployeesOU, andthatyoucanforcehimtochangehispasswordatthenextlogon.
4. 5.
ConfirmthatyoucannotdisableJeffFord'saccount. ConfirmthatyoucannotresetthepasswordforPatColeman(Admin)inthe AdminIdentitiesOU.
6. 7.
CloseActiveDirectoryUsersandComputers. RunActiveDirectoryUsersandComputersasanadministrator,withthe usernameApril.Meyer_AdminandthepasswordPa$$w0rd.
8.
ConfirmthatyoucancreateauseraccountintheEmployeesOUbycreating anaccountwithyourownfirstandlastname,theusernameFirst.Last,andthe passwordPa$$w0rd.
9.
CloseActiveDirectoryUsersandComputers.
Results:Inthisexercise,youdelegatedtothehelpdeskthepermissiontounlock useraccounts,resetpasswords,andforceuserstochangepasswordsatnext logonthroughthehelpdesk'smembershipintheHelpDeskgroup.Youhavealso delegatedfullcontrolofuserobjectstoUserAccountAdminsgroup.And,you testedbothdelegationstovalidatetheirfunctionality.
Exercise 2: View Delegated Permissions

07/06/13
Inthisexerciseyouwillview,report,andevaluatethepermissionsthat havebeenassignedtoActiveDirectoryobjects. Themaintasksforthisexerciseareasfollows: 1. 2. 3. ViewpermissionsintheAccessControlListEditorinterfaces. ReportpermissionsbyusingDSACLs. Evaluateeffectivepermissions.
Task 1: View permissions in the Access Control List Editor interfaces.
1.
OnNYCDC2,runActiveDirectoryUsersandComputersasan administrator,withtheusernamePat.Coleman_Adminandthepassword Pa$$w0rd.
2.
RightclicktheUserAccountsOU,andthenclickProperties.Clickthe Securitytab,andthenclickAdvanced.
3.
Sortsothatpermissionsaredisplayedaccordingtothegrouptowhichtheyare assigned. Question:HowmanypermissionentrieswerecreatedfortheHelpDesk groupbytheDelegationOfControlWizard?Isiteasytotellwhat
34/67
07/06/13
permissionswereassignedinthePermissionEntrieslist?Listthe permissionsassignedtoHelpDesk.
Task 2: Report permissions by using DSACLs.
Fromthecommandprompt,useDSACLstoreportthepermissionsassignedtothe UserAccountsOU.Typethefollowingcommand,andthenpressEnter.
d s a c l s" o u = U s e rA c c o u n t s , d c = c o n t o s o , d c = c o m "
Question:WhichpermissionsarereportedforHelpDeskbytheDSACLs command? Task 3: Evaluate effective permissions.
1.
2.
UsingtheAdvancedSecuritySettingsdialogbox,evaluatetheEffective PermissionsforApril.Meyer_Admin.Locatethepermissionsthatallowthe usertocreateanddeleteusers.
35/67
07/06/13
Question:DoyouseetheResetPasswordinthislist?
3.
IntheEmployeesOU,rightclicktheuseraccountforAaronLee,andthen clickProperties.ClicktheSecuritytab,andthenclickAdvanced.
4.
UsingtheAdvancedSecuritySettingsdialogbox,evaluatetheEffective PermissionsforAaron.Painter_Admin.Locatethepermissionsthatallowthe usertoresetthepasswordforAaronLee.
Results:Inthisexercise,youconfirmedthatthepermissionsyouassignedinthe previousexercisewereappliedsuccessfully.
Exercise 3: Remove and Reset Permissions

Inthisexercise,youwillremovedelegatedpermissionsandwillresetan OUtoitsschemadefineddefaultACL. Themaintasksforthisexerciseareasfollows: 1. 2. RemovepermissionsassignedtoHelpDesk. ResettheUserAccountsOUtoitsdefaultpermissions.
36/67
07/06/13
Task 1: Remove permissions assigned to Help Desk.
1.
2.
Sortsothatpermissionsaredisplayedaccordingtothegrouptowhichtheyare assigned.
3.
RemovethepermissionsassignedtoHelpDesk.
Task 2: Reset the User Accounts OU to its default permissions.
1.
2.
ClickRestoredefaults,andthenclickApply. Question:WhatdoyouachievebyclickingResetToDefault?What permissionsremain?
Results:Inthisexercise,youhaveresetthepermissionsontheUserAccountsOU toitsschemadefineddefaults.
37/67
07/06/13
NoteDonotshutdownthevirtualmachineafteryoufinishthislab,because thesettingsyouhaveconfiguredherewillbeusedinthesubsequentlab.
Lab Review Questions Question:WhenyouevaluatedtheeffectivepermissionsforAprilMeyeronthe UserAccountsOU,whydidn'tyouseepermissionssuchasResetPasswordin thislist?Whydidthepermissionappearwhenyouevaluatedeffective permissionsforAaronPainteronAaronLee'suseraccount? Question:DoesWindowsmakeiteasytoanswerthefollowingquestions:
Whocanresetuserpasswords? WhatcanXXXdoasanadministrator?
Question:WhatistheimpactofresettingtheACLofanOUbacktoits schemadefineddefault?
Lesson 2: Audit Active Directory Administration
38/67
07/06/13
Justasauditingfileandfolderaccessallowsyoutologattemptstoaccessthose typesofobjects,theAuditDirectoryServiceAccesspolicyallowsyoutologattempts toaccessobjectsinActiveDirectory.WindowsServer2008introducesanotherclass ofauditingforActiveDirectory:DirectoryServiceChanges.Inaddition,thereare severalauditingenhancementsinWindowsServer2008R2andWindows7that increasethelevelofdetailinsecurityauditinglogsandsimplifythedeploymentand managementofauditingpolicies.
Objectives
Aftercompletingthislesson,youwillbeableto:
39/67
07/06/13
ConfigureauditpolicytoenableDirectoryServiceChangesauditing. SpecifyauditingsettingsonActiveDirectoryobjects. IdentifyeventlogentriescreatedbyDirectoryAccessauditingandDirectoryService Changesauditing. DescribeAdvancedAuditPolicies. DescribeGlobalObjectAccessauditing. DescribethereasonforAccessReporting.
Enable Audit Policy
40/67
07/06/13
JustastheAuditObjectAccesspolicyallowsyoutologattemptstoaccessobjects, suchasfilesandfolders,theAuditDirectoryServiceAccesspolicyallowsyoutolog attemptstoaccessobjectsinActiveDirectory.Thesamebasicprinciplesapply.You configurethepolicytoauditSuccessorFailurefollowedbyconfiguringtheSACLof theActiveDirectoryobjecttospecifythetypesofaccessyouwanttoaudit. Asanexample,ifyouwanttomonitorchangestothemembershipofasecurity sensitivegroup,suchasDomainAdmins,youcanenabletheAuditDirectoryService AccesspolicytoauditSuccessevents.Then,youcanopentheSACLoftheDomain Adminsgroupandconfigureanauditingentryforsuccessfulmodificationsofthe groupsMembersattribute.Infact,inWindowsServer2008,thedefaultconfiguration istoauditSuccesseventsforDirectoryServiceAccessandauditallchangestothe
07/06/13
DomainAdminsgroup! InWindowsServer2003andWindows2000Server,youcouldauditdirectoryservice access,andyouwouldbenotifiedthatanobject,orthepropertyofanobject,had beenchanged,butyoucouldnotidentifythepreviousandnewvaluesofthe attributethathadchanged.Forexample,aneventcouldbeloggedindicatingthata particularuserchangedanattributeofDomainAdmins,butyoucouldnoteasily identifywhichattributewaschanged,andtherewasnowaytodeterminefromthe auditlogexactlywhatchangewasmadetothatattribute. WindowsServer2008addsanauditingcategorycalledDirectoryServiceChanges. TheimportantdistinctionbetweenDirectoryServiceChangesandDirectoryService AccessisthatwithDirectoryServiceChangesauditing,youcanidentifytheprevious andcurrentvaluesofachangedattribute. DirectoryServiceChangesisnotenabledinWindowsServer2008bydefault.Instead, DirectoryServiceAccessisenabledtomimictheauditingfunctionalityofprevious versionsofWindows.ToenableauditingofsuccessfulDirectoryServiceChanges, openacommandpromptonadomaincontrollerandenterthiscommand.
a u d i t p o l/ s e t/ s u b c a t e g o r y : " d i r e c t o r ys e r v i c ec h a n g e s " / s u c c e s s : e n a b l e
42/67
07/06/13
AlthoughyoucanusetheprecedingcommandtoenableDirectoryServiceChanges auditinginalabandexploretheeventsthataregenerated,werecommendthatyou dontimplementthisinadomainuntilyouevaluatethisfeatureintestenvironment.
Specify Auditing Settings for Directory Service Changes
YoumuststillmodifytheSACLofobjectstospecifywhichattributesshouldbe audited. ToaccesstheSACLanditsauditentries,performthefollowingsteps: 1. OpenthePropertiesdialogboxoftheobjectyouwishtoaudit.

43/67
07/06/13
2. 3. 4.
ClicktheSecuritytab. ClicktheAdvancedbutton. ClicktheAuditingtab.
Toaddanauditentry,performthefollowingsteps: 1. 2. ClicktheAddbutton. Selecttheuser,group,orcomputertoaudit.Often,thiswillbetheEveryone group. 3. IntheAuditingEntrydialogbox,indicatethetypeofaccesstoaudit. Youcanauditforsuccesses,failures,orbothasthespecifieduser,group,or computerattemptstoaccesstheresourcebyusingoneormoreofthegranular accesslevels.
YoucanauditSuccessestoperformthefollowingtasks: Logresourceaccessforreportingandbilling Monitoraccessthatwouldsuggestusersareperformingactionsgreaterthanwhat youhadplanned,indicatingthatpermissionsaretoogenerous

07/06/13
Toidentifyaccessthatisoutofcharacterforaparticularaccount,whichmightbea signthatauseraccounthasbeenbreachedbyahacker
Auditingfailedeventsallowsyouto: Monitorformaliciousattemptstoaccessresourcestowhichaccesshasbeen denied. Identifyfailedattemptstoaccessafileorafoldertowhichauserdoesrequire access.Thiswouldindicatethatthepermissionsarenotsufficienttoachievea businessrequirement.
NoteAuditlogshavethetendencytogetlargequiterapidly,soagolden ruleforauditingistoconfigurethebareminimumrequiredtoachievethe task.Specifyingtoauditthesuccessesandfailuresonanactivedatafolder fortheEveryonegroupbyusingFullControl(allpermissions)generates enormousauditlogsthatcouldaffecttheperformanceoftheserverand makelocatingaspecificauditedeventimpossible.
View Audited Events in the Security Log
45/67
07/06/13
Afteryouenablethedesiredauditpolicysettingandspecifytheaccessyouwantto auditbyusingobjectSACLs,thesystembeginstologaccessaccordingtoaudit entries.YoucanviewtheresultingeventsintheSecurityLogoftheserver.Openthe EventViewerconsolefromAdministrativeTools.ExpandWindowsLogs,andselect SecurityLog. WhenDirectoryServiceChangesauditingisenabledandauditingentriesare configuredintheSACLofdirectoryserviceobjects,eventsareloggedtotheSecurity Logthatclearlyindicatetheattributethatwaschangedandthechangemade.In mostcases,eventlogentrieswillshowthepreviousandcurrentvalueofthechanged attribute.
07/06/13
Advanced Audit Policies
NoteThecontentinthistopicisspecifictoWindowsServer2008R2.
InthepreviousversionsofWindows,suchasWindowsXPandWindowsServer 2003,ninecategoriesforauditingexisted.Administratorscouldconfigureeach categorytoperformauditingandmonitorsuccessful,failed,orbothsuccessfuland failedattemptsforspecifictasksandevents.Theseeventsarefairlybroadinscope andcanbetriggeredbyavarietyofsimilaractionssomeofwhichcangeneratea largenumberofeventlogentries.Thistypeofauditingwasconfiguredbyusing GroupPolicy.

07/06/13
InWindowsVistaandWindowsServer2008,thenumberofauditableeventsis expandedfromnineto53,whichenablesanadministratortobemoreselectiveinthe numberandtypesofeventstoaudit.However,unliketheninebasicWindowsXP events,thesenewauditeventsarenotintegratedwithGroupPolicyandcanonlybe deployedbyusinglogonscriptsgeneratedwiththeAuditpol.execommandlinetool. Thiswassomewhatinconvenientbecauseseveraltoolswereusedtomanage auditing. InWindowsServer2008R2andWindows7,allauditingcapabilitieshavebeen integratedwithGroupPolicy.Thisallowsadministratorstoconfigure,deploy,and managethesesettingsintheGroupPolicyManagementConsole(GPMC)orLocal SecurityPolicysnapinforalocalcomputer,domain,site,orOU.WindowsServer 2008R2andWindows7makeiteasierforITprofessionalstotrackwhenprecisely defined,significantactivitiestakeplaceonthenetwork. AuditpolicyenhancementsinWindowsServer2008R2andWindows7allow administratorstoconnectbusinessrulesandauditpolicies.Usingthesenewpolicies, youcaneasilyconfigureauditingthatwillcomplywithcompanypolicy.Thesenew policiesforauditingnowhaveaspecificnodeintheSecuritysettingspartofGroup PolicyobjecttheyarelocatedinSecuritySettings\AdvancedAuditPolicy Configuration\AuditPolicies.Withinthisnode,thereare10categoriesforauditing withseveraloptionswithineachcategory.Atthesametime,thelegacyauditpolicy nodestillexists.
48/67
07/06/13
Basic Audit policies vs. Advanced Audit Policies

Thebasicsecurityauditpolicysettings(locatedinSecuritySettings\Local Policies\AuditPolicy)andtheadvancedsecurityauditpolicysettings(locatedin SecuritySettings\AdvancedAuditPolicyConfiguration\AuditPolicies)appearto overlap,buttheyarerecordedandapplieddifferently. WhenyouapplybasicauditpolicysettingstothelocalcomputerbyusingtheLocal SecurityPolicy,youareeditingtheeffectiveauditpolicy,sochangesmadetobasic auditpolicysettingsappearexactlyasconfiguredinAuditpol.exe. Thereareseveraladditionaldifferencesbetweenthesecurityauditpolicysettingsin thesetwolocations. Anewsetofadvancedauditpoliciesallowadministratorstobemoreselectiveinthe numberandtypesofeventstoaudit.Forexample,whereabasicauditpolicy providesasinglesettingforaccountlogon,advancedauditpolicyprovidesfour. Enablingthesinglebasicaccountlogonsettingwouldbetheequivalentofsettingall fouradvancedaccountlogonsettings.Incomparison,settingasingleadvancedaudit policysettingdoesnotgenerateauditeventsforactivitiesyouarenotinterestedin. Additionally,ifyouenablesuccessauditingforthebasicAuditaccountlogonevents setting,onlysuccesseventswillbeloggedforallaccountlogonrelatedbehaviors.In comparison,youcanconfiguresuccessauditingforoneadvancedaccountlogon setting,failureauditingforasecondadvancedaccountlogonsetting,successand failureauditingforathirdadvancedaccountlogonsetting,ornoauditing,depending
07/06/13
ontheneedsofyourorganization. TheninebasicsettingsunderSecuritySettings\LocalPolicies\AuditPolicywere introducedinWindows2000,andthereforeareavailabletoallversionsofWindows releasedsincethen.TheadvancedauditpolicysettingswereintroducedinWindows VistaandWindowsServer2008.Theadvancedsettingscanbeusedonlyon computersrunningWindows7,WindowsVista,WindowsServer2008,orWindows Server2008R2.
Global Object Access Auditing
07/06/13
Toenableobjectaccessauditing,inpreviousWindowsversions,youhadtoconfigure thisoptioninbasicauditpolicies(inGPOs),andalsoturnonauditingforaspecific securityprincipalonSACLofobjectwhichyouwanttoaudit.Thisapproachsometime wasnotsoeasytoadjustwithcompanypoliciessuchasLogalladministrativewrite activityonserverscontainingFinanceinformation,becauseyoucannotturnon objectaccessauditloggingonserverlevelbutonlyonobjectlevel. ThenewauditcategoryinWindowsServer2008R2allowsadministratorstomanage objectaccessauditinginamuchwiderscope. WithGlobalObjectAccessAuditing,administratorscandefinecomputerSACLsper objecttypeforeitherthefilesystemorregistry.ThespecifiedSACListhen automaticallyappliedtoeveryobjectofthattype. Aglobalobjectaccessauditpolicycanbeusedtoenforcetheobjectaccessaudit policyforacomputer,fileshare,orregistrywithoutconfiguringandpropagating conventionalSACLs.ConfiguringandpropagatingSACLsisamorecomplex administrativetask,anditisdifficulttoverify,particularlyifyouneedtoverifytoan auditorthatsecuritypolicyisbeingenforced. Auditorswillbeabletoprovethateveryresourceinthesystemisprotectedbyan auditpolicybyjustviewingthecontentsoftheGlobalObjectAccessAuditingpolicy
07/06/13
setting. ResourceSACLsarealsousefulfordiagnosticscenarios.Forexample,settingaGlobal ObjectAccessAuditingpolicytologallactivityforaspecificuserandenablingthe AccessFailuresauditpoliciesinaresource(filesystem,registry)willhelp administratorsquicklyidentifywhichobjectinasystemisdenyingauseraccess. GlobalObjectAccessAuditingincludesthefollowingsubcategories:Filesystemand registry.
File System
ThissecuritypolicysettingallowsyoutoconfigureaglobalSACLonthefilesystem foranentirecomputer. IfyouselecttheConfiguresecuritycheckbox,youcanaddauserorgrouptothe globalSACL.
Registry
ThissecuritypolicysettingallowsyoutoconfigureanSACLontheregistryfora computer.IfyouselecttheConfiguresecuritycheckbox,youcanaddauseror grouptotheglobalSACL.Thispolicysettingmustbeusedincombinationwiththe RegistrysecuritypolicysettingunderObjectAccess.
52/67
07/06/13
NoteIfbothafileorfolderSACLandaGlobalObjectAccessAuditingpolicy (orasingleregistrysettingSACLandaGlobalObjectAccessAuditingpolicy) areconfiguredonacomputer,theeffectiveSACLisderivedfromcombining thefileorfolderSACLandtheGlobalObjectAccessAuditingpolicy.This meansthatanauditeventisgeneratedifanactivitymatcheseitherthefileor folderSACLortheGlobalObjectAccessAuditingpolicy.
Reason for Access Reporting
53/67
07/06/13
Oneofthemostcommonauditingneedsistotrackaccesstoaparticularfileor folder.ThereareseveraleventsinWindowstoauditwheneveranobjectaccess operationwassuccessfulorunsuccessful.Theeventsusuallyincludetheuser,the object,andtheoperation,buttheylackthereasonwhytheoperationwasallowedor denied. However,itisoftennotenoughtoknowsimplythatanobjectsuchasafileora folderwasaccessedbyauser.Forexample,youmightneedtoidentifyanactivity suchasauserwritingtoafilethatheorsheshouldnothavehadaccessto.Youmay alsowanttoknowwhytheuserwasabletoaccessthisresource.WindowsServer 2008R2andWindows7improvethisforensicsanalysisbyprovidingadditional informationaboutwhysomeonehadaccesstoaspecificresource.Thisfeatureis calledReasonforAccessauditing(orreporting). ByenablingReasonforAccessauditing,inadditiontotrackingthistypeofactivity, youwillalsobeabletoidentifytheexactACEthatallowedtheundesiredaccess.This cansignificantlysimplifythetaskofmodifyingaccesscontrolsettingstoprevent similarundesiredobjectaccessinthefuture. InWindowsServer2008R2andWindows7,youcanobtainthisforensicdataby configuringtheAuditHandleManipulationsettingalongwitheithertheAuditFile SystemorAuditRegistryauditsettingsinAdvancedAuditPolicyConfiguration. InWindows7andWindowsServer2008R2,thereasonwhysomeonehasbeen
07/06/13
grantedordeniedaccessisaddedtotheopenhandleevent.Thismakesitpossible foradministratorstounderstandwhysomeonewasabletoopenafile,folder,orfile shareforaspecificaccess.
Demonstration: Advanced Audit Policies
Inthisdemonstration,youwillseehowtolocateandconfigureAdvancedAudit policies
Demonstration Steps
StartGroupPolicyManagementConsole.
07/06/13
EdittheDefaultDomainPolicyGPO. BrowsetoAdvancedAuditPolicyConfiguration. Browsetosubcategories. ConfigurethatAdvancedAuditPolicyConfigurationsettingsarenotoverwritten.
Lab B: Audit Active Directory Changes
Lab Setup
07/06/13
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1,andintheActionspane,click Start. 3. 4. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts. Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso 5. Repeatsteps24for6425CNYCDC2.
Lab Scenario
TheadministratorsatContoso,Ltdhavereportedafewtimesthatthemembership listsofcertainhighlyprivilegedgroupsareinconsistent.Thelistsincludedpeoplewho shouldnotbemembersofthesegroups.Onepossiblereasonfortheinconsistency couldbethatthemembershiplistofthesegroupsischangedbyfollowingincorrect
07/06/13
procedures.TheenterprisesecurityteamatContoso,Ltdhasaskedyoutoprovide detailedreportsregardingchangestothemembershipofsecuritysensitivegroups, includingDomainAdmins.Thereportsmustshowthechangethatwasmade,who madethechange,andwhen.
Exercise 1: Audit Changes to Active Directory by Using Default Audit Policy

Inthisexercise,youwillseetheDirectoryServiceAccessauditingthatis enabledbydefaultinWindowsServer2008andWindowsServer2003. Themaintasksforthisexerciseareasfollows: 1. ConfirmthattheDomainAdminsgroupisconfiguredtoauditchangestoits membership. 2. 3. MakeachangetothemembershipofDomainAdmins. Examinetheeventsthatweregenerated.
Task 1: Confirm that the Domain Admins group is configured to audit changes to its membership. 1. OnNYCDC2,runActiveDirectoryUsersandComputersasan
58/67
07/06/13
administrator,withtheusernamePat.Coleman_Adminandthepassword Pa$$w0rd. 2. 3. OpentheAuditSettingspropertiesoftheDomainAdminsgroup. Locatetheentrythatspecifiestheauditingofsuccessfulattemptstomodify propertiesofthegroupsuchasmembership. Question:WhatistheAuditingEntrythatachievesthisgoal?
Task 2: Make a change to the membership of Domain Admins.
1.
AddStuartMunson(userlogonnameStuart.Munson)totheDomain Adminsgroup.Besuretoapplyyourchange.
2. 3.
RemoveStuartMunsonfromtheDomainAdminsgroup. Makeanoteofthetimewhenyoumadethechanges.Thatwillmakeiteasierto locatetheauditentriesintheeventlogs.
Task 3: Examine the events that were generated.
1.
RunEventViewerasanadministrator,withtheusername
59/67
07/06/13
Pat.Coleman_AdminandthepasswordPa$$w0rd. 2. ClickSecurityLogandlocatetheeventsthatweregeneratedwhenyouadded andremovedStuartMunson. Question:WhatistheEventIDoftheeventloggedwhenyoumadeyour changes?WhatistheTaskCategory? Question:ExaminetheinformationprovidedontheGeneraltab.Canyou identifythefollowingintheeventlogentry? Whomadethechange? Whenthechangewasmade? Whichobjectwaschanged? Whattypeofaccesswasperformed? Whichattributewaschanged?Howisthechangedattributeidentified? Whatchangewasmadetothatattribute?
Results:Inthisexercise,yougeneratedandexaminedDirectoryServiceAccess auditentries.
Exercise 2: Audit Changes to Active Directory by Using Directory

07/06/13
Service Changes Auditing

Inthisexercise,youwillimplementthenewDirectoryServicesChanges auditingofWindowsServer2008torevealdetailsaboutchangestothe DomainAdminsgroup. Themaintasksforthisexerciseareasfollows: 1. 2. 3. EnableDirectoryServicesChangesauditing. MakeachangetothemembershipofDomainAdmins. Examinetheeventsthatweregenerated.
Task 1: Enable Directory Services Changes auditing.
1.
OnNYCDC2,runthecommandpromptasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
Typethefollowingcommand,andthenpressEnter.
a u d i t p o l/ s e t/ s u b c a t e g o r y : " d i r e c t o r ys e r v i c ec h a n g e s " / s u c c e s s : e n a b l e
07/06/13
Task 2: Make a change to the membership of Domain Admins.
1.
AddStuartMunson(userlogonnameStuart.Munson)totheDomain Adminsgroup.Besuretoapplyyourchange.
2. 3.
RemoveStuartMunsonfromtheDomainAdminsgroup. Makenoteofthetimewhenyoumadethechanges.Thatwillmakeiteasierto locatetheauditentriesintheeventlogs.
Task 3: Examine the events that were generated.
1.
RunEventViewerasanadministrator,withtheusername Pat.Coleman_AdminandthepasswordPa$$w0rd.
2.
ClickSecurityLogandlocatethenewtypesofeventsthatweregenerated whenyouaddedandremovedStuartMunson. Question:WhataretheEventIDsoftheeventloggedwhenyoumade yourchanges?WhatistheTaskCategory? Question:ExaminetheinformationprovidedontheGeneraltab.Canyou identifythefollowingintheeventlogentry?
62/67
07/06/13
Whattypeofchangewasmade? Whomadethechange? Whichmemberwasaddedorremoved? Whichgroupwasaffected? Whenthechangewasmade?
Results:Inthisexercise,yougeneratedDirectoryServicesChangesauditing entries.
To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick Revert.
3.
IntheRevertVirtualMachinedialogbox,clickRevert.
63/67
07/06/13
4.
Repeatthesestepsfor6425CNYCDC2.
Lab Review Questions Question:WhatdetailsarecapturedbyDirectoryServicesChangesauditing thatarenotcapturedbyDirectoryServiceAccessauditing? Question:Whichtypeofadministrativeactivitieswouldyouwanttoauditby usingDirectoryServicesChangesauditing?
Module Review and Takeaways
64/67
07/06/13
Review Questions
Question:HowdoestheActiveDirectoryUsersandComputersconsoleindicate thatyoudonothavepermissionstoperformaparticularadministrativetask? Question:Whatisthebenefitofatwotiered,rolebasedmanagementgroup structurewhenassigningpermissionsinActiveDirectory?
NoteRolebasedmanagementisadetailedtopic.Thereareotheraspectsof rolebasedmanagementsuchasdisciplineandauditingthatarerequiredto ensurethatthemembersofagroupsuchasAD_UserAccounts_Supporthave thepermissionstheyaresupposedtohave.Youalsoneedtoensurethatthe

07/06/13
membersofthisgrouphavenootherpermissions,andthatnootherusersor groupshavebeendelegatedthesamepermissions.
Question:WhatisthemainbenefitofusingnewAdvancedAuditPolicies?
Common Issues related to Secure Administration

Issue
Thereisnoundelegatecommand orwizardafteryoufinishdelegation ofcontrol ReasonforAccessauditingisnot working
Troubleshootingtip
Best Practices Related to Secure Administration

UseDelegationofControlWizardtodelegateadministrativecontrolinsteadof placingusersinbuiltinadministrativegroups. UseAdvancedAuditPoliciesforbetterandmoregranularauditcontrol. Avoidusingtheblockinheritanceoptionwhenconfiguringpermissions.
Tools
07/06/13
Tool
GroupPolicy ManagementConsole DelegationofControl Wizard Auditpol
Usedfor
Editingsecuritypolicy
Wheretofindit
AdministrativeTools
Delegatingadministrativecontrol overOU Configuringauditing
ActiveDirectoryUsersandComputers
Commandlineutility
Windows Server 2008 R2 Features Introduced in this Module

WindowsServer2008 R2feature
AdvancedAuditPolicies NewsettingsinGroupPolicyobjectformoredetailedauditingof varioussystemevents GlobalObjectAccessAuditing Reasonforaccessreporting Methodtoauditonserverlevelinsteadonobjectlevel Newfeaturethatallowsadministratorstoseewhysomeonewasable toaccessaresourcethatisbeingaudited.
Description
67/67

Module 9 - Securing Administration

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Module 9 - Securing Administration

Încărcat de

Drepturi de autor:

Formate disponibile

07/06/13

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Lesson 1: Delegate Administrative Permissions

Module 9: Securing Administration

helpdeskandeachroleinyourorganizationtoonlyperformthetasksrequiredofthe role.Inthislesson,youwilllearntodelegatespecificadministrativetaskswithin ActiveDirectorybychangingtheaccesscontrollists(ACLs)onActiveDirectory objects.

Module 9: Securing Administration

Module 9: Securing Administration

View the ACL of an Active Directory Object

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Understand and Manage Permissions with Inheritance

Module 9: Securing Administration

Module 9: Securing Administration

Demonstration: Delegate Administrative Tasks with the Delegation of Control Wizard

Module 9: Securing Administration

Module 9: Securing Administration

Report and View Permissions

Thereareseveralotherwaystoviewandreportpermissionswhenyouneedtoknow whocandowhat.YouhavealreadyseenthatyoucanviewpermissionsontheDACL byusingtheAdvancedSecuritySettingsandPermissionEntrydialogboxes. DSACLs(dsacls.exe)isalsoavailableasacommandlinetoolthatreportsondirectory

Module 9: Securing Administration

serviceobjects.Ifyoutypethecommandfollowedbythedistinguishednameofan objectyouwillseeareportoftheobjectspermissions.Forexample,thefollowing commandproducesareportofthepermissionsassociatedwiththeUserAccounts OU:

Remove or Reset Permissions on an Object

Module 9: Securing Administration

Module 9: Securing Administration

DSACLsalsoprovidesthe/sswitchtoresetpermissionstotheschemadefined defaults,andthe/tswitchtomakethechangefortheentiretreetheobjectand allofitschildobjects.Forexample,toresetpermissionsonthePeopleOUandall ofitschildOUsandobjects,youwouldenter:

Understand Effective Permissions

Module 9: Securing Administration

Permissions,whetherassignedtoyouruseraccountoragrouptowhichyoubelong, areequivalent.Intheend,anACEappliestoyou,theuser.Thebestpracticeisto managepermissionsbyassigningthemtogroups,butitisalsopossibletoassign

Module 9: Securing Administration

Module 9: Securing Administration

Design an OU Structure to Support Delegation

Module 9: Securing Administration

Module 9: Securing Administration

Module 9: Securing Administration

Lab A: Delegate Administration

Module 9: Securing Administration

Module 9: Securing Administration

Logonbyusingthefollowingcredentials: Username:Pat.Coleman Password:Pa$$w0rd Domain:Contoso

OpenWindowsExplorerandthenbrowsetoD:\Labfiles\Lab09a. RunLab09a_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_AdminwiththepasswordPa$$w0rd.

Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab09a. Repeatsteps24for6425CNYCDC2.

Exercise 1: Delegate Permission to Create and Support User Accounts

Module 9: Securing Administration

Task 1: Create security groups for role-based management.

OnNYCDC2,runActiveDirectoryUsersandComputerswithadministrative credentials.UsetheaccountPat.Coleman_Adminwiththepassword Pa$$w0rd.

Module 9: Securing Administration

IntheGroups\RoleOU,createthefollowingrolegroups: HelpDesk(globalsecuritygroup) UserAccountAdmins(globalsecuritygroup)

Addthefollowingusers'administrativeaccountstotheHelpDeskgroup.Be carefulnottoaddtheusers'standard,nonprivilegedaccount. AaronM.Painter EllyNkya JulianPrice HollyDickson

Addthefollowingusers'administrativeaccountstotheUserAccountAdmins group.Becarefulnottoaddtheusers'standard,nonprivilegedaccount. PatColeman AprilMeyer MaxStevens

Module 9: Securing Administration

RightclicktheUserAccountsOUandthenclickDelegateControl.Delegateto theHelpDeskgroupthepermissiontoresetuserpasswordsandforceusersto changepasswordsatnextlogon.

Task 4: Validate the implementation of delegation.

CloseActiveDirectoryUsersandComputers. RunActiveDirectoryUsersandComputersasanadministrator,withthe usernameAaron.Painter_AdminandthepasswordPa$$w0rd.

Module 9: Securing Administration

ConfirmthatyoucannotdisableJeffFord'saccount. ConfirmthatyoucannotresetthepasswordforPatColeman(Admin)inthe AdminIdentitiesOU.

CloseActiveDirectoryUsersandComputers. RunActiveDirectoryUsersandComputersasanadministrator,withthe usernameApril.Meyer_AdminandthepasswordPa$$w0rd.