The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Designing a permission structure for directory service objects
Windows Server 2003 servers are flexible in regard to the assignment of permissions for Active Directory objects. As I said before, every object is controllable as to what it can do to other objects and what other objects can do to it. Microsoft recommends best practices when assigning permissions to Active Directory objects. These best practices focus on the strengths of the system and are designed to provide the greatest security with the least effort. You need to be familiar with the following best practices for directory service access permissions:
Avoid taking away the default permissions: Leave the default permissions in place and add to them, if necessary. Taking away default permissions can cause unexpected results.
When delegating control, avoid granting full control: If you give a user full control, she can undo the configuration that you have carefully put into place. Instead, give her the minimum permissions that she needs to perform the tasks that you have assigned her.
Remember the inheritance property and use it to your advantage: If you allow a user to control a container and everything within it, he also controls every object in the containers nested below it, because each of those objects receives its own access control entry (ACE). Processing all of those ACEs can eventually hurt network performance. Whenever possible, use the Apply onto option (in the advanced permission settings) to control inheritance and to minimize the number of ACEs that apply to child objects.
When possible, assign the same set of permissions to multiple objects: When multiple objects have identical access, the servers need to store only one instance of the ACL and can apply it to the multiple objects. If you change one thing about an ACL, you create a new ACL.
Assign the rights on the broadest level possible without overassigning the rights: For example, use create all child objects or delete all child objects rather than specifying all of the object types.
Delegate permissions to groups rather than to individuals: Use the A G U DL P principle (accounts go into global groups, global groups into universal groups, universal groups into domain local groups, and permissions are assigned to the domain local groups); assign the permissions to a group, and then make the user a member of the group.
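The following PowerShell script is an added example, not from the book, that applies several of the practices above on one OU: it adds (rather than replaces) an ACE that lets a group create and delete user objects only, with inheritance applied to the OU and its descendants, and then audits the OU for explicit ACEs granted to individual user accounts instead of groups. The OU distinguished name and the group name are assumed placeholders; the script requires the ActiveDirectory module and rights to modify the OU's security descriptor.

```powershell
# Added example (not from the book). Assumed names: OU "OU=Helpdesk Users,DC=corp,DC=example"
# and group "HelpdeskAdmins". Requires the ActiveDirectory module and its AD: drive.
Import-Module ActiveDirectory

# Look up the schemaIDGUID of an object class (here "user") instead of hard-coding it.
function Get-SchemaClassGuid {
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [guid]::new([byte[]]$cls.schemaIDGUID)
}

# Delegate create/delete of user objects to a group; the new ACE is added to the default ACEs.
function Grant-UserObjectManagement {
    param([string]$OuDn, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    # ObjectType limits the right to the "user" class; inheritance All covers the OU and descendants.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaClassGuid 'user'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Audit: report non-inherited ACEs whose trustee is a user account rather than a group.
function Find-DirectUserAces {
    param([string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only ACEs set explicitly on this OU
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }                   # unresolvable or well-known principal; skip
        $user = try { Get-ADUser -Identity $sid.Value -ErrorAction Stop } catch { $null }
        if ($user) {
            [pscustomobject]@{ User = $user.SamAccountName; Rights = $ace.ActiveDirectoryRights
                               Inheritance = $ace.InheritanceType; Type = $ace.AccessControlType }
        }
    }
}

$ou = 'OU=Helpdesk Users,DC=corp,DC=example'
Grant-UserObjectManagement -OuDn $ou -GroupName 'HelpdeskAdmins'
Find-DirectUserAces -OuDn $ou | Format-Table -AutoSize
```

Any rows returned by Find-DirectUserAces are candidates for moving into a group-based delegation, per the last practice above.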