
Securing Active Directory dos & don'ts

Meredith B. Derby, assistant news editor

You don't have to perform daredevil stunts to keep your Windows 2000 Active Directory secure. The trick is combining a proper setup with daily monitoring. That sounds simple, but so does jumping the Grand Canyon on a moped.

While it is easier than landing on the far rim of the Grand Canyon, complete Active Directory security is no piece of cake either. You can lessen the burden, though.

To help you make the leap into an effective Active Directory security process, SearchWindowsManageability contacted Active Directory management expert Ratmir Timashev, CEO of Aelita Software, Powell, Ohio. Here are Timashev's dos and don'ts for Active Directory security management. Aelita makes Enterprise Directory Manager, a Windows 2000, Active Directory and Exchange 2000 administration product.

Don't think security in Active Directory comes automatically once you deploy it and install all the latest service packs and patches. "Security is a matter of day-to-day activities and proper AD design." This is the number one thing to keep in mind, Timashev said.

Do identify all the parts of the corporate network that need to be isolated. Secure them and make them separate forests, he said. Forests are collections of domains. "By default, a user or administrator in one forest cannot access another forest. That means the forest is a security boundary," Timashev explained.

Don't include users from other forests in any administrative groups of your forest, he said.

"Do set up security identifier (SID) filtering on the inter-forest trusts," said Timashev.
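The two cross-forest rules above (no foreign principals in your administrative groups, SID filtering on every trust that crosses the forest boundary) can be audited from PowerShell. The script below is an added example, not from the article or from Aelita; it assumes the ActiveDirectory RSAT module, the trustAttributes bit values documented in MS-ADTS, and the default English names of the privileged groups.

```powershell
# Added example (not from the article): audit cross-forest hygiene from a
# domain controller or an RSAT host. Assumes rights to read trustedDomain
# objects and group membership in the local domain.
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS section 6.1.6.7.9).
$QUARANTINED_DOMAIN = 0x04   # SID filtering enforced on an external trust
$FOREST_TRANSITIVE  = 0x08   # the trust is a forest trust
$WITHIN_FOREST      = 0x20   # parent/child or tree-root trust inside our own forest
$TREAT_AS_EXTERNAL  = 0x40   # forest trust with SID filtering relaxed (/enablesidhistory:Yes)

$local = Get-ADDomain

# 1. Every trust that crosses the forest boundary should filter SIDs.
#    The netdom command is run on the trusting (outbound) side; the partner
#    forest must do the same for the direction it trusts.
Get-ADTrust -Filter * | ForEach-Object {
    $attr = [int]$_.TrustAttributes
    if ($attr -band $WITHIN_FOREST) { return }   # intra-forest: not a security boundary
    if ($attr -band $FOREST_TRANSITIVE) {
        $filtered = -not ($attr -band $TREAT_AS_EXTERNAL)
        $fix = "netdom trust $($local.DNSRoot) /domain:$($_.Name) /enablesidhistory:No"
    } else {
        $filtered = [bool]($attr -band $QUARANTINED_DOMAIN)
        $fix = "netdom trust $($local.DNSRoot) /domain:$($_.Name) /quarantine:Yes"
    }
    [pscustomobject]@{
        Trust        = $_.Name
        Direction    = $_.Direction
        ForestTrust  = [bool]($attr -band $FOREST_TRANSITIVE)
        SIDFiltering = if ($filtered) { 'on' } else { 'OFF' }
        Remediation  = if ($filtered) { '' } else { $fix }
    }
} | Format-Table -AutoSize

# 2. Principals from another forest are stored as foreignSecurityPrincipal
#    objects. A CN of S-1-5-21-... is a domain account from outside this
#    forest; well-known SIDs such as S-1-5-11 (Authenticated Users) are not.
$fspSuffix  = ",CN=ForeignSecurityPrincipals,$($local.DistinguishedName)"
$privileged = 'Administrators', 'Domain Admins', 'Account Operators',
              'Enterprise Admins', 'Schema Admins'   # last two exist only in the forest root
foreach ($name in $privileged) {
    try   { $group = Get-ADGroup -Identity $name -Properties member }
    catch { continue }
    foreach ($dn in $group.member) {
        if ($dn -notlike "*$fspSuffix") { continue }
        $sid = (($dn -split ',')[0]) -replace '^CN=', ''
        if ($sid -like 'S-1-5-21-*') {
            Write-Warning "$name contains foreign principal $sid; remove it and delegate at OU level instead"
        }
    }
}
```

The check in step 2 looks only at direct membership; nesting through groups in the other forest is hidden behind the same foreign security principal, which is one more reason to keep such principals out of these groups entirely.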

Do set permissions and delegate administration at the organizational unit (OU) and domain level, Timashev said. "The rights should be granted as granularly as possible. This will protect your directory from accidental damage by incorrect administrative activities."

Don't think granular domain and OU-level delegation is enough! "Only forests are real security boundaries that can protect from rogue administrators," said Timashev.

Do separate data administration from service administration, he said. "People who own data should set permissions on access. Service administrators take care of schema management, AD replication and other directory activities," Timashev concluded.
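Granular OU-level delegation and the split between data and service administration both come down to ACLs and group membership. The script below is an added example, not from the article or from Aelita: it grants a help-desk group only the reset-password and unlock rights on one OU, then reports whether the forest's service-administration groups are empty. The OU path and the group name Sales-HelpDesk are assumptions; the three GUIDs are the well-known AD schema GUIDs for the Reset Password extended right, the user object class and the lockoutTime attribute.

```powershell
# Added example (not from the article): delegate one data-administration task
# on one OU, then verify that service-administration groups stay empty.
Import-Module ActiveDirectory

$ou       = 'OU=Sales,DC=corp,DC=example'    # assumed OU
$helpdesk = Get-ADGroup -Identity 'Sales-HelpDesk'   # assumed data-admin group

# Well-known schema GUIDs.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class: user
$lockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # attribute: lockoutTime

# Scope every ACE to user objects below the OU ("Descendents" is the .NET spelling).
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $helpdesk.SID, 'ExtendedRight', 'Allow', $resetPassword, 'Descendents', $userClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $helpdesk.SID, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, 'Descendents', $userClass)
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Show what the help desk can now do here, and nothing more.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$($helpdesk.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType -AutoSize

# Service administration: schema and forest-wide changes are rare, so these
# groups should be empty except during a planned change window.
foreach ($name in 'Schema Admins', 'Enterprise Admins') {
    try   { $members = @(Get-ADGroupMember -Identity $name) }
    catch { continue }   # only present in the forest root domain
    if ($members.Count -gt 0) {
        Write-Warning ("{0} has {1} member(s): {2}" -f $name, $members.Count,
            ($members.SamAccountName -join ', '))
    }
}
```

Run this with an account that owns the OU's ACL rather than a Domain Admin where possible, and remember that delegation of this kind is what protects against mistakes; only a separate forest protects against a rogue administrator.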

FOR MORE INFORMATION

We have over 30 Windows management dos and don'ts here.

Don't fear the (Active) directory
