You don't have to perform daredevil stunts to maintain the security of your Windows 2000 Active Directory. The...
trick is performing a combination of a proper set up and daily monitoring. Sounds pretty simple, but it's just as simple as jumping the Grand Canyon on a moped.
While easier than landing on the other side of the Grand Canyon, complete Active Directory security is not a total piece of cake. You can lessen the burden, though.
To help you make the leap into an effective Active Directory security process, SearchWindowsManageability contacted Active Directory management expert Ratmir Timashev, CEO of Aelita Software, Powell, Ohio. Here are Timashev's dos and don'ts for Active Directory security management. Aelita makes Enterprise Directory Manager, a Windows 2000, Active Directory and Exchange 2000 administration product.
Don't think security in Active Directory comes automatically once you deploy it and install all the latest service packs and patches. "Security is a matter of day-to-day activities and proper AD design." This is the number one thing to keep in mind, Timashev said.
Do identify all the parts of the corporate network that need to be isolated. Secure them and make them separate forests, he said. Forests are collections of domains. "By default, a user or administrator in one forest cannot access another forest. That means the forest is a security boundary," Timashev explained.
Don't include users from other forests into any administrative groups of your forest, he said.
"Do set up security identification (SID) filtering on the inter-forests trusts," said Timashev.
Do set permissions and delegate administration on organizational unit (OU) and domain level, Timashev said. "The rights should be granted as granularly as possible. This will protect your directory from accidental damage by incorrect administrative activities."
Don't think granular domain and OU-level delegation is enough! "Only forests are real security boundaries that can protect from rogue administrators," said Timashev.
Do separate data administration from service administration, he said. "People who own data should set permissions on access. Service administrators take care of schema management, AD replication and other directory activities," Timashev concluded.
FOR MORE INFORMATION
We have over 30 Windows management do and don'ts here.