Active Directory Security



This article gives an overview of the security features of Active Directory and of the threats its design is meant to address.

Active Directory (often shortened to AD) is Microsoft's directory service for Windows domain networks; both servers and desktops join it. Development began in 1996 and it first shipped with Windows 2000 Server. In brief, Active Directory is a hierarchical directory that stores information about the objects on a network (users, groups, computers, printers, policies and so on) and organizes them into domains, trees and forests.

The Active Directory security model differs substantially from the NT4 SAM-based domain model. It added ACL inheritance, extended rights (permissions on operations rather than on data, such as resetting a password or replicating directory changes), property sets (named groups of attributes that a single ACE can grant or deny together), and fine-grained per-attribute permissions. Access control has never been simple, so understanding how these pieces combine is the key to mastering the Active Directory security model.

Active Directory consists of a large number of objects of various kinds; security principal accounts are one of them. A security principal is an Active Directory object (a user, group or computer account) that is assigned a unique Security Identifier (SID). The SID, not the account name, is what appears in access tokens and in access control entries, so it identifies the user, group or computer for authentication and authorization, and renaming an account does not change its rights. Access to Active Directory objects is controlled by granting or denying permissions to security principals. Entries are evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), so an explicit deny wins over an explicit allow for the same principal, while an explicit allow set directly on an object wins over a deny inherited from its parent.

When planning Active Directory security, identify which categories of threat apply: spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege (the STRIDE categories), plus social engineering. Consider separately which actors could mount each one: anonymous users, authenticated users, service administrators, data administrators and anyone with physical access to a domain controller. Keep domain controllers current with security hotfixes and service packs.

Inheritance is borrowed from object-oriented programming. In Active Directory access control, an access control entry (ACE) placed on a parent container can be marked inheritable, and it then applies to the child objects beneath it; the result on the child is called an inherited permission. This is very useful, but there are several subtleties in how Microsoft implemented it.

Active Directory's permission inheritance is static, not dynamic. With static inheritance, when an inheritable ACE is added to a container, the domain controller's security descriptor propagator writes a copy of that ACE into the security descriptor of every descendant object and flags the copy as inherited; an access check then needs to read only the target object's own security descriptor. With dynamic inheritance nothing is copied to child objects; instead, whenever a user tries to access an object, that object's ACL and the ACL of every parent container up the tree must be read and combined. Static inheritance makes access checks cheap and lets an administrator see the effective ACL on each object, but propagating a change down a large tree is a write-heavy operation, and objects whose DACL is protected from inheritance (including members of protected groups, whose descriptors AdminSDHolder resets) simply never receive the copies.
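The following PowerShell script is an added example, not code from the original article. It ties together the points above: it grants the Helpdesk group the "Reset Password" extended right on an OU (identifying the principal by SID and looking the right's GUID up from the Extended-Rights container rather than hard-coding it), then reads the security descriptor of a user inside that OU to show the copied, inherited ACE that static inheritance produces, and finally checks the two cases in which the copy never arrives. The OU, user and group names are assumptions; it requires the ActiveDirectory module (RSAT) and permission to modify the OU's DACL.

```powershell
# Added example: observe static ACL inheritance in Active Directory.
# Assumed names; replace with real ones before running.
Import-Module ActiveDirectory

$ouDN   = 'OU=Staff,DC=corp,DC=example'                     # assumed parent container
$userDN = 'CN=Alice Example,OU=Staff,DC=corp,DC=example'    # assumed child object
$group  = Get-ADGroup -Identity 'Helpdesk'                  # assumed security principal
$nbName = (Get-ADDomain).NetBIOSName

# 1. Resolve the extended right "Reset Password" (User-Force-Change-Password) to its
#    rightsGuid from the configuration partition instead of hard-coding the GUID.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$resetPw   = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                 -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$rightGuid = [guid]$resetPw.rightsGuid

# 2. Build an ACE that applies to descendant objects only and add it to the OU's DACL.
#    The principal is identified by SID; the name is only resolved for display later.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$ouAcl = Get-Acl -Path "AD:\$ouDN"
$ouAcl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# 3. Propagation is done by the DC's security descriptor propagator, not synchronously
#    by the write, so give it a moment before reading the child.
Start-Sleep -Seconds 5

# 4. Read the child's OWN security descriptor. Because inheritance is static, the ACE
#    is physically present here, flagged IsInherited, with the same ObjectType GUID.
$childAcl = Get-Acl -Path "AD:\$userDN"
$childAcl.Access |
    Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq "$nbName\$($group.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited, InheritanceType

# 5. Caveats: a child whose DACL is protected does not receive copies, and members of
#    protected groups (adminCount=1) are kept in that state by AdminSDHolder by design.
if ($childAcl.AreAccessRulesProtected) {
    Write-Warning "$userDN blocks inheritance; the OU-level ACE will not reach it."
}
$adminCount = (Get-ADUser -Identity $userDN -Properties adminCount).adminCount
if ($adminCount -eq 1) {
    Write-Warning "$userDN is protected by AdminSDHolder; its DACL is periodically reset."
}
```

Run the last two `Get-Acl` calls against the same domain controller the `Set-Acl` went to (the default `AD:` drive does this) so you are not waiting on replication as well as propagation. The SID-based comparison in step 4 is deliberate: an ACE stores the SID, and `Get-Acl` only translates it to a name for display.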

Some best practices for Active Directory security: use Active Directory-integrated DNS zones wherever possible, allowing only secure dynamic updates; prefer forwarders over secondary zones for resolving other namespaces; keep domain controllers highly restricted, both physically and administratively; maintain a reviewed and stable password policy together with account lockout; monitor regularly for unexpected query loads, data-centre outages, disk-space usage and DNS request traffic; and practise formal change management.
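As an added example (not code from the original article), the following read-only PowerShell audit checks several of the settings just listed: the domain password and lockout policy (including any fine-grained policies), whether each DNS zone is AD-integrated and restricted to secure dynamic updates, and whether forwarders are configured. It requires the ActiveDirectory and DnsServer modules and is meant to be run on, or remoted to, a domain controller that also hosts DNS. The numeric thresholds are assumptions; adjust them to your own policy.

```powershell
# Added example: read-only audit of a few Active Directory and DNS security settings.
# Thresholds below are assumptions, not values from the article.
Import-Module ActiveDirectory
Import-Module DnsServer

$findings = [System.Collections.Generic.List[string]]::new()
$minLength = 14   # assumed minimum password length

# Domain-wide password and lockout policy.
$pol = Get-ADDefaultDomainPasswordPolicy
if ($pol.MinPasswordLength -lt $minLength) { $findings.Add("MinPasswordLength is $($pol.MinPasswordLength); assumed floor is $minLength") }
if (-not $pol.ComplexityEnabled)           { $findings.Add('Password complexity is disabled') }
if ($pol.LockoutThreshold -eq 0)           { $findings.Add('Account lockout is disabled (LockoutThreshold = 0)') }
if ($pol.ReversibleEncryptionEnabled)      { $findings.Add('Reversible password encryption is enabled') }

# Fine-grained password policies override the default for the groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    if ($_.LockoutThreshold -eq 0)            { $findings.Add("PSO '$($_.Name)' disables account lockout") }
    if ($_.MinPasswordLength -lt $minLength)  { $findings.Add("PSO '$($_.Name)' allows passwords shorter than $minLength") }
}

# DNS zones: every zone the administrator created should be AD-integrated and accept
# only secure (Kerberos-authenticated) dynamic updates.
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
    if (-not $_.IsDsIntegrated) {
        $findings.Add("Zone $($_.ZoneName) is file-backed, not AD-integrated")
    } elseif ($_.DynamicUpdate -ne 'Secure') {
        $findings.Add("Zone $($_.ZoneName) allows '$($_.DynamicUpdate)' dynamic updates")
    }
}

# Forwarders: without them the server falls back to root hints for external names.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress.Count -eq 0) { $findings.Add('No DNS forwarders configured; resolver relies on root hints') }

# Domain controllers: list them so each one can be checked for restricted access.
Get-ADDomainController -Filter * | Select-Object HostName, IsGlobalCatalog, OperatingSystem

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Auto-created zones (the built-in reverse-lookup zones) are skipped because they are not under the administrator's control. Reverse-lookup zones you created are included, since an attacker who can write unauthenticated dynamic updates to them can spoof PTR records just as easily as A records.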
