Providing Security for Domains
Now that we have a good understanding of Active Directory, the infrastructure components, default security, and how to apply security, we are going to investigate each component individually, including how to provide security for it. We start with the domain. The domain has many areas that need to be secured to ensure that an attacker has few areas to focus on. Some of these focus areas could fall under domain controllers, since the objects are stored there, but these are really domainwide considerations, not just domain controller considerations.
Users, Groups, and Computers
As we have seen in earlier chapters, the SID is the mechanism used by the operating system to control and manage the security principals. Remember, the security principals include user, group, and computer accounts. You will want to protect all security principals above all other objects, because it is the security principals that are given access to resources. If an attacker can access a resource as an account that has elevated privileges or administrative privileges, there is almost no way to stop him from doing as he pleases with that resource.
The following simple rules will help you protect user, group, and computer accounts.
Clean up stale accounts
If an account (especially a user or computer account) has not been used in a while, be sure to have a process to remove it from the Active Directory. The new feature to run Saved Queries in the Active Directory will help you quickly ...
Get Securing Windows Server 2003 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.