4. Designing Domain


Transcript of 4.Designing Domain

Security business requirement Security technical requirement Design forest Design domain Design OU

Single / Multiple Domain

Forest

ids.com (forest root)

Child domains: ce.ids.com, it.ids.com

Once you have decided whether to create a single forest or multiple forests, the next step is to determine how many domains you want in your organization.

Designing Domain

Deploying a Single Domain / Deploying Multiple Domains

When simplicity in a forest is your goal, a single domain is the best decision for an Active Directory design.

Choosing a single domain has the following effects on your Active Directory:

It reduces management of the forest: if the forest has a single domain, the domain admin is also a forest admin.

It reduces the number of required DCs: by deploying a single domain you reduce hardware cost.

It reduces the dependency on a global catalog server for authentication.

When authenticating in a native mode domain, the authenticating DC connects to a global catalog server to determine universal group membership for the authenticating security principal.

This is not required in a single domain environment because the authenticating DC knows about all objects in the forest.

It provides an easier migration path to multiple domains (single domain to multiple domains: easy; multiple domains to a single domain: difficult).

For several technical reasons you sometimes have to deploy multiple domains.

The key reason is a requirement for differing account policies.

Account policies apply at the domain level. There is no way to implement varying account policies in a single domain.

Password policy: defines the characteristics of passwords that may be used for authentication

Account lockout policy: specifies which action is taken after a number of failed logon attempts

Kerberos policy: defines the maximum ticket lifetime for authentication

Account policies must be defined carefully. Don't make them too restrictive, otherwise they can lead to increased help desk calls from users whose accounts have been locked out.

Restrictive password policies actually reduce network security in some cases.

Different areas of an organization can't agree on the same password policy, so different domains have different password policies.

Password policies are:

Enforce password history: prevents users from reusing the same password; the policy can have a value between 0 and 24 passwords remembered.

Maximum password age: defines how frequently the password must change; the policy can have a value from 0 (password never expires) to 999 days.

Minimum password age: defines how long a new password must exist before the user can change it.

Minimum password length

Password must meet complexity requirements: controls the format of the password entered by the user
◦ UPPER CASE
◦ lower case
◦ 1234567890 (numeric)
◦ !@#$%^&* (symbols)
◦ The password can't contain the user's account name

Store passwords using reversible encryption for all users in the domain:

The password is saved in this format after the user changes the password for the first time after this policy is set.

Reversible encryption is used by IIS when configured to use Digest authentication, and by dial-in users using CHAP.
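The password-policy settings above are easier to reason about when applied to a concrete change request. The following is an added example, not material from the presentation: it encodes the settings as data and checks a candidate password against them (minimum age, minimum length, the complexity rule, and password history). The policy values, the account name `jsmith`, the password history and the timestamps are all constructed.

```python
"""Check a password change against the domain password policy settings listed
above. This is an added example, not material from the presentation; the
policy values, account name and password history are constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24   # 0..24 previous passwords remembered
    maximum_password_age_days: int = 42  # 0 = never expires, up to 999
    minimum_password_age_days: int = 1   # 0 = may be changed again immediately
    minimum_password_length: int = 8
    complexity_required: bool = True


@dataclass
class Account:
    sam_account_name: str
    history: list = field(default_factory=list)  # fingerprints, newest first
    last_set: datetime = None


def fingerprint(password: str) -> str:
    # Constructed stand-in for the stored hash so the history check does not
    # keep plaintext around; AD does not store passwords as SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def meets_complexity(password: str, sam_account_name: str) -> bool:
    """Characters from at least three of the four categories on the slide,
    and the account name must not appear in the password (Windows skips the
    account-name check for names shorter than three characters)."""
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        return False
    name = sam_account_name.lower()
    return not (len(name) >= 3 and name in password.lower())


def validate_change(policy, account, new_password, now):
    """Return the names of the violated settings; an empty list means the
    change is allowed."""
    problems = []
    if account.last_set is not None and policy.minimum_password_age_days > 0:
        if now - account.last_set < timedelta(days=policy.minimum_password_age_days):
            problems.append("minimum password age")
    if len(new_password) < policy.minimum_password_length:
        problems.append("minimum password length")
    if policy.complexity_required and not meets_complexity(new_password, account.sam_account_name):
        problems.append("password must meet complexity requirements")
    remembered = account.history[:policy.enforce_password_history]
    if fingerprint(new_password) in remembered:
        problems.append("enforce password history")
    return problems


def password_expired(policy, account, now):
    """Maximum password age of 0 means the password never expires."""
    if policy.maximum_password_age_days == 0 or account.last_set is None:
        return False
    return now - account.last_set > timedelta(days=policy.maximum_password_age_days)


# Constructed sample data
POLICY = PasswordPolicy()
ACCOUNT = Account("jsmith", history=[fingerprint("Winter2024!")],
                  last_set=datetime(2024, 1, 1))
NOW = datetime(2024, 3, 1)
JUST_CHANGED = datetime(2024, 1, 1, 12)   # half a day after the last change

if __name__ == "__main__":
    for candidate in ("Winter2024!", "jsmithPass1!", "short1A", "Spring2024!"):
        print(candidate, validate_change(POLICY, ACCOUNT, candidate, NOW) or "ok")
    print("expired:", password_expired(POLICY, ACCOUNT, NOW))
```

Each check is independent, so a rejected change reports every setting it violates rather than only the first one; that is the list a help desk would want when a user asks why a new password was refused.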

Account lockout duration: values can be 0 to 99,999 minutes. If defined as 0, an admin has to unlock the account manually.

Account lockout threshold: defines how many incorrect logon attempts are allowed; values are 0 to 999 logon attempts.

Reset account lockout counter after: defines how frequently the account lockout counter is reset to zero. For example, if this policy is defined as 30 minutes, the account lockout counter will be reset to zero after 30 minutes have passed since the last failed logon attempt.
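The interaction between the three lockout settings is easiest to see on a timeline. The following is an added example, not material from the presentation: it replays a constructed sequence of logon attempts against a lockout policy and shows how the threshold, the counter reset window, and the lockout duration (including the 0 = manual-unlock case) combine. All policy values and timestamps are constructed.

```python
"""Simulate the three account lockout settings described above. This is an
added example, not material from the presentation; policy values and the
logon timeline are constructed. Times are minutes since an arbitrary start."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5                  # failed attempts before lockout; 0 = never lock
    reset_counter_after_min: int = 30   # quiet minutes before the bad-password counter clears
    duration_min: int = 30              # minutes locked; 0 = locked until an admin unlocks


class AccountState:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None    # minute of the most recent failed attempt
        self.locked_at = None   # minute the lockout began, or None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True         # only admin_unlock() clears this state
        if now - self.locked_at >= self.policy.duration_min:
            self.locked_at = None   # lockout duration elapsed
            self.bad_count = 0
            return False
        return True

    def admin_unlock(self):
        self.locked_at = None
        self.bad_count = 0

    def logon(self, now, password_ok):
        """Process one attempt at minute `now`; returns 'locked', 'ok' or 'bad'."""
        if self.is_locked(now):
            return "locked"     # even a correct password is refused while locked
        if password_ok:
            self.bad_count = 0
            return "ok"
        # "Reset account lockout counter after": the counter returns to zero once
        # that many minutes have passed since the last failed attempt.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_counter_after_min:
            self.bad_count = 0
        self.bad_count += 1
        self.last_bad = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
        return "bad"


def replay(policy, attempts):
    """Run a list of (minute, password_ok) attempts and return the outcomes."""
    state = AccountState(policy)
    return [state.logon(minute, ok) for minute, ok in attempts]


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, reset_counter_after_min=30, duration_min=30)
    # Three quick failures lock the account; it frees itself 30 minutes later.
    print(replay(policy, [(0, False), (1, False), (2, False), (3, True), (33, True)]))
    # Failures spaced more than 30 minutes apart never reach the threshold.
    print(replay(policy, [(0, False), (1, False), (40, False), (41, False), (42, True)]))
```

The second replay is the case the slide warns about in reverse: a short reset window limits how many help-desk lockouts a mistyped password causes, while a duration of 0 turns every lockout into a manual unlock.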

The Kerberos policy defines settings for the Kerberos v5 authentication protocol.

These settings apply to all computers and users in the domain where the policy is defined. The Kerberos policy settings available in account policy include:

Enforce user logon restrictions: prevents a locked-out account from acquiring any additional service tickets after the account is locked.

Maximum lifetime for service ticket: how long a service ticket can be stored in the service ticket cache; after it times out the account will renew the service ticket.

Maximum lifetime for user ticket: after exceeding this value the ticket will be discarded from the cache.

Maximum lifetime for user ticket renewal: once this period expires the user has to get a new ticket from the KDC.

Maximum tolerance for computer clock synchronization: defines how much a client computer's clock can be out of sync with a server's clock. If the clocks are out of sync by a period greater than this policy setting, authentication will fail.
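The user-ticket lifetime, the renewal limit and the clock-skew tolerance interact in a way the list above only hints at: a renewed ticket never outlives the renewal limit fixed at first logon, and an expired copy cannot be renewed at all. The following is an added example, not material from the presentation: a small model of a ticket-granting ticket under these three settings. The policy defaults used here match the Windows defaults (10 hours, 7 days, 5 minutes); the ticket and all timestamps are constructed, expressed in minutes on the KDC's clock.

```python
"""Apply the Kerberos policy settings described above to a constructed ticket
granting ticket (TGT). This is an added example, not material from the
presentation; all times are minutes on the KDC's clock."""
from dataclasses import dataclass


@dataclass
class KerberosPolicy:
    max_user_ticket_min: int = 10 * 60        # maximum lifetime for user ticket
    max_renewal_min: int = 7 * 24 * 60        # maximum lifetime for user ticket renewal
    max_clock_skew_min: int = 5               # maximum tolerance for clock synchronization


@dataclass
class Ticket:
    issued_min: int       # when this copy was issued
    lifetime_min: int     # how long this copy is valid
    renew_till_min: int   # absolute limit fixed at first issue; renewals never extend it


def clock_skew_ok(policy, client_time_min, kdc_time_min):
    return abs(client_time_min - kdc_time_min) <= policy.max_clock_skew_min


def issue_tgt(policy, now_min):
    """Initial authentication: both the lifetime and the renewal limit start now."""
    return Ticket(issued_min=now_min, lifetime_min=policy.max_user_ticket_min,
                  renew_till_min=now_min + policy.max_renewal_min)


def ticket_usable(ticket, now_min):
    return now_min < ticket.issued_min + ticket.lifetime_min


def renew_tgt(policy, ticket, now_min):
    """Renewal only works while the current copy is still valid and the renewal
    limit has not passed; the new copy is capped at that limit. Returns None
    when the user must authenticate to the KDC again."""
    if not ticket_usable(ticket, now_min) or now_min >= ticket.renew_till_min:
        return None
    lifetime = min(policy.max_user_ticket_min, ticket.renew_till_min - now_min)
    return Ticket(issued_min=now_min, lifetime_min=lifetime,
                  renew_till_min=ticket.renew_till_min)


def authenticate(policy, ticket, client_time_min, kdc_time_min):
    """Check clock skew first, then whether the presented ticket is still valid."""
    if not clock_skew_ok(policy, client_time_min, kdc_time_min):
        return "clock skew too large"
    if not ticket_usable(ticket, kdc_time_min):
        return "ticket expired"
    return "ok"


if __name__ == "__main__":
    policy = KerberosPolicy()
    tgt = issue_tgt(policy, 0)
    print(authenticate(policy, tgt, client_time_min=10, kdc_time_min=12))
    print(authenticate(policy, tgt, client_time_min=10, kdc_time_min=20))
    print(renew_tgt(policy, tgt, 500))
    print(renew_tgt(policy, tgt, 700))   # expired copy: None, re-authentication needed
```

The renewal cap is the detail worth keeping in mind when a domain lengthens ticket lifetimes: shortening the renewal limit is what actually bounds how long a compromised TGT remains usable without a fresh logon, and the clock-skew setting is why a drifted workstation fails authentication long before any ticket expires.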

Reasons for deploying multiple domains:

Differing account policies

Replication issues: a branch office is connected to the main office via a WAN link, then …

International considerations: some countries require management to take place within the country where the network is located

Political reasons

Three-domain design for ids: ids.com (forest root) with child domains ce.ids.com and it.ids.com

Two-domain design for it: it.com with child domain ee.it.com