Auditing Microsoft Active Directory Eric Dugger Network Services Manager Nevada Legislature.

Auditing Microsoft Active Directory

Eric Dugger

Network Services Manager

Nevada Legislature

What is Active Directory

A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments.

Resources – Computers & Printers

Services – E-Mail, Policies, DNS, etc.

Users – Accounts and security groups

Primary Items of Importance

Business Continuity
• Is Active Directory backed up?
• Are there multiple Domain Controllers?

Security
• Who has access to change Active Directory?
• What settings in Active Directory affect security? (passwords, etc.)

Policies
• What environment is created from AD Policies?

Business Continuity

Active Directory Backups – Critical Data
• How often?
• Where are they stored?
(see Backing up an Active Directory Server doc)

Multiple Domain Controllers
• Should have the global catalog
(show where in Sites and Services)

Questions

Active Directory Security

Who can access Active Directory?

What can they change?

Is auditing turned on for Active Directory?

Access to Active Directory

Active Directory Boundaries

Physical Security

Domain Forests & Trusts

Permissions to Change AD

Groups of Interest
• Enterprise Admins
• Schema Admins
• Administrators
• Domain Admins
• Server Operators
• Account Operators
• Backup Operators
• DS Restore Mode Administrator
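
One way to answer "who can change AD" for the groups of interest on this slide, as an added example that is not part of the original presentation. It assumes the RSAT ActiveDirectory PowerShell module and read access to the domain; the output file name and the 90-day threshold are illustrative choices.

```powershell
# Added example: effective (nested) membership of the groups named on the slide.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# "DS Restore Mode Administrator" is a local account on each domain controller,
# not a group, so it cannot be enumerated this way and is left out.
$groups = 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Domain Admins',
          'Server Operators', 'Account Operators', 'Backup Operators'

$report = foreach ($name in $groups) {
    try {
        # -Recursive expands nested groups, so indirect members are included.
        $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members | Where-Object { $_.objectClass -eq 'user' }) {
        try {
            $u = Get-ADUser -Identity $m.distinguishedName -ErrorAction Stop `
                 -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires
        } catch {
            # Typically a member from another domain; record it for manual review.
            Write-Warning "Could not read '$($m.distinguishedName)' in '$name'"
            continue
        }
        [pscustomobject]@{
            Group                = $name
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
        }
    }
}

# One row per (group, account), to compare against the approved administrator list.
$report | Sort-Object Group, Account |
    Export-Csv -Path .\privileged-groups.csv -NoTypeInformation

# Enabled privileged accounts with no recent logon (never-logged-on accounts included).
# LastLogonDate is replicated with a delay, so treat it as approximate.
$cutoff = (Get-Date).AddDays(-90)   # threshold is an assumption
$report | Where-Object { $_.Enabled -and $_.LastLogonDate -lt $cutoff } |
    Format-Table Group, Account, LastLogonDate
```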

Questions

Group Policy in Microsoft Windows Active Directory

What is Active Directory Group Policy?

The Group Policy management solution in Microsoft® Windows Server™ 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory® directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows® XP Professional, and Windows Server 2003.

Overview

• Control Internet Explorer Settings
• Control Computer/User Settings
• Software Distribution
• Windows Updates
• Much, Much More…

Getting Started

Windows 2003 Active Directory

Group Policy Manager Plug-in

Creating a Policy

Choose an Organizational Unit

Create and Link GPO

Assigning a Policy

Policies Linked to this OU

Policies Inherited to this OU

Delegation of this OU

Defining Internet Explorer

Control the Functionality of IE
• Plug-Ins
• Menus
• Empty Temp Folder

Control the Security of IE
• Active X
• .NET
• Block Sites

Configuring an IE Policy

Define your Zones
• Internet
• Intranet
• Trusted
• Restricted

Define your Settings

Apply Policy to an OU

ZONES

1 – Intranet

2 – Trusted

3 – Internet

4 – Restricted

Control User/Computer Settings

Configure the Desktop
• Hide icons/menus
• Dictate wallpaper

Control Software Installation or Use
• Prohibit software from being installed or uninstalled
• Prohibit software from being run

Lockdown Administrator Functions
• Network or security settings

Configure Windows Firewall

Configure a Desktop Policy

Software Distribution

• Automatically Install Software at Logon
• Publish Software
• Remove Software
• Update Software

Configure a Software Install Policy

Install a Software Package on Logon
• The software will be installed when the user logs on

Publish a Software Package
• The software will be available through “Add/Remove Programs”

Redeploy a Software Package
• The package will be redeployed (Update or New Version)

Uninstall a Software Package
• The software will be removed

Install Path to MSI File

Managing Windows Updates

Create a policy to use the Windows Update Services server
• Assign WSUS Server
• Assign WSUS Groups

Install and Configure WSUS

Windows System Update Server

• Updates for Windows, Office, Exchange Server, and SQL Server, with additional product support over time
• Automatic download of specific updates
• Automated actions for updates, determined by administrator approval
• Ability to determine the applicability of updates before installing them
• Targeting
• Reporting

How WSUS Works

Downloads selected updates to central update server

Release updates to specified groups

Report on status of updates

Computer Name, Operating System, Last Status Report, Computer Group

Update Name, Update Type, Release Date, Approval

Install

Detect only

Not Approved

Reporting

Computer Name

Status Type

Installed, Needed, Not Needed, Unknown, Failed, Last Updated

Update Title

Questions

Tools

• GPResult
• Admx
• Group Policy Manager

True Last Logon
http://www.dovestones.com/products/True_Last_Logon.asp

What AD Policies am I getting?

• Open a command window
• Type gpresult

GPRESULT

Export Group Policy Settings

AdmX.exe: ADM File Parser

The ADM File Parser (AdmX) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (AdmX) to find changes for the policy settings between different versions of the operating systems. AdmX is for use only with policies based on administrative templates.

Version compatibility

The AdmX.exe tool runs on Windows 2000, Windows Server 2003, and Windows XP Professional. AdmX.exe also requires the Microsoft .NET Framework 1.0.

Group Policy Manager

Questions