Modifying Domain User Account Properties

A set of default properties is associated with each domain user account that you create. For domain user accounts, these account properties equate to object attributes. You can use the properties that you define for a domain user account to search for users in the directory, or the properties can be used in other applications as object attributes. For this reason, you should provide detailed definitions for each domain user account that you create. For example, if a user knows a person's last name and wants to find the person's telephone number, the user can use the last name to search for the telephone number.

The tabs in the Properties dialog box for a user, shown in Figure 7-5, contain information about each user account. Table 7-5 describes the tabs in the Properties dialog box.

•       Documents the user's first name, initials, last name, display name, description, office location, telephone number(s), e-mail address, and Web page(s)

•       Documents the user's street address, post office box, city, state or province, ZIP code or postal code, and country or region

•       Documents the user's account properties, including user logon name, logon hours, computers permitted to log on to, account options, and account expiration

•       Sets a profile path, logon script path, and home folder

•       Documents the user's home, pager, mobile, fax, and Internet Protocol (IP) telephone numbers, and contains space for notes

•       Documents the user's title, department, company, manager, and direct reports

•       Configures Terminal Services remote control settings

•       Configures the Terminal Services user profile

•       Documents the COM+ partition set of which the user is a member

•       Documents the list of X.509 certificates for the user account

•       Documents the groups to which the user belongs

•       Documents the dial-in properties for the user

•       Configures the Terminal Services startup environment

•       Sets the Terminal Services timeout and reconnection settings

•       Documents the fully qualified domain name (FQDN), object class, create and modified dates, the original update sequence number (USN), and the current USN

•       Sets permissions on the user object

Seizing Operations Master Roles

To seize an operations master role is to move it without the cooperation of its current owner. You seize an operations master role assignment when a server that is holding a role fails and you do not intend to restore it. The operations master role assignment is seized (reassigned) to a domain controller you select to act as a standby operations master. Some operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.

Before seizing the operations master role, determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online. You must also determine which domain controller can effectively serve as a standby operations master. In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.

The Process of Managing Administrative Risk

The process for managing administrative risk is as follows:

1.      Recognize the vulnerabilities introduced by network administration.

2.      Establish security boundaries. Understanding the security boundaries provided by the operating system is essential in determining the scope of authority that administrators have. In addition to understanding where these boundaries are, you must also understand when to apply them. To do so, you need to know the key concepts of isolation and autonomy as they relate to service administration and data administration.

3.      Reduce the administration attack surface. Reducing the attack surface is a sound security design principle that can be applied to any part of your security design. If you can reduce the number of things that can be attacked or the avenues that can be used to attack them, the network will be more secure. Reducing the attack surface can take many forms, but one of the easiest things to do is to eliminate things that are not needed. To reduce the ability of attackers to use administrative accounts and channels to attack networks, reduce the number of things in total that administrators must manage and reduce or partition the scope of their management by delegating authority. While these actions are also examples of least privilege, they illustrate a reduction in the attack surface quite nicely. If the administrator's account were to be compromised, the attacker would have less ability to do damage because the surface or range of things that can be attacked has been reduced.

4.      Evaluate and carefully judge your administrators. The people who are trusted with the administration of your network must be trustworthy. Although you can limit authority, every bit of authority can be used to destroy important parts of your systems and data. In addition, at some point, someone must have absolute authority to keep systems running, correct errors introduced by others, troubleshoot problems, and so on. Checking the backgrounds of potential administrators and repeating the process periodically is crucial to the survival of your information systems.

5.      Monitor and audit administrative work. Administrators are people: they make mistakes, they have needs and desires, they face temptations, and they are as likely to want to harm systems as any other employee. The difference is that administrators have the power and authority to harm systems easily. Often, because an administrator has unlimited privileges, an attacker with administrative credentials or a malicious administrator can prevent operations from being audited or can delete the audit record of his activity by deleting the security log.

The following topics provide the information and guidelines you need to complete most of these tasks.

Note Evaluating the trustworthiness of administrators is beyond the scope of this book, but it must be done. It is a topic for the legal and human resources departments of your organization to pursue. You can, however, protect your network from untrustworthy administrators by ensuring sound security principles are practiced, by designing an Active Directory infrastructure that meets your autonomy and isolation needs, and by auditing the actions of administrators. Auditing is discussed in Chapter 9.

Sets LDAP filter used in the LDAP search operation

Specifies the attributes to be returned from the search. This option is used only if the comparison option /t is set to FALSE. Valid option values are: LDAPattributes, which displays any LDAP attribute; ObjectClass, which specifies that no attributes be displayed; auto, which specifies that only attributes replicated to the global catalog be displayed; and All, which specifies that all attributes contained in an object be displayed.

The user name to use for the query.

Password for authenticating the user name. Must be used with the /u parameter.

The domain to use for authenticating the user name. Must be used with the /u parameter.
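The lookup described under "Modifying Domain User Account Properties" (a user who knows only a last name finds a telephone number) and the filter and attribute-selection options listed above, as an added example that is not code from the training kit: a small LDAP search-filter evaluator run over a constructed in-memory directory. The entries, attribute values and the parse_filter/search helpers are constructed for this illustration; it is not a real LDAP client.

```python
"""Minimal LDAP search-filter evaluator over an in-memory directory.

Added illustration, not code from the training kit. Supports equality,
substring (*) and presence filters combined with &, | and !. Escaped
characters (\\2a and so on) and the ~=, >=, <= comparisons are not handled.
"""
import re

# Constructed sample directory; attribute names follow the Active Directory
# schema (sn = surname, telephoneNumber, department, ...). Every value is a list.
DIRECTORY = [
    {"dn": "CN=Alice Adams,OU=Sales,DC=example,DC=com", "objectClass": ["user"],
     "givenName": ["Alice"], "sn": ["Adams"], "department": ["Sales"],
     "telephoneNumber": ["555-0101"], "mail": ["alice@example.com"]},
    {"dn": "CN=Bob Adamson,OU=IT,DC=example,DC=com", "objectClass": ["user"],
     "givenName": ["Bob"], "sn": ["Adamson"], "department": ["IT"],
     "telephoneNumber": ["555-0102"], "mail": ["bob@example.com"]},
    {"dn": "CN=Sales Staff,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "member": ["CN=Alice Adams,OU=Sales,DC=example,DC=com"]},
]


def parse_filter(text):
    """Parse '(&(objectClass=user)(sn=Ad*))' into a tuple tree:
    ('&'|'|', [children]) / ('!', [child]) / ('=', attr, pattern)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at position %d" % i)
        i += 1
        if i < len(text) and text[i] in "&|!":
            op = text[i]
            i += 1
            children = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced parentheses")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unbalanced parentheses")
        attr, sep, pattern = text[i:end].partition("=")
        # Reject ~=, >=, <= and an empty attribute name; only plain '=' is supported.
        if not sep or not attr or attr[-1] in "~<>":
            raise ValueError("unsupported filter item %r" % text[i:end])
        return ("=", attr.strip(), pattern), end + 1

    node, i = parse(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; return [] when absent."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values if isinstance(values, list) else [values]
    return []


def match(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(match(child, entry) for child in node[1])
    if op == "|":
        return any(match(child, entry) for child in node[1])
    if op == "!":
        return not match(node[1][0], entry)
    _, attr, pattern = node
    values = _values(entry, attr)
    if pattern == "*":                       # presence filter: (attr=*)
        return bool(values)
    # Each '*' in the pattern matches any run of characters; the rest is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, value, re.IGNORECASE) for value in values)


def search(filter_text, attrs=None, directory=DIRECTORY):
    """Return [(dn, {attr: values})] for matching entries. With attrs=None every
    attribute is returned, otherwise only the requested ones that are present."""
    tree = parse_filter(filter_text)
    results = []
    for entry in directory:
        if not match(tree, entry):
            continue
        wanted = attrs if attrs else [name for name in entry if name != "dn"]
        found = {a: _values(entry, a) for a in wanted if _values(entry, a)}
        results.append((entry["dn"], found))
    return results
```

For the lookup from the text, search("(sn=Adams)", ["telephoneNumber"]) returns only the matching entry's telephone number; a malformed or unsupported filter raises ValueError instead of silently matching nothing.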

Troubleshooting Active Directory Replication

Some of the common problems you might encounter with Active Directory replication include the following:

•       New users are not recognized.

•       Directory information is out-of-date.

•       Service requests are not handled in a timely fashion.

•       Domain controllers are unavailable.

Active Directory Replication Troubleshooting Scenarios

Table 5-5 describes some Active Directory replication troubleshooting scenarios.

Table 5-5   Active Directory Replication Troubleshooting Scenarios

Problem: Replication of directory information has stopped.

Cause: The sites containing the clients and domain controllers are not connected by site links to domain controllers in other sites in the network, resulting in a failure to exchange directory information between sites.

Solution: Create a site link from the current site to a site that is connected to the rest of the sites in the network.

Problem: Replication of directory information has slowed but not stopped.

What Are Border Controls?

Border controls are controls that sit at the junction between trusted and less trusted segments of a network. They can be firewalls, remote access servers, intrusion detection systems (IDSs), packet filtering routers, VPN servers, or a combination of these things that are located on a border between the internal private network and an external network such as the Internet. They can be the same controls used to protect gateways between geographically dispersed segments of a single organization's network or to link partner networks into an extranet. They can also be the same devices used to segment internal networks into areas of trust.

Note Most IT professionals are familiar with IDSs—security screening devices that alert the administrator to potential attacks on the network. Recently, a new type of device known as an intrusion protection system (IPS), which is built to react to and stop an attack without administrative intervention, has emerged on the market. These products detect attacks and can be programmed to respond to them. For example, the device might immediately block all traffic from the identified interloper. In addition, specific types of packets, such as those that are improperly formed (empty, inconsistent, too short, too long, arriving on the wrong ports, and so on), are dropped. Examples of these systems are Jasomi Networks' PeerPoint Intrusion Prevention System (http://www.jasomi.com/peerpointintrusion.html) and Psynapse Technologies' Checkmate Intrusion Protection System (http://www.psynapsetech.com/).

Some capabilities of these new products have been featured in firewalls and IDSs in the past. For example, some IPSs will proactively block data from an IP address or IP address range that appears to be used in an attack. The difference with these products is how far they go in responding and the fact that the product is a separate device. The IPS idea is catching on—even the IDS manufacturers are now also touting new IPS features on their IDSs. Read about Cisco's efforts in this area at http://www.cisco.com/en/US/products/sw/secursw/ps2113/ and Internet Security Systems' efforts at http://www.iss.net/products_services/enterprise_protection/.

Firewall Considerations

Many types of firewalls are available. Most, such as Microsoft Internet Security and Acceleration Server, start with the premise that all traffic should be blocked by default and require that the administrator configure access rules. Many provide additional services such as intrusion detection/protection and VPNs. Several issues reduce the effectiveness of firewalls as border controls:

Viewing issuer information

See Also For more information about the certificate chaining process in Windows, see the "Troubleshooting Certificate Status and Revocation" white paper on the TechNet page of the Microsoft Web site at /technet/security/prodtech/pubkey/tshtcrl.asp.

3.      When a certificate is presented that cannot be chained back to one of the trusted root CAs, the chain is considered broken and, strictly speaking, the certificate won't be trusted. However, an application could be written that does not check the chain, accepts a chain that does not extend back to a trusted root, or allows the user to accept a certificate regardless of the state of the chain. Understanding what will happen in each case requires understanding how the application handles these elements. Other factors, such as CRL checking, also come into play.

Certificate Chaining on the Internet

The certificate chaining process is managed across the Internet by including the root CA certificate in the certificate store of the browser, and hence, on Windows systems, in the certificate store of the computer. When the browser is first installed, the certificate store includes the root CA certificates of public CAs. When the browser connects to any site that has a certificate that can be chained back to a certificate in its certificate store and then authenticated, a secure channel can be negotiated. If an untrusted certificate (that is, the root CA certificate is not in the store) is presented, it is rejected. However, if the root CA is not present in the Trusted Root or Untrusted Root containers, the user will be prompted to select whether to trust the certificate. The user, in many cases, can accept the certificate without proof of trust, but that is another story.
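The chain-building and store-lookup behaviour described in the two passages above, as an added example that is not code from the training kit: walk from the presented certificate to its issuer until a self-issued certificate is reached, then let the Trusted Root and Untrusted Root containers decide the outcome, and map that outcome onto the three application behaviours listed. The certificates are constructed records linked by name only; signatures, validity periods and CRLs are not checked, so this shows the chain logic rather than real validation.

```python
"""Certificate chain building as the text describes it: start from the
presented certificate, find each issuer in turn, and stop at a self-issued
certificate, whose container (Trusted Root, Untrusted Root, or neither)
decides the outcome.

Added illustration, not code from the training kit. Certificates are
constructed records linked by name only; no signature or CRL checking.
"""


def build_chain(leaf, presented, trusted_roots, untrusted_roots):
    """Walk from leaf to a root.

    leaf:            the certificate being evaluated
    presented:       extra certificates sent along with it (intermediates, roots)
    trusted_roots:   contents of the Trusted Root container
    untrusted_roots: contents of the Untrusted Root container

    Returns (status, chain) where status is one of
      'trusted'              chain ends in the Trusted Root container
      'explicitly_untrusted' chain ends in the Untrusted Root container
      'unknown_root'         chain ends at a self-issued certificate in neither
                             container (the case where a browser prompts)
      'broken'               an issuer is missing or the chain loops
    """
    sent = {c["subject"]: c for c in presented}
    trusted = {c["subject"]: c for c in trusted_roots}
    untrusted = {c["subject"]: c for c in untrusted_roots}
    chain = [leaf]
    seen = {leaf["subject"]}
    current = leaf
    while True:
        issuer = current["issuer"]
        if issuer == current["subject"]:
            # Self-issued: the local containers, not the peer, decide trust.
            if issuer in untrusted:
                return "explicitly_untrusted", chain
            if issuer in trusted:
                return "trusted", chain
            return "unknown_root", chain
        # Prefer the local containers' copy of a certificate over the peer's
        # copy, so a sent certificate cannot stand in for one already distrusted.
        nxt = untrusted.get(issuer) or trusted.get(issuer) or sent.get(issuer)
        if nxt is None or nxt["subject"] in seen:
            return "broken", chain      # missing issuer, or a cycle
        seen.add(nxt["subject"])
        chain.append(nxt)
        current = nxt


def application_decision(status, policy):
    """The application behaviours the text lists for a chain that does not
    reach a trusted root. Returns 'accept', 'reject' or 'prompt'."""
    if status == "trusted":
        return "accept"
    if policy == "strict":            # checks the chain and enforces it
        return "reject"
    if policy == "no_chain_check":    # never looks at the chain at all
        return "accept"
    if policy == "browser":           # reject known-bad, ask about unknown
        return "prompt" if status == "unknown_root" else "reject"
    raise ValueError("unknown policy %r" % policy)


# Constructed certificates: a public CA hierarchy, a private root, and a
# root that has been placed in the Untrusted Root container.
PUBLIC_ROOT = {"subject": "Example Public Root CA", "issuer": "Example Public Root CA"}
PUBLIC_SUB = {"subject": "Example Public Issuing CA", "issuer": "Example Public Root CA"}
SITE_CERT = {"subject": "www.example.com", "issuer": "Example Public Issuing CA"}
PRIVATE_ROOT = {"subject": "Contoso Private Root", "issuer": "Contoso Private Root"}
INTRANET_CERT = {"subject": "intranet.contoso.com", "issuer": "Contoso Private Root"}
BLOCKED_ROOT = {"subject": "Blocked Root", "issuer": "Blocked Root"}
BLOCKED_CERT = {"subject": "shop.example.net", "issuer": "Blocked Root"}

if __name__ == "__main__":
    for leaf, extra in [(SITE_CERT, [PUBLIC_SUB]), (SITE_CERT, []),
                        (INTRANET_CERT, [PRIVATE_ROOT]), (BLOCKED_CERT, [BLOCKED_ROOT])]:
        status, chain = build_chain(leaf, extra, [PUBLIC_ROOT], [BLOCKED_ROOT])
        print(leaf["subject"], status, [c["subject"] for c in chain],
              application_decision(status, "browser"))
```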

Creating an Active Directory Backup

After you have completed the preliminary tasks, you can perform the Active Directory backup using the Backup Or Restore Wizard. When you back up Active Directory, the Backup Or Restore Wizard automatically backs up all the system components and all the distributed services that Active Directory requires. Collectively, these components and services are known as system state data.

For Windows Server 2003, the system state data comprises the registry, COM+ Class Registration database, system boot files, files under Windows File Protection, and the Certificate Services database (if the server is a certificate server). If the server is a domain controller, Active Directory and the Sysvol directory are also contained in the system state data. When you choose to back up system state data, all of the system state data that is relevant to your computer is backed up; you cannot choose to back up individual components of the system state data. This is due to dependencies among the system state components. You can back up only the system state data on a local computer. You cannot back up the system state data on a remote computer.

To create an Active Directory backup, complete the following steps:

1.      Log on to your domain as Administrator, point to Start, point to All Programs, point to Accessories, point to System Tools, and select Backup.

2.      On the Welcome To The Backup Or Restore Wizard page, click Next.

3.      On the Backup Or Restore page, shown in Figure 3-8, select Backup Files And Settings, and then click Next.

4.      On the What To Back Up page, shown in Figure 3-9, select Let Me Choose What To Back Up, and then click Next.

5.      On the Items To Back Up page, shown in Figure 3-10, expand the My Computer item, and then select System State. Click Next.

6.      On the Backup Type, Destination, And Name page, shown in Figure 3-11, complete the following steps:

•       Select Tape in the Select The Backup Type list if you are using tape; otherwise, this option defaults to File.

•       In the Choose A Place To Save Your Backup list, choose the location where Windows Backup will store the data. If you are saving to a tape, select the tape name. If you are saving to a file, browse to the path for the backup file location.

•       In the Type A Name For This Backup box, enter a name for the backup you are going to do.

•       Click Next.

7.      On the Completing The Backup Or Restore Wizard page, click Advanced.

8.      On the Type Of Backup page, shown in Figure 3-12, select Normal as the backup type used for this backup job. Normal is the only backup type supported by Active Directory. If the Hierarchical Storage Manager (HSM) has moved data to remote storage and you want to back it up, select the Backup Migrated Remote Storage Data check box. Click Next.

9.      On the How To Back Up page, shown in Figure 3-13, select the Verify Data After Backup check box. This option causes the backup process to take longer, but it confirms that files are correctly backed up. If you are using a tape device and it supports hardware compression, select the Use Hardware Compression, If Available check box to enable hardware compression. It's recommended that you do not select the Disable Volume Shadow Copy check box. By default, Backup creates a volume shadow copy of your data to create an accurate copy of the contents of the hard drive, including open files or files in use by the system. Click Next.

10.     On the Backup Options page, shown in Figure 3-14, select the Replace The Existing Backups option, then select the Allow Only The Owner And The Administrator Access To The Backup Data And To Any Backups Appended To This Medium check box. This action saves only the most recent copy of Active Directory and allows you to restrict who can gain access to the completed backup file or tape. Click Next.

11.     On the When To Back Up page, shown in Figure 3-15, select Now. Click Next.

12.     On the Completing The Backup Or Restore Wizard page, click Finish to start the backup operation.

13.     The Backup Progress window shows the progress of the backup.

14.     When the backup operation is complete, the Backup Progress window, shown in Figure 3-16, shows that the backup is complete. You can click the Report button to see a report about the backup operation, as shown in Figure 3-17. The report is stored on the hard disk of the computer on which you are running the backup.

15.     Close the report when you have finished viewing it and then click Close to close the backup operation.

Intersite Replication

A maximum of three replication hops between domain controllers, due to the addition of connection objects by the KCC

To ensure replication between sites, you must connect them manually by creating site links. Site links represent network connections and allow replication to occur. A single KCC per site generates all connections between sites. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1-12.

You provide information about the replication transport used, the cost of a site link, the times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information. Customizing replication schedules so that replication occurs during specific times, such as when network traffic is light, makes replication more efficient.

As an administrator, you must configure sites and replication to ensure that the most up-to-date information is available to users. Replication and site link configuration are discussed in more detail in Chapter 5, "Configuring Sites and Managing Replication."

Real World Helpful Information

You will find sidebars like this one that contain related information you might find helpful. "Real World" sidebars contain specific information gained through the experience of IT professionals just like you.

Part 2: Prepare for the Exam

Part II helps to familiarize you with the types of questions that you will encounter on the MCP exam. By reviewing the objectives and the sample questions, you can focus on the specific skills that you need to improve before taking the exam.

See Also For a complete list of MCP exams and their related objectives, go to http://www.microsoft.com/traincert/mcp.

Part II is organized by the exam's objectives. Each chapter covers one of the primary groups of objectives, called Objective Domains. Each chapter lists the tested skills you need to master to answer the exam questions and includes a list of further readings to help you improve your ability to perform the tasks or skills specified by the objectives.

Within each Objective Domain, you will find the related objectives that are covered on the exam. Each objective provides you with several practice exam questions. The answers are accompanied by explanations of each correct and incorrect answer.

Note These questions are also available on the Supplemental CD-ROM as a practice test.

Informational Notes

Several types of reader aids appear throughout the training kit.

•       Tip contains methods of performing a task more quickly or in a not-so-obvious way.

•       Important contains information that is essential to completing a task.

•       Note contains supplemental information.

•       Caution contains valuable information about possible loss of data; be sure to read this information carefully.

•       Warning contains critical information about possible physical injury; be sure to read this information carefully.

•       See Also contains references to other sources of information.

•       Planning contains hints and useful information that should help you plan the implementation.

•       Security Alert highlights information you need to know to maximize security in your work environment.

•       Exam Tip flags information you should know before taking the certification exam.

•       Off the Record contains practical advice about the real-world implications of information presented in the lesson.

Notational Conventions

The following conventions are used throughout this book.

•       Characters or commands that you type appear in bold type.

•       Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles.

•       Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a file name in a dialog box or at a command prompt.

•       File name extensions appear in all lowercase.

•       Acronyms appear in all uppercase.

•       Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.

•       Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can choose to type a file name with the command. Type only the information within the brackets, not the brackets themselves.

•       Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.

Keyboard Conventions

•       A plus sign (+) between two key names means that you must press those keys at the same time. For example, "Press ALT+TAB" means that you hold down ALT while you press TAB.

•       A comma ( , ) between two or more key names means that you must press each of the keys consecutively, not together. For example, "Press ALT, F, X" means that you press and release each key in sequence. "Press ALT+W, L" means that you first press ALT and W at the same time, and then release them and press L.

Analyzing Technical Constraints that Affect Security Design

The security designer must analyze the situation and understand the limitations imposed by factors such as legacy infrastructure, currently installed software, and the interoperability requirements. If she does not, she will not produce a workable design and may even promote one that reduces, instead of increases, security on the network.

After this lesson, you will be able to

•      Identify capabilities of legacy infrastructure and integrate them into the design.

•      Identify technology limitations.

•      Analyze interoperability constraints.

Estimated lesson time: 30 minutes

Guidelines for Integrating Legacy Infrastructure in Security Designs

Very few security designers get to pick and choose hardware, operating system software, security devices, and processes from scratch. Instead, they must make sure that security designs consider legacy computers, operating systems, network devices, or other infrastructure components. These considerations are often a large part of security design work. This section describes what a legacy system is and then provides guidelines for integrating legacy infrastructure in security designs.

What Is a Legacy System?

A legacy system is any infrastructure component such as hardware, operating system software, network device, or application that is technically out of date. Often legacy systems cannot be replaced either because they still provide a service, they provide a service that cannot be provided by another system, funds do not exist to bring them up to date, or there is no compelling reason to bring them up to date. Legacy systems can be old technologies that preceded recent versions of the software or operating system—for example, older versions of Windows or a version of an application that is no longer supported. Many capabilities and constraints introduced by non-Windows systems are discussed in the "Guidelines for Analyzing Interoperability Constraints" section later in this lesson.

Integration Guidelines

To successfully integrate legacy systems into your security design, you must recognize their capabilities and then work within those constraints. Use these guidelines to integrate legacy systems into security designs:

•      Do not compromise the security of these systems.    The security of these systems must not be compromised when you add new systems. For example, when Linux or Windows operating systems are run on mainframe systems, care should be taken to make sure that security on the mainframe is not reduced. Adding new software adds new vulnerabilities, which must be mitigated. Another example is that adding new applications might require opening new ports on a firewall, ports that might be used to attack legacy systems.

•      Recognize that the accommodation of legacy system capabilities could mean full compliance with security policy and directives might not be accomplished.    For example, if a system is not capable of using 10-character passwords, you cannot fulfill that criterion of a security policy or design.

•       Increase the security of legacy systems by incorporating, wherever possible, any changes that can make them more secure.    Upgrades or the installation of new utilities might provide this extra security.

Note    When can legacy systems be eliminated because of security concerns? It is not up to the designer to determine the end of the life cycle for legacy systems, but the designer can report the inability to fulfill mandated security policy because of the limitations of these systems and recommend a solution. Management must then make the decision about when and where legacy systems should be eliminated. The designer can also recommend legacy system placement or use so as to mitigate the risk of its use.

Each legacy system difference must be examined to determine where these systems will either cause a change in the configuration of Windows Server 2003 (and possibly reduce the level of security), require an alternative security solution, require an upgrade to services, or require removal of the legacy system before security policy can be met. The security designer's goal is, as always, to provide the best, most secure solution while being mindful of the constraints and the need to support business requirements.

How a Legacy System Can Be Integrated into a Security Design

An example of a legacy system issue is LAN Manager (LM) authentication. Windows 98 systems cannot natively use Windows NT LAN Manager (NTLM) for authentication; instead they use its predecessor, LM. Windows Server 2003 systems eliminate, by default, the use of LM. The security design decision might then be to reconfigure Windows Server 2003 to allow the use of LM, or to install the Active Directory directory service client on Windows 98 systems and configure them to use NTLM.

If the design decision is based only on immediate financial cost, the choice will be to allow the use of LM, which will greatly reduce the security of the forest. It will take money, in the form of administrative time, to implement the client and configure the systems. However, this will result in better security. The necessary configuration can be automated, which will reduce its cost. The benefits of maintaining security are sometimes difficult to quantify, but in this case, there are many ways the security team can make the point. One way would be by using cracking tools on a test system that uses LM and on one that does not. Doing this would show how quickly the LM database passwords can be cracked in comparison to those on the system where LM is not used. Care should be taken to make sure this test, which takes very little time to set up, is done on a test system and that no real passwords are exposed.

Considerations for Identifying Technology Limitations

Every system has its technology limitations—factors that restrict what can and cannot be done. When these limitations affect a security operation, the security design must account for them. To identify technology limitations, you must consider:

•       Existing hardware limitations.    If an operating system upgrade is required, can the existing hardware meet the minimum requirements of the proposed operating system? Will security services put additional demands on the hardware? Can the hardware be upgraded or replaced?

•       Existing operating system limitations.    If the operating system cannot be upgraded, what part of the security policy or security design cannot be met?

•       Existing software constraints.    Does existing application software impose requirements, such as administrative access, to run, or require that specific hardware be installed?

•       Existing legal requirements such as FIPS.    The Federal Information Processing Standard (FIPS) is mandated for some U.S. government operations. This standard specifies cryptographic algorithms and other security-related processing functions. Meeting these standards might require special software, certain cryptographic algorithms, and security devices such as Fortezza cards.