Educause Security Discussion mailing list archives

Re: Windows Domain Controllers: Risks involved


From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 13 Mar 2009 14:17:06 -0500

Hi-

These are good questions - see my notes inline.

Let me know if you have any questions.

Thanks,

Brian Desmond
brian () briandesmond com
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marmina Abdel Malek
Sent: Friday, March 13, 2009 5:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Domain Controllers: Risks involved



Dear All,

I'm assessing the idea of implementing a campus-wide domain controller to
include faculty and staff computers, as well as student lab computers.



I understand all the advantages of centralized management of all the campus
computers, but I have some concerns, and I would like to know how you
reacted to them:



- Domain admins can access the files of any computer in the domain. How do
you ensure the confidentiality and privacy of users and data?

[Brian Desmond] This is a trust thing. I recommend to every customer, both
commercial and edu, that they keep the number of domain admins at <5 or so for
their entire AD. This is very doable even in commercial orgs with 250K
employees - I've done it many times. You can modify your image not to have
Domain Admins in the local Administrators group on every machine - this is
just a default. I have worked with customers where they've changed this and
it works fine. A determined domain admin can re-add themselves. For machines
you're really concerned about, set up some log collection or monitoring. These
group add events are audited in Windows (as is turning the auditing off).



- In your implementations, do you include the computers of the top
management?

[Brian Desmond] All the higher-ed customers I've done AD with do.



- Do you give faculty and staff high-level access to install applications,
or do installation requests have to be channeled to the domain admins?

[Brian Desmond] I work really hard to prevent this. I also tend to see that
the folks who run AD (your domain admins) are not the same folks doing
desktop support. The AppLocker feature in Windows 7 actually looks really
promising in this space. You may want to take a look at the datasheets/text
on Microsoft's site for it.



- Are there any tips, recommendations, or lessons learned on implementing a
campus-wide domain controller?

[Brian Desmond] You'll want more than one DC, at least two. I don't know how
big your campus is in terms of users/computers and applications which will
leverage AD. You'll also probably need to fight the political battles over
the number of domains and number of DCs. Bottom line, as far as domains go, you
should be aiming for one domain total. There are /very/ few reasons anymore
to have more than one domain. You should also aim to limit what privileges
are delegated out from the first day so it's manageable. The most common
problem I see with campus Active Directory implementations is that everyone
has rights to make group policies, and before you know it you have 1000
workstations and 500 Group Policy objects and, more importantly, nobody knows
who owns most of those policies or what they do. If you have Software
Assurance on Vista licenses, you can get the AGPM (Advanced Group Policy
Management) stuff from the MDOP (Microsoft Desktop Optimization Pack), which
can /really/ help in this space.


Best Regards,
Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel : +202-2615-3561
Fax: +202-2795-6746
Email: marmina () aucegypt edu
web: www.aucegypt.edu
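
The following is an added PowerShell example, not code from the thread or from either poster. It turns two of Brian's points into something you can run: Windows audits a member being added to the local Administrators group (Security event 4732 on Vista / Server 2008 and later) and the audit policy being changed or switched off (Security event 4719), so a collector can flag both, and in particular flag the case he warns about, a domain admin re-adding Domain Admins (RID 512) after the image removed it. A second function checks whether Domain Admins is still in local Administrators. The event records, the host name, the domain name CAMPUS and the SIDs are constructed sample data, not captures from any real system.

```powershell
# Added example (not code from this thread). Flags the two audited actions
# Brian mentions -- a member added to the local Administrators group
# (Security event 4732) and the audit policy changed or turned off
# (Security event 4719) -- and checks whether Domain Admins is still in
# local Administrators. The event records, host name, domain name CAMPUS
# and SIDs below are constructed sample data, not real captures.

function Get-EventDataValue {
    # Pull one named <Data> field out of a Security event's XML.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-PrivilegedGroupChange {
    # Emit one finding per event worth a look; everything else (4624 logons
    # and the like) passes through silently.
    param([string[]]$EventXmlRecords, [string]$WatchedGroup = 'Administrators')
    foreach ($record in $EventXmlRecords) {
        $x  = [xml]$record
        $id = [int]$x.Event.System.EventID
        if ($id -eq 4732) {
            $group = Get-EventDataValue $x 'TargetUserName'
            if ($group -eq $WatchedGroup) {
                $sid = Get-EventDataValue $x 'MemberSid'
                # RID 512 is Domain Admins in every domain: this is the
                # "determined domain admin re-adds themselves" case.
                $severity = if ($sid -match '-512$') { 'High' } else { 'Medium' }
                [pscustomobject]@{
                    EventId  = $id
                    Severity = $severity
                    Computer = $x.Event.System.Computer
                    Actor    = Get-EventDataValue $x 'SubjectUserName'
                    Detail   = "member $sid added to local $group"
                }
            }
        }
        elseif ($id -eq 4719) {
            [pscustomobject]@{
                EventId  = $id
                Severity = 'High'
                Computer = $x.Event.System.Computer
                Actor    = Get-EventDataValue $x 'SubjectUserName'
                Detail   = 'audit policy changed: ' + (Get-EventDataValue $x 'AuditPolicyChanges')
            }
        }
    }
}

function Test-DomainAdminsInLocalAdmins {
    # $true when Domain Admins is still in the local Administrators group,
    # i.e. the image was left at the Windows default Brian describes.
    param([string[]]$MemberNames)
    [bool]($MemberNames | Where-Object { $_ -match '\\Domain Admins$' })
}

# Constructed sample events, trimmed to the fields the functions read.
$reAddDomainAdmins = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><Computer>LAB-PC-017.campus.example</Computer></System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1111111111-2222222222-3333333333-512</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="SubjectUserName">jdoe</Data>
  </EventData>
</Event>
'@
$auditTurnedOff = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID><Computer>LAB-PC-017.campus.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="AuditPolicyChanges">%%8448</Data>
  </EventData>
</Event>
'@
$ordinaryLogon = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>LAB-PC-017.campus.example</Computer></System>
  <EventData><Data Name="TargetUserName">student42</Data></EventData>
</Event>
'@

# Two findings come out (the 4732 re-add rated High, the 4719 rated High);
# the 4624 logon is ignored.
Find-PrivilegedGroupChange -EventXmlRecords @($reAddDomainAdmins, $auditTurnedOff, $ordinaryLogon) |
    Format-Table -AutoSize

# Constructed membership list: returns $true because Domain Admins is present.
Test-DomainAdminsInLocalAdmins -MemberNames @('LAB-PC-017\Administrator', 'CAMPUS\Domain Admins')
```

On a live workstation the same functions take real input: feed `Find-PrivilegedGroupChange` the output of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732,4719} | ForEach-Object { $_.ToXml() }` (reading the Security log needs an elevated session), and feed `Test-DomainAdminsInLocalAdmins` the output of `(Get-LocalGroupMember -Group Administrators).Name` (Windows 10 / Server 2016 and later). The severity split on RID 512 is the example's own choice; a SIEM rule would normally also match the Domain Admins SID of your specific domain rather than the RID suffix alone.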

