Educause Security Discussion mailing list archives
Re: Windows Domain Controllers: Risks involved
From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 13 Mar 2009 14:17:06 -0500
Hi-

These are good questions - see my notes inline. Let me know if you have any questions.

Thanks,
Brian Desmond
brian () briandesmond com
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Marmina Abdel Malek
Sent: Friday, March 13, 2009 5:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Windows Domain Controllers: Risks involved

Dear All,

I'm assessing the idea of implementing a campus-wide domain controller to include faculty and staff computers, as well as student lab computers. I understand all the advantages of centralized management of all the campus computers, but I have some concerns that I would like to know how you reacted to them:

- Domain admins can access the files of any computer in the domain. How do you ensure the confidentiality and privacy of users and data?

[Brian Desmond] This is a trust thing. I recommend to every customer, both commercial and edu, that they keep the number of domain admins to <5 or so for their entire AD. This is very doable even in commercial orgs with 250K employees - I've done it many times. You can modify your image not to have Domain Admins in the local Administrators group on every machine - this is just a default. I have worked with customers where they've changed this and it works fine. A determined domain admin can re-add themselves. For machines you're really concerned about, set up some log collection or monitoring. These group add events are audited in Windows (as is turning the auditing off).

- In your implementations, do you include the computers of the top management?

[Brian Desmond] All the higher-ed customers I've done AD with do.

- Do you give faculty and staff high-level access to install applications, or do installation requests have to be channeled to the domain admins?

[Brian Desmond] I work really hard to prevent this. I also tend to see that the folks who run AD (your domain admins) are not the same folks doing desktop support. The AppLocker feature in Windows 7 actually looks really promising in this space. You may want to take a look at the datasheets/text on Microsoft's site for it.

- Are there any tips, recommendations, or lessons learned on implementing a campus-wide domain controller?

[Brian Desmond] You'll want more than one DC, at least two. I don't know how big your campus is in terms of users/computers and applications which will leverage AD. You'll also probably need to fight the political battles over the number of domains and number of DCs. Bottom line, as far as domains go, you should be aiming for one domain total. There are /very/ few reasons anymore to have more than one domain. You should also aim to limit what privileges are delegated out from the first day so it's manageable. The most common problem I see with campus Active Directory implementations is that everyone has rights to make group policies, and before you know it you have 1000 workstations and 500 Group Policy objects and, more importantly, nobody knows who owns most of those policies or what they do. If you have Software Assurance on Vista licenses, you can get the AGPM (Advanced Group Policy Management) stuff from the MDOP (Microsoft Desktop Optimization Pack), which can /really/ help in this space.

Best Regards,
Marmina Abdel-Malek
IT Security Officer
The American University in Cairo
Tel: +202-2615-3561
Fax: +202-2795-6746
Email: marmina () aucegypt edu
web: www.aucegypt.edu
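As an added example (not code from the thread or from either poster), this is the kind of check the reply recommends for machines you care about: it flags a member being added to a workstation's local Administrators group, calls out the Domain Admins group being re-added after the image change, and flags the two events that show auditing itself was turned off or wiped. The event IDs are the Vista/Server 2008-era Security log IDs; the event records and the domain SID prefix are constructed samples.

```python
# Added example, not from the thread: detect the audited changes the reply
# describes. Sample records below are constructed, not real log data.
from dataclasses import dataclass

# Windows Security log event IDs (Vista / Server 2008 and later)
MEMBER_ADDED_TO_LOCAL_GROUP = 4732   # "A member was added to a security-enabled local group"
AUDIT_POLICY_CHANGED = 4719          # "System audit policy was changed"
AUDIT_LOG_CLEARED = 1102             # "The audit log was cleared"
DOMAIN_ADMINS_RID = "-512"           # well-known RID of the Domain Admins group

@dataclass
class SecurityEvent:
    event_id: int
    computer: str            # workstation that logged the event
    subject: str             # account that performed the action (SubjectUserName)
    target_group: str = ""   # group modified, 4732 TargetUserName field
    member_sid: str = ""     # SID of the added member, 4732 MemberSid field

def classify(ev: SecurityEvent) -> list[str]:
    """Return alert strings for one event; empty list if nothing of interest."""
    alerts = []
    if ev.event_id == MEMBER_ADDED_TO_LOCAL_GROUP and ev.target_group.lower() == "administrators":
        if ev.member_sid.endswith(DOMAIN_ADMINS_RID):
            alerts.append(f"{ev.computer}: Domain Admins re-added to local Administrators by {ev.subject}")
        else:
            alerts.append(f"{ev.computer}: local Administrators changed by {ev.subject} ({ev.member_sid})")
    elif ev.event_id == AUDIT_POLICY_CHANGED:
        alerts.append(f"{ev.computer}: audit policy changed by {ev.subject}")
    elif ev.event_id == AUDIT_LOG_CLEARED:
        alerts.append(f"{ev.computer}: security log cleared by {ev.subject}")
    return alerts

def scan(events: list[SecurityEvent]) -> list[str]:
    """Run classify() over a batch of collected events."""
    return [alert for ev in events for alert in classify(ev)]

# Constructed sample: an ordinary logon, the Domain Admins group put back into
# Administrators on a lab PC, a harmless group change, then auditing tampered with.
SAMPLE_EVENTS = [
    SecurityEvent(4624, "LAB-PC-01", "CAMPUS\\jdoe"),
    SecurityEvent(4732, "LAB-PC-01", "CAMPUS\\admin1", "Administrators", "S-1-5-21-1111-2222-3333-512"),
    SecurityEvent(4732, "DEAN-PC", "CAMPUS\\helpdesk", "Remote Desktop Users", "S-1-5-21-1111-2222-3333-1105"),
    SecurityEvent(4719, "DEAN-PC", "CAMPUS\\admin1"),
    SecurityEvent(1102, "DEAN-PC", "CAMPUS\\admin1"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```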