Auditing Microsoft Active Directory Eric Dugger Network Services

Auditing Microsoft Active Directory Eric Dugger Network Services Manager Nevada Legislature

What is Active Directory A central component of the Windows platform, Active Directory directory service provides the means to manage the identities and relationships that make up network environments. Resources – Computers & Printers Services – E-Mail, Policies, DNS, etc. Users – Accounts and security groups

Primary Items of Importance Business Continuity • Is Active Directory backed up? • Are there multiple Domain Controllers? Security • Who has access to change Active Directory? • What settings in Active Directory affect security? (passwords, etc. ) Policies • What environment is created from AD Polices?

Business Continuity Active Directory Backups – Critical Data • How often? • Where are they stored? see Backing up an Active Directory Server doc Multiple Domain Controllers • Should have the global catalog show where in Sites and Services

Questions

Active Directory Security Who can access Active Directory? What can they change? Is auditing turned on for Active Directory?

Access to Active Directory Boundaries Physical Security Domain Forests & Trusts

Permissions to Change AD Groups of Interest Enterprise Admins Schema Admins Administrators Domain Admins Server Operators Account Operators Backup Operators DS Restore Mode Administrator

Questions

Group Policy in Microsoft Windows Active Directory

What is Active Directory Group Policy? o The Group Policy management solution in Microsoft® Windows Server™ 2003 allows administrators to define configurations for both servers and user machines. Local policy settings can be applied to all machines, and for those that are part of a domain, an administrator can use Group Policy to set policies that apply across a given site, domain, or range of organizational units (OUs) in the Active Directory® directory service. Support for Group Policy is available on machines running Microsoft Windows 2000 Server, Microsoft Windows 2000 Professional, Microsoft Windows® XP Professional, and Windows Server 2003.

Overview o Control Internet Explorer Settings o Control Computer/User Settings o Software Distribution o Windows Updates o Much, Much More…. .

Getting Started o Windows 2003 Active Directory o Group Policy Manager Plug-in

Creating a Policy Create and Link GPO Choose an Organizational Unit

Assigning a Policy Policies Linked Policies Inherited Delegation to this OU of

Defining Internet Explorer o Control the Functionality of IE n n n Plug-Ins Menus Empty Temp Folder o Control the Security of IE n n n Active X. NET Block Sites

Configuring an IE Policy o Define your Zones n n Internet Intranet Trusted Restricted o Define your Settings o Apply Policy to an OU ZONES 1 – Intranet 2 – Trusted 3 – Internet 4 - Restricted

Control User/Computer Settings o Configure the Desktop n Hide icons/menus n Dictate wallpaper o Control Software Installation or Use n Prohibit software from being installed or uninstalled n Prohibit software from being run o Lockdown Administrator Functions n Network or security settings o Configure Windows Firewall

Configure a Desktop Policy

Software Distribution o Automatically Install Software at Logon o Publish Software o Remove Software o Update Software

Configure a Software Install Policy o Install a Software Package on Logon n The software will be installed when the user logs on o Publish a Software Package n The software will be available through “Add/Remove Programs” o Redeploy a Software Package Install Path to MSI File n The package will be redeployed (Update or New Version) o Uninstall a Software Package n The software will be removed

Managing Windows Updates o Create a policy to use the Windows Update Services server n n Assign WSUS Server Assign WSUS Groups o Install and Configure WSUS

Windows System Update Server o Updates for Windows, Office, Exchange Server, and o o o SQL Server, with additional product support over time Automatic download of specific updates Automated actions for updates, determined by administrator approval Ability to determine the applicability of updates before installing them Targeting Reporting

How WSUS Works Downloads selected updates to central update server Release updates to specified groups Report on status of updates

Computer Name Operating System Last Status Computer Group Report

Install Detect only Not Approved Update Name Update Type Release Date Approval

Reporting Computer Name Status Type Update Title Installed Not Needed Failed Updated Needed Unknown. Last

Questions

Tools GPResult Admx Group Policy Manager

True Last Logon http: //www. dovestones. com/products/True_Last_Logon. asp

What AD Policies am I getting? GPRESULT Open a command window Type gpresult

Export Group Policy Settings Adm. X. exe: ADM File Parser Category The ADM File Parser (Adm. X) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (Adm. X) to find changes for the policy settings between different versions of the operating systems. Adm. X is for use only with policies based on administrative templates. Version compatibility The Adm. X. exe tool runs on Windows 2000, Windows Server 2003, and Windows XP Professional. Adm. X. exe also requires the Microsoft. NET Framework 1. 0.

Group Policy Manager

Questions