Notes to prepare for Active Directory Certification (70-294), Part VIII

8. Administering Active Directory Security with Group Policy
**********************
The foundations of Active Directory security are security groups, access control, and delegation of control.

Delegation of control is implemented by using the Delegation of Control Wizard to automate and simplify the process of setting administrative permissions for a domain, OU, or container.
**********************
Active Directory Security Provided by Group Policy

There are three areas within Group Policy that handle Active Directory Security. They are security settings, auditing and security logging, and security configuration and analysis.
**********************

Security Settings

The following security areas are configurable for a nonlocal GPO from the Security Settings extension of the Group Policy Object Editor console:
Account Policies
Local Policies
Event Log
Restricted Groups
System Services
Registry
File System
Wireless Network (IEEE 802.11) Policies
Public Key Policies
(A public key infrastructure (PKI) is a system of laws, policies, standards, and software that verifies and authenticates the validity of each party involved in an electronic transaction.)
Software Restriction Policies
IP Security Policies

Auditing and Security Logging
**********************
Auditing in Windows Server 2003 is the process of tracking both user activities and system activities, called events, on a computer.
**********************
Security Configuration and Analysis

The Security Configuration and Analysis feature offers the ability to compare the security settings of a computer to a security template, view the results, and resolve any discrepancies revealed by the analysis.
**********************
Implementing Software Restriction Policies

Software restriction policies have two default security levels: Unrestricted and Disallowed.
**********************
Audit Policy

You determine the events you want to audit by setting up an audit policy in a GPO.

You set the Audit Policy settings in the Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy extension in a GPO.

Auditing is turned off by default.
**********************
The Security Log

You use the Event Viewer console to view information contained in Windows Server 2003 logs.
By default, there are three logs available to view in the Event Viewer console:
The application log
The system log
The security log

Security logging is turned off by default. To enable security logging, you must set up an audit policy in a GPO at the appropriate level.
**********************
Security Templates

Security templates are text files that contain numerous policy settings pertaining to computer security within the Security Settings namespace of a Group Policy Object (GPO).

Predefined Security Templates

Each security policy template has a default set of categories:
Account Policy: three subcategories: Password Policy, Account Lockout Policy, and Kerberos Policy (settings for Ticket Granting Tickets (TGTs) and Service Tickets (STs))
**********************
Local Policy: three subcategories: Audit Policy, User Rights Assignment, and Security Options

Event Log
Restricted Groups
System Services
Registry
File System, which defines the discretionary access control list (DACL) and the system access control list (SACL)
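As an added example that is not part of these notes or of Microsoft's tools, the Python script below parses a constructed .inf security template (using the real section and key names secedit uses for Account Policy, Kerberos Policy and Audit Policy settings; the values are invented) and compares it with a constructed snapshot of a computer's current settings, listing the discrepancies the way the Security Configuration and Analysis feature does.

```python
import configparser
# Constructed .inf security template: the section and key names are the real ones
# secedit uses; the values are invented. [Event Audit]: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
TEMPLATE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Kerberos Policy]
MaxTicketAge = 10
[Event Audit]
AuditLogonEvents = 3
AuditDSAccess = 2
"""
# Constructed snapshot of the analysed computer's current settings, same format.
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 0
AuditDSAccess = 2
"""

def parse_template(text):
    """Parse .inf text into {section: {key: value}}, dropping the [Unicode] header."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. MinimumPasswordLength
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "Unicode"}

def analyze(template, current):
    """Return (section, key, expected, actual) for each template setting not matched."""
    findings = []
    for section, settings in template.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key, "Not Defined")
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings

if __name__ == "__main__":
    AUDIT = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}
    for section, key, expected, actual in analyze(parse_template(TEMPLATE_INF), parse_template(CURRENT_INF)):
        if section == "Event Audit":  # show audit codes the way the snap-in does
            expected, actual = AUDIT.get(expected, expected), AUDIT.get(actual, actual)
        print(f"{section:15} {key:22} template={expected:18} computer={actual}")
```

A setting missing from the snapshot is reported as "Not Defined", matching how the snap-in shows a setting the template specifies but the computer does not.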
**********************

Default Security Templates

There are two default security templates in Windows Server 2003: Setup security.inf and DC security.inf.

Setup security.inf can be used on servers and client computers but not on domain controllers.

The DC security.inf template is created when a Windows Server 2003 computer is promoted to a domain controller.

You can reapply the DC security.inf template using the Security Configuration and Analysis snap-in or the Secedit command-line tool.

Backward Compatible Security Templates

The compatws.inf security template is designed to provide backward compatibility with pre-Windows 2000 operating systems such as Windows NT 4.0 and Windows 98.
**********************
Managing Security Templates

In addition to the Security Templates snap-in, Windows Server 2003 provides three other tools that you can use to manage security templates: the Security Configuration and Analysis snap-in, the Group Policy Object Editor, and the SecEdit.exe command-line utility.

You cannot use SecEdit to modify or export a template file.

Enforcing Default Security Settings on New Computers

You can view and modify the group policies of sites, domains, and OUs: use the Active Directory Sites and Services console to access the group policy configuration of a site, and the Active Directory Users and Computers console to access the group policy configuration of a domain or OU.
**********************
Managing Active Directory Performance

Monitoring Performance

By default, there are three logs available to view in Event Viewer: the application log, the security log, and the system log.

If you experience problems with Active Directory, use the directory service log first to locate the causes of the problem.

The file replication service log contains errors, warnings, and information generated by the File Replication Service (FRS).
**********************
System Monitor

System Monitor is a tool that supports detailed monitoring of the use of operating system resources.

Performance objects and Performance Counters

A performance object is a logical collection of performance counters that is associated with a resource or service that can be monitored.

A performance counter is a data item associated with a performance object.

To monitor Active Directory, you monitor the activity of the NT Directory Services (NTDS) performance object.

To monitor FRS, you monitor the activity of the FileReplicaConn and FileReplicaSet performance objects.
**********************
Managing Active Directory Performance from the Command Line

In addition to using the Performance console, you can use the following command-line utilities to monitor and manage Active Directory performance:

The Logman command
The Perfmon command
The Relog command, whose output formats include text-TSV (tab-delimited text) and text-CSV (comma-delimited text)
The Tracerpt command
The Typeperf command
The Lodctr command
The Unlodctr command
**********************
Optimizing and Troubleshooting Active Directory Performance

The directory service log in the Event Viewer console contains basic errors, warnings, and information generated by Active Directory.
**********************
Establishing a Baseline

A baseline is a measurement derived from the collection of data over an extended period during varying workloads and user connections, representing acceptable performance under typical operating conditions.

**********************