Securing Active Directory Administrative Groups and Accounts

  • 7/30/2019 Securing Active Directory Administrative Groups and Accounts

    On This Page

    Introduction
    Before You Begin
    Creating a New User Account with Domain Admins Credentials
    Protecting the Administrator Account
    Securing the Guest Account
    Strengthening Security on Service Administration Accounts and Groups
    Establishing Best Practices for Use of Administrative Accounts and Groups
    Related Information

    Introduction

    An important part of securing your network is managing the users and groups that have administrative access to the Active Directory directory service. Malicious individuals who obtain administrative access to Active Directory domain controllers can breach the security of your network. These individuals might be unauthorized users who have obtained administrative passwords, or they might be legitimate administrators who are coerced or disgruntled. Furthermore, not all problems are caused with malicious intent. A user who is granted administrative access might also inadvertently cause problems by failing to understand the ramifications of configuration changes. For these reasons, it is important to carefully manage the users and groups that have administrative control over domain controllers.

    The default Microsoft Windows Server 2003 security settings are sufficient to secure Active Directory accounts against many types of threats. However, some default settings for administrative accounts can be strengthened to enhance the level of security of your network.

    This guide contains step-by-step instructions that show you how to:

    • Create a new user account with Domain Admins credentials
    • Protect the default Administrator account
    • Secure the Guest account
    • Strengthen security on service administration accounts and groups
    • Establish best practices for use of administrative accounts and groups.

    Use the best practices described in this guide as you manage your network. This will help reduce the risk of unauthorized users gaining administrative access to Active Directory, and maliciously or accidentally damaging your organization by copying or deleting confidential data or by disabling your network.

    IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

    Before You Begin

    Before using this guide to secure your administrative groups and accounts, first complete the tasks in "Securing Windows Server 2003 Domain Controllers" in the Security Guidance Kit.

    In order to complete the procedures provided in this guide, you must know the name and password of the built-in administrator account, or the name and password of an account that is a member of the built-in Administrators group on your domain controllers. Determine which server (or servers) on your network are running as domain controllers. A domain controller is a server running Windows Server 2003 on which Active Directory is installed.

    Before you begin, you must understand these administrative accounts and groups and how administrative responsibility is shared by service administrators and data administrators. To view and manage Active Directory accounts and groups, click Start, then select Administrative Tools, and then click Active Directory Users and Computers.

    Understanding Administrative Accounts and Groups

    Administrative accounts in an Active Directory domain include:

    • The Administrator account, which is created when Active Directory is installed on the first domain controller in the domain. This is the most powerful account in the domain. The person who installs Active Directory on the computer creates the password for this account during installation.
    • Any accounts that you later create and either place in a group that has administrative privileges or directly assign administrative privileges.

    Administrative groups in an Active Directory domain vary depending on the services that you have installed in your domain. Those used specifically for administering Active Directory include:

    • Administrative groups that are automatically created in the Builtin container.
    • Administrative groups that are automatically created in the Users container.
    • Any groups that you later create and either place in another group that has administrative privileges or directly assign administrative privileges.
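
    The last item in each list above means that administrative privilege can be inherited through nested groups. The following Python example, added here and not taken from the original guide, resolves every account that effectively holds the privileges of a group, using a constructed membership export. The groups IT Operations and Helpdesk Tier2 and all account names other than Administrator are hypothetical.

```python
from collections import deque

# Constructed sample export: group name -> direct members.
# "IT Operations", "Helpdesk Tier2" and the user names are hypothetical.
# Every group, including empty ones, must appear as a key so that it is
# recognised as a group rather than an account.
MEMBERS = {
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
    "Domain Admins": ["Administrator", "jsmith-adm", "IT Operations"],
    "Enterprise Admins": ["Administrator"],
    "IT Operations": ["mlee", "Helpdesk Tier2"],
    "Helpdesk Tier2": ["tnguyen", "IT Operations"],  # circular nesting
}

def effective_members(root, members=MEMBERS):
    """Return {account: nesting path} for every account that holds the
    privileges of `root`, either directly or through nested groups."""
    paths = {}
    seen = {root}                      # groups already queued (breaks cycles)
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in members.get(group, []):
            if member in members:      # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in paths:  # account: BFS keeps the shortest path
                paths[member] = path
    return paths

def indirect_admins(root, members=MEMBERS):
    """Accounts that reach `root` only through at least one nested group."""
    return {a: p for a, p in effective_members(root, members).items()
            if len(p) > 1}

if __name__ == "__main__":
    for account, path in sorted(effective_members("Administrators").items()):
        print(f"{account:14} via {' > '.join(path)}")
```

    Accounts returned by indirect_admins do not appear when you open the Administrators group itself, so they are the ones most easily missed in a review.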

    Understanding Service Administrators and Data Administrators

    For Active Directory in Windows Server 2003, there are two types of administrative responsibility. Service administrators are responsible for maintaining and delivering the directory service, including domain controller management and directory service configuration. Data administrators are responsible for maintaining the data that is stored in the directory service and on domain member servers and workstations.

    In a small organization, these two roles might be performed by the same person, but it is important to understand which default accounts and groups are service administrators. Service administration accounts and groups have the most widespread power in your network environment and require the most protection. They are responsible for directory-wide settings, installation and maintenance of software, and application of operating system service packs and updates on domain controllers.

    The following table lists the default groups and accounts that are used for service administration, their default locations, and a brief description of each. Groups in the Builtin container cannot be moved to another location.

    Default Service Administrator Groups and Accounts

    Group or Account Name | Default Location | Description
    ----------------------|------------------|------------
    Enterprise Admins | Users container | This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers.
    Schema Admins | Users container | This group has full administrative access to the Active Directory schema.
    Administrators | Builtin container | This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service administrative group.
    Domain Admins | Users container | This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and it can modify the membership of all administrative accounts in the domain.
    Server Operators | Builtin container | By default, this built-in group has no members. It can perform maintenance tasks, such as backup and restore, on domain controllers.
    Account Operators | Builtin container | By default, this built-in group has no members. It can create and