
Page 1: Security Authorization Strategy

Security Authorization Strategy

User and Group Usage

October 1st. 2009 Eguibar Information Technology S.L. © 2015 1

Page 2: Security Authorization Strategy

Table of Contents

1. IT Business Requirements

2. Groups Usage Definition

3. Groups Usage Implementation

4. Policy Best Practices

5. Group Strategy based on IT Delegation Model

6. Microsoft Recommended Best Practices

7. Example


Page 3: Security Authorization Strategy

IT Business Requirements


Page 4: Security Authorization Strategy

IT Business Requirements

• Simplify the security assignment to the end user.

• Reduce overall time for authorization management.

• Authorizations have to be removed when a user changes departments.

• Authorizations during “temporary leave” have to be considered.

• Record each user access in the corresponding company DB.

• Prepare the environment for data privacy (including compliance).

• Allow consistent Security Audits on the environment.

• Perform a regular Risk and Health Assessment Program for Active Directory (ADRAP) to identify and mitigate risks regarding infrastructure, policies, security, procedures, capacity, etc.

• Provide the AD with IT Management Organizational data.

• Facilitate the implementation of external management tools.


Page 5: Security Authorization Strategy

Groups Usage Definition


Page 6: Security Authorization Strategy

Groups Usage Definition

Object | Description | Usage
-------|-------------|------
User | Representation of a person. Identity within the directory. | Can have a direct ACL but not recommended. An exception is the Home Folder.
Global Group | Group of users with a common interest. | Intended to group Users and/or other Global Groups. Can have a direct ACL but not recommended. Tool to provide Active Directory with the Business Organization.
Local Group | Group which controls access to a given resource. A Local Group is within the server; a Domain Local Group is within Active Directory. | For each type of access, these groups control who has granted/denied access. These groups have a direct ACL. These groups can have users, but it is not recommended.
ACL | Access Control List. | List of objects (recommended to be Local Groups) with granted or denied access to a certain resource.
Resource | Any piece of information whose access has to be controlled. | A resource can be an application, a file, a folder, a printer, etc. Any electronic information subject to access control is considered a resource.
Universal Group | A Group of Groups with the widest scope (all infrastructure scope). | Also known as a Cross-Domain group; recommended for collaboration between domains and should only contain Global Groups. Can have a direct ACL and individual users, but not recommended.


Page 7: Security Authorization Strategy

Groups Usage Implementation


Page 8: Security Authorization Strategy

Groups Usage Implementation (1/3)

http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

a) Do not assign ACL to individual users. The ONLY valid exception is the Home Folder.

b) Users are members ONLY of Global Groups (avoid adding users to Local Groups, Domain Local Groups or Universal Groups).

c) Global Groups can be nested within other Global Groups (also Universal Groups).


Page 9: Security Authorization Strategy

Groups Usage Implementation (2/3)

http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

d) Global Groups (or Universal Groups) are members (nested) within Local Groups and/or Domain Local Groups.

e) Local Groups are granted the Access Control List (ACL) entries on the corresponding resource. Create an individual Local Group per ACL level if different access levels are needed (Read Access, Change Access, Full Control Access…).


Page 10: Security Authorization Strategy

Groups Usage Implementation (3/3)

http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

a) No direct permission to user.

b) Users as members of Global Groups

c) Global Groups nested into Global Groups (or Universal Groups).

d) Global Groups (or Universal) nested within Local Groups / Domain Local Groups.

e) Local Groups granted ACL to the corresponding resource.
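The five steps above, carried through for one departmental share as an added PowerShell example (this is not code from the slides or from Eguibar; it assumes the RSAT ActiveDirectory module, and the OU path, department name, share path and sample accounts are placeholders to replace). Domain Local Groups are used for the resource side; a server-local group would be nested and granted the ACE in the same way.

```powershell
# Added example, not from the slides: provisions the a)-e) chain for one share.
Import-Module ActiveDirectory

$groupOu     = 'OU=Groups,DC=example,DC=local'   # assumption: placeholder OU for groups
$department  = 'Finance'                         # assumption: sample department
$sharePath   = '\\fileserver01\Finance'          # assumption: placeholder resource (share)
$sampleUsers = @('jdoe', 'asmith')               # constructed sample accounts
$netbios     = (Get-ADDomain).NetBIOSName

# Step e) naming: one Domain Local Group per access level, each carrying exactly one ACE.
$accessLevels = [ordered]@{
    'R'  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'RW' = [System.Security.AccessControl.FileSystemRights]::Modify
    'F'  = [System.Security.AccessControl.FileSystemRights]::FullControl
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Description)
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $groupOu
    if (-not $existing) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
            -Path $groupOu -Description $Description
    }
}

# Step b): users are members only of the department's Global Group.
$ggName = "GG_$department"
New-GroupIfMissing -Name $ggName -Scope Global -Description "Members of $department"
Add-ADGroupMember -Identity $ggName -Members $sampleUsers

# Step e): every ACE on the resource names a Domain Local Group, never a user (step a).
$acl = Get-Acl -Path $sharePath
foreach ($level in $accessLevels.Keys) {
    $dlName = "DL_${department}_$level"
    New-GroupIfMissing -Name $dlName -Scope DomainLocal -Description "$level access to $sharePath"

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        "$netbios\$dlName", $accessLevels[$level], 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Step d): the Global Group is nested in the Domain Local Group matching the access the
# department needs (here Modify). Changing the level later means re-nesting, not touching ACLs.
Add-ADGroupMember -Identity "DL_${department}_RW" -Members $ggName
```

Because the ACL is written once per Domain Local Group and never edited afterwards, granting or revoking access (a department change, a temporary leave) becomes a group-membership change that is visible in the directory and auditable, which is what the IT Business Requirements ask for.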


Page 11: Security Authorization Strategy

Policy Best Practices


Page 12: Security Authorization Strategy

Policy Best Practices

It is recommended to create a policy stating the Business Delegation rules concerning IT systems and Infrastructure.

• The policy should be flexible enough to accommodate all business units.

• The policy should provide enough business organization to the IT systems implemented.

• Avoid reproducing the company organization chart in the directory. Instead, reproduce the functional organization.

• The policy must follow manufacturer best practices as well as standard security practices from the design and governance point of view.

• The policy should be technology agnostic and should focus on the functional organization.

• The policy is the input information for any related external provider.


Page 13: Security Authorization Strategy

Group Strategy based on IT Delegation Model


Page 14: Security Authorization Strategy

Group Strategy based on IT Delegation Model


Page 15: Security Authorization Strategy

Microsoft Recommended Best Practices


Page 16: Security Authorization Strategy

Microsoft Recommended Best Practices (1/2)

Security is a must nowadays, and should always start from the governance of the systems.

• It is recommended to create a policy regarding data compliance within the organization.

• The policy should be flexible enough to accommodate all business needs, but strict enough to avoid security leaks.

• Create data security categories and enforce their usage.

• Confidential data (around 5% of total data); Private data (15% of total data); Common data (60% of total data) and Public data (20% of total data).

• Grant and revoke access based on the Administration Delegation Model and the given category.

• Avoid mixing data of different security levels.

• Create Delegated Areas (Shares or Sub-Folders) based on access category and not by common or parent area.

• Prepare data for security auditing and data compliance.


Page 17: Security Authorization Strategy

Microsoft Recommended Best Practices (2/2)

• Create Global Groups for each Department.

• Create Global Groups for each Project.

• Assign users to the corresponding Global Groups.

• If the required authorization can’t be covered by the above Global Groups, it is necessary to create Sub-Groups.

• If security categories are required (e.g. Confidential Data), create separate shares and separate groupings.

• Use Universal Groups to group different areas (or Global Groups) and/or to cross boundaries (e.g. a different forest).

• Implement a best practices process (as shown in the result of the Microsoft® Risk and Health Assessment Program for Active Directory – ADRAP).


Page 18: Security Authorization Strategy

Example


Page 19: Security Authorization Strategy

Example
