Implementing Enterprise Security


If any one thing could be said about Windows Server 2003, it might be that Windows Server 2003 depends on Active Directory through and through. Active Directory permeates every part of an enterprise Windows Server 2003 network and is the conduit through which the network functions efficiently and securely. Although this is not a text on Active Directory design and implementation, nor is it designed to ready you for Exam 70-294, "Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure," you will become acutely aware throughout this chapter how important a good Active Directory design and implementation are to your Windows Server 2003 network security plan.

Because Active Directory is so important to planning and implementing a solid security plan in Windows Server 2003 networks, it is critical that you understand how to organize your Active Directory structure to achieve the best results, both from a security standpoint and from an administrative one. When Windows 2000 was introduced, many network administrators mistakenly believed that the domain was a security boundary. This is simply not the case. The only absolute security boundary is that of the forest itself. In any forest environment, there exist ways for trusted administrators to acquire more privileges than they should have and abuse the power that has been granted to them.

Unfortunately, the reality is that the single forest arrangement with multiple domains is the best overall way to design, implement, and manage the vast majority of Windows Server 2003 networks, including those that you will most likely be working on. With that in mind, you must plan for security from the beginning of your design.

Organizational Units (OUs), sometimes thought of as nothing more than an organizational tool to "clean up" the visual appearance of Active Directory, are actually among your most powerful tools for planning, implementing, and maintaining a secure network environment. OUs offer an easy way to segment users and other security principals, specifically computers in this instance, for the purpose of creating and enforcing administrative boundaries. Nesting OUs within each other, each with its own specific Group Policy Object (GPO), allows you to piece together the overall security solution for your network. Figure 1.1 illustrates this principle.

Figure 1.1. By nesting Organizational Units, you can create segmented and secure networks.
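
The layering described above can be modeled in a few lines. The following is an added example, not code from the book: it merges the GPO linked at each nested OU from the outermost parent inward, so a baseline set high in the tree is inherited and a role-specific OU closer to the computer overrides it on conflict. The OU names, computer names, and setting names are constructed for illustration, and the model assumes default inheritance only (no No Override or Block Policy Inheritance, and no site-, domain-, or local-level policy).

```python
# Added illustration: simplified model of GPOs linked to nested OUs.
# All OU, computer and setting names below are constructed sample data.

# OU name -> (parent OU or None, settings in the GPO linked at that OU)
OUS = {
    "Member Servers": (None, {"AuditLogonEvents": "Success,Failure",
                              "RestrictAnonymous": 1,
                              "TelnetService": "Disabled"}),   # baseline
    "File Servers":   ("Member Servers", {"SpoolerService": "Disabled"}),
    "Web Servers":    ("Member Servers", {"W3SVC": "Automatic",
                                          "SpoolerService": "Disabled"}),
    "Extranet Web":   ("Web Servers", {"RestrictAnonymous": 2}),
}

# Computer account -> OU that contains it
COMPUTERS = {"FS01": "File Servers", "WEB01": "Web Servers",
             "WEB-EXT01": "Extranet Web"}


def ou_path(ou):
    """Return the OU chain from the outermost parent down to `ou`."""
    chain, seen = [], set()
    while ou is not None:
        if ou not in OUS:
            raise KeyError(f"unknown OU: {ou}")
        if ou in seen:
            raise ValueError(f"OU loop detected at: {ou}")
        seen.add(ou)
        chain.append(ou)
        ou = OUS[ou][0]
    return chain[::-1]


def effective_policy(computer):
    """Merge settings parent-first; the OU closest to the computer wins.

    Returns {setting: (value, OU whose GPO supplied the winning value)}.
    """
    result = {}
    for ou in ou_path(COMPUTERS[computer]):
        for name, value in OUS[ou][1].items():
            result[name] = (value, ou)
    return result


if __name__ == "__main__":
    for host in COMPUTERS:
        print(host)
        for name, (value, source) in sorted(effective_policy(host).items()):
            print(f"  {name} = {value}  (from {source})")
```

Recording the source OU beside each value makes it easy to see which layer of the hierarchy is responsible for a given setting when reviewing the design.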

With this brief introduction to the way you might create a layered security solution, let's now move forward and start examining the tools available to you. The first step in implementing role-based security is to implement a baseline configuration. Before you can implement this baseline configuration, however, you must be aware of the default security settings that Windows gives you to start the process. This is the topic of the next section.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
