Summary

In this chapter, you learned some of the methods that you can utilize in order to design an access control strategy for a multitude of resources that are made available via a Windows network. You were reintroduced to some old concepts such as ACLs and ACEs. You learned about the different types of Active Directory object permissions and the best techniques to use when assigning them. The best practices for group design, at the forest and domain levels, is another topic that was included in this chapter.

Later in the chapter, you learned about the importance of delegation and how it can be used to better design a secure management environment. We also showed the best practices as they pertain to the file, folder, and share permissions as well as how permissions can work together in order to provide for a more secure remote and local data repository. To protect the data that may be stored on a laptop or some other computer that cannot be physically secured, you can encrypt the files on the disk using the Encrypting File System (EFS). When EFS is properly configured, it can prevent an unauthorized individual from being able to read the files, even with physical access to the hard drive, by requiring the appropriate information to decrypt the files.

To better secure your organization, it is important to see how the different resources are being accessed. Should you enable auditing, on by default on Windows Server 2003 domain controllers, you can better protect your resources because you will be able to see the difference between regular traffic and special, abnormal traffic.

Finally, we explained the importance of a secure backup and recovery strategy to assure the security of the data that is on disk as well as the data that is on the removable media (for example, a tape device).