All network access begins with one thing: a user account. You can grant network access to an individual user account or to a group object that contains multiple accounts; whether it is a user or a group object, anything to which you can assign permissions is called a security principal. You will use security principals on your network to assign permissions to network resources such as file shares and folders, and to assign user rights such as Allow log on locally and Back up files and directories. The total combination of rights and permissions assigned to a user account, together with those assigned to every group the user is a member of, defines what that user can and cannot do when working on the network.
Given the importance of user accounts, it stands to reason that securing the directory that houses your user database should be one of the primary goals of your security design plan. Imagine, for example, that you've been asked to restrict access to a certain file to only your company's Senior Directors. What you're being asked to do is twofold: restrict who has access to the file, and protect the accounts the Senior Directors use to reach it. If a Senior Director's username and password were compromised, an unauthorized user would be able to access this confidential file with all the legitimacy of the real account, and the file permissions alone would do nothing to stop it. It is therefore important to understand the potential risks to the Active Directory database and to design your Active Directory user accounts in a secure fashion. In addition, we'll discuss the use of security countermeasures such as Account and Password policies to keep the Active Directory database safe. We'll also discuss the use of auditing to detect unauthorized user activity and other potential security incidents.
We'll close this chapter with a discussion of some best practices for assigning user permissions to network resources and data. From your readings in preparing for the MCSE Core Four exams, you should be familiar with the acronym AGDLP (Accounts, Global groups, Domain Local groups, Permissions), which describes the recommended way to assign permissions to a resource. In AGDLP, user accounts are added to global groups, and those global groups are added to domain local groups. Permissions or user rights are then assigned only to the domain local group, never directly to individual accounts or to the global groups. In preparation for the 70-298 exam, we'll look at some scenarios in which you'll determine how to create a group structure that lets you assign permissions and rights in a secure, efficient manner.
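The following is an added example, not part of the original chapter, that walks the Senior Directors scenario above through AGDLP using the ActiveDirectory PowerShell module (which is not covered by the 70-298 material itself). The domain name, OU path, folder path, group names and account names are all assumptions chosen for illustration.

```powershell
# Added example: AGDLP applied to the "Senior Directors" file-access scenario.
# Every name below (domain, OU, folder, groups, accounts) is an assumption.
Import-Module ActiveDirectory

$ou      = "OU=Groups,DC=corp,DC=example,DC=com"   # assumed OU for groups
$folder  = "D:\Shares\Finance\BoardReports"         # assumed folder to protect
$members = @("jsmith", "ajones")                    # assumed Senior Director accounts

# A -> G: the Global group names a ROLE (who the people are), so it is the
# only place where individual accounts are ever added or removed.
New-ADGroup -Name "Senior Directors" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "Senior Directors" -Members $members

# DL: the Domain Local group names a RESOURCE and an ACCESS LEVEL. Its name
# tells an auditor exactly what membership grants without opening the ACL.
New-ADGroup -Name "ACL_BoardReports_Read" -GroupScope DomainLocal -GroupCategory Security -Path $ou

# G -> DL: nest the role into the resource group. Granting the same role
# access to another resource is one more nesting, never another ACL entry per user.
Add-ADGroupMember -Identity "ACL_BoardReports_Read" -Members "Senior Directors"

# P: the permission is placed on the Domain Local group only. Read/Execute is
# the least privilege the scenario needs; nothing is granted to users directly.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            "CORP\ACL_BoardReports_Read",
            "ReadAndExecute",
            "ContainerInherit,ObjectInherit",
            "None",
            "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Checks a practitioner would run afterwards:
# 1. Expand the nesting to see which accounts actually end up with access.
Get-ADGroupMember -Identity "ACL_BoardReports_Read" -Recursive |
    Select-Object SamAccountName

# 2. Confirm the ACL grants access only through the resource group; any entry
#    naming an individual user or a broad built-in group is a finding to fix.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The payoff of the structure is visible in the two checks: reviewing who can read the folder is a single recursive group expansion rather than a tour of every ACL, and revoking a departing director is one `Remove-ADGroupMember` against the Global group with no ACL change at all. If the second check shows inherited entries for groups such as Users that are wider than the scenario allows, those come from the parent folder and must be addressed there or by breaking inheritance deliberately.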