Groups play an important role in making network administration easier. To ensure that the convenience of using groups does not compromise network security, you need to come up with a well-designed plan for creating and managing groups in your organization. This lesson will provide you with guidelines and best practices for effectively planning, creating, and managing groups in an enterprise environment.
After this lesson, you will be able to
Describe the User/ACL access method of controlling access to resources.
Describe the Account Group/ACL access method of controlling access to resources.
Describe the Account Group/Resource Group access method of controlling access to resources.
Determine the strategies for naming a group in a multidomain and multiforest organization.
Determine which users are allowed to create groups in an organization.
Describe the impact and benefits of nesting groups inside other groups.
Determine when to retire groups.
Estimated lesson time: 30 minutes
To review, authentication is the process of verifying the identity of something or someone. Authentication usually involves a user name and a password, but can include any method of demonstrating identity, such as a smart card, a retinal scan, voice recognition, or a fingerprint.
Authorization is the process of determining whether an identified user or process is permitted to access a resource and what level of access is appropriate for that user. The owner of a resource, or someone the owner has granted permission to, sets the permissions on the resource, typically by granting access to a predetermined group of users rather than to individuals. By setting the permissions on a resource, the owner controls which users and groups on the network can access it. For example, users who have logged on to the domain are authenticated to the domain; when they try to access resources that they have not been given permission to, they are still denied access.
The principle of least privilege states that you should provide users with the necessary level of privilege to perform their jobs—and no more. By restricting access that is not necessary to job performance, you can prevent malicious users from using extraneous privileges to circumvent network security. For example, regional managers may need permissions to modify their own human resources databases, but they may need only read access to the databases of other regions. A corporate human resources manager may require permissions to modify all databases, but a payroll manager may require only read access on the same databases. The concept of least privilege states that access controls should be used to ensure that these users only have the access they absolutely need.
When using the User/ACL method of controlling access to resources, you add the user account that needs access directly to the ACL of the resource. For example, a user John creates a file share and adds Sarah as an authorized user, giving her read-only permission to the share.
The User/ACL method works well for small organizations with fewer than 10 users. Generally, smaller organizations require fewer groups to manage access to resources, which reduces the complexity of assigning permissions. Using the User/ACL method in large organizations has the following limitations:
Users within the same job function might have inconsistent access to resources. Usually, users who share the same job role need uniform access to resources. For example, one engineer might have access to a laser printer, a plotter, a backup device, and many file shares. Another engineer in the same group might need access to the same resources, but might have access to only a subset of those resources. Therefore, when there is not uniform access, the network administrator will have to modify the rights for every individual who needs more access.
Administrator overhead increases because administrators will need to control access to resources on a user-by-user basis.
This method does not scale well for larger organizations.
Troubleshooting and tracking which users have access to which resources can be time-consuming and result in higher administrative overhead.
Access control lists will grow very large, which will cause performance degradation.
Even small organizations will regret using the User/ACL method the first time an employee is replaced.
When using the Account Group/ACL method, you place the user accounts into a global group. Instead of adding the user accounts to the ACL, you add the global group to the ACL. You then assign the group a set of access permissions. The Account Group/ACL method provides the following benefits:
Grouping users into groups makes management easier.
By placing users performing the same role in a common group, you provide them with the same set of permissions.
You can add global groups to access control lists in any domain that trusts the account domain.
For example, an administrator can put all accounting user accounts into a global group called GG-All Accountants and then put that global group on an ACL and assign permissions. The Account Group/ACL method also has some limitations. These include the following:
As more account groups are added to the resource, the resource administrator will experience some of the same challenges posed by the User/ACL method.
Determining which groups need which permissions can be complicated.
It is not as straightforward for non-administrators to assign access as it is when using the User/ACL method.
The Account Group/Resource Group method of controlling access to resources is the Account – Global Group – Domain Local Group – Permission (A-G-DL-P) method. When using this method, you add users with similar access requirements into account groups, and then add account groups as members to a resource group that has been granted specific resource access permissions. This strategy provides the most flexibility while reducing the complexity of assigning access permissions on the network. It is the method most commonly used by large organizations for controlling access to resources.
When creating a resource group to control access to a resource, you can create a local group at the resource or create a domain local group on a domain controller. By creating a domain local group instead of a local group to control access, an administrator can configure groups for access from the Active Directory Users And Computers console. A local group would require the administrator to connect directly to the resource to administer it.
To understand how the Account Group/Resource Group authorization method can be used in an organization, consider the following example. Nwtraders.msft needs to provide its users access to a printer named ColorLaser. However, the requirements of various users differ. Some users only need to be able to print with the printer, whereas others need to be able to print and manage the printer. In such a scenario, instead of adding each user or group into the ACL for the printer, you can create resource groups for the two sets of users and then provide the resource groups with appropriate permissions.
The Account Group/Resource Group authorization method is highly scalable and provides the following benefits:
Instead of modifying permissions for an individual group, you can add the account group into a resource group that has been configured with the appropriate permissions.
You can place account groups into resource groups in any domain that trusts the account domain.
You can provide groups with access to resources by simply placing account groups into resource groups.
The Account Group/Resource Group authorization method is not practical for small organizations. For a small organization that has fewer groups, the use of the Account Group/Resource Group authorization group method is unnecessary. With fewer groups, it is more practical to use the Account Group/ACL or even the User/ACL authorization method.
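The A-G-DL-P chain described above, carried out for a file share, as an added example that is not part of the training kit. It uses the ActiveDirectory PowerShell module and Set-Acl. The OU paths, the folder path, the NetBIOS domain name NWTRADERS and the account names sarah and john are assumptions made for the example.

```powershell
# Added example, not from the training kit: Account Group/Resource Group (A-G-DL-P) for a file share.
# Assumed (not from the text): OU paths, share folder path, NetBIOS domain name, sAMAccountNames.
Import-Module ActiveDirectory

$accountOU  = 'OU=Account Groups,DC=nwtraders,DC=msft'    # assumed OU for account groups
$resourceOU = 'OU=Resource Groups,DC=nwtraders,DC=msft'   # assumed OU for resource groups
$sharePath  = 'D:\Shares\Accounting'                      # assumed folder behind the share
$netbios    = 'NWTRADERS'                                 # assumed NetBIOS domain name

# A -> G: users who share a job role go into one global account group.
New-ADGroup -Name 'GG All Accountants' -GroupScope Global -GroupCategory Security `
    -Path $accountOU -Description 'Account group: everyone in Accounting'
Add-ADGroupMember -Identity 'GG All Accountants' -Members 'sarah', 'john'   # assumed accounts

# DL: one domain local resource group per access level that the resource offers.
$resourceGroups = @{
    'DL Accounting Share Read'   = 'ReadAndExecute'
    'DL Accounting Share Modify' = 'Modify'
}
foreach ($name in $resourceGroups.Keys) {
    New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security `
        -Path $resourceOU -Description "Resource group: $sharePath, $($resourceGroups[$name])"
}

# G -> DL: access is granted by nesting the account group into the resource group.
# Changing who may read the share later means editing this membership, not the ACL.
Add-ADGroupMember -Identity 'DL Accounting Share Read' -Members 'GG All Accountants'

# DL -> P: only the resource groups are placed on the ACL of the folder.
$acl = Get-Acl -Path $sharePath
foreach ($name in $resourceGroups.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        "$netbios\$name",
        [System.Security.AccessControl.FileSystemRights]$resourceGroups[$name],
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $sharePath -AclObject $acl

# Check: every explicit (non-inherited) ACE on the folder should name a DL group, never a user
# or an account group. Anything else on this list is a User/ACL or Account Group/ACL leftover.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The script sets NTFS permissions on the folder; the share-level permissions are a separate ACL and can simply grant Full Control to Authenticated Users so that the NTFS ACL decides. Note that the account group is nested only into the Read resource group: giving accountants Modify later is one Add-ADGroupMember call, and the ACL on the folder is never touched again.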
Designing naming standards may not seem like an important job, but a non-intuitive group naming convention can potentially lead to a security compromise. For example, if you named three global groups Group1, Group2, and Group3, a resource owner might not know which group contains the users who need access to the resource. The less intuitive the naming convention, the more likely users are to accidentally receive unnecessary permissions.
Table 2.4 lists the components of an intuitive naming convention.

Table 2.4  Components of an Intuitive Naming Convention

  Component               Example
  ---------------------   --------------------------------------------------------------------
  Type of group           GG for global group, UN for universal group, DLG for domain local group
  Location of the group   Sea for Seattle
  Purpose of the group    Admins for administrators
Your group naming convention can be based on geographic location, domain membership, or a resource. The main goal is to make the group name intuitive, so that resource owners know the type and purpose of the group and can grant appropriate access to users. Whatever abbreviations you choose, use them consistently: Table 2.4 abbreviates domain local groups as DLG while the resource group examples later in this lesson use DL, and a convention with two spellings of the same prefix is harder to audit. Windows Server 2003 does not provide any means of enforcing a group naming convention. Enforce it by educating the users who create groups and by monitoring group names. Additionally, someone in your organization should have the responsibility of auditing group names on a weekly or monthly basis and correcting any groups that have been misnamed.
When creating a name, ensure that the important details are in the first 20 characters of the name. This placement will allow you to view the important details in most dialog boxes without resizing the window.
To design a naming convention, you must understand how your organization will assign resources. For example, the organization may or may not have resources divided by regions. If an organization has marketing departments in Boston, Austin, and San Diego, and each of these marketing departments uses separate resources, then you should include location in the group naming convention because you will be required to make separate groups for each team in each location. Following are examples of what those groups might be named:
GG BOS Marketing
GG SAN Marketing
GG AUS Marketing
However, if the marketing teams from all locations work closely together and do not maintain separate resources, you do not need to include location in the group name. For example, the group name GG Marketing would be sufficiently granular. If there are resources that should only be accessed by users in a particular location regardless of the department they work in, you can create groups for each location, such as GG Austin, GG Boston, and GG San Diego.
Keeping the most general information towards the left of the name string and more specific information towards the right makes sorting more logical.
If you decide to use resource groups, you must determine how to uniquely and logically name the groups so that it is obvious which resources those groups should be assigned to. For example, in a small office with a single laser jet printer and a single bubble jet printer, the following names would be acceptable for resource groups:
DL LJ Print Only
DL LJ Managers
DL LJ Administrators
DL BJ Print Only
DL BJ Managers
DL BJ Administrators
However, in an enterprise with hundreds of printers, that naming convention would be confusing. Larger organizations need to include a description of the location in the group name. For example, if an enterprise uses a building code and office code to describe locations, the following names would be acceptable for resources groups:
DL 25-2003C LJ Print Only
DL 25-2003C LJ Managers
DL 25-2003C LJ Administrators
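Because Windows Server 2003 cannot enforce the convention, the periodic audit mentioned above has to be scripted. The following is an added example, not part of the training kit, that checks every group under a search base against the "<type> [<location>] <purpose>" shape of Table 2.4 and also flags groups whose type prefix contradicts their actual scope (for example, a domain local group named "GG ..."). The search base, the location codes, the decision to make location optional, and the output path are assumptions; if your convention uses DL rather than DLG, change the prefix table.

```powershell
# Added example, not from the training kit: audit AD group names against the Table 2.4 convention.
# Assumed (not from the text): search base, location codes, optional location, output file path.
Import-Module ActiveDirectory

$searchBase = 'DC=nwtraders,DC=msft'                                    # assumed forest root
$locations  = 'SEA', 'BOS', 'AUS', 'SAN'                                # assumed location codes
$prefixFor  = @{ Global = 'GG'; Universal = 'UN'; DomainLocal = 'DLG' }  # Table 2.4 prefixes
# <type> <space> optional "<location> " then a purpose that starts with a non-space character
$pattern    = '^(GG|UN|DLG) ((' + ($locations -join '|') + ') )?\S'

function Test-GroupNamingConvention {
    param([string]$SearchBase = $searchBase)
    # Built-in groups (isCriticalSystemObject) cannot be renamed, so they are excluded.
    Get-ADGroup -Filter * -SearchBase $SearchBase -Properties isCriticalSystemObject, whenCreated |
      Where-Object { -not $_.isCriticalSystemObject } |
      ForEach-Object {
        $problems = @()
        if ($_.Name -notmatch $pattern) {
            $problems += 'does not follow "<type> [<location>] <purpose>"'
        }
        # The prefix must say what the group really is; a wrong prefix misleads resource owners.
        $expected = $prefixFor[[string]$_.GroupScope]
        if ($_.Name -notlike "$expected *") {
            $problems += "scope is $($_.GroupScope) but name does not start with '$expected '"
        }
        if ($problems) {
            [pscustomobject]@{
                Name     = $_.Name
                Scope    = $_.GroupScope
                Created  = $_.whenCreated
                Problems = $problems -join '; '
                DN       = $_.DistinguishedName
            }
        }
      }
}

# Run the audit, show it, and keep a record for the weekly or monthly review.
Test-GroupNamingConvention | Sort-Object Name | Tee-Object -Variable report |
    Format-Table Name, Scope, Problems -AutoSize
$report | Export-Csv -Path "$env:TEMP\group-name-audit.csv" -NoTypeInformation
```

Run it as a scheduled task under an account that can read the directory, and treat a group created by a delegated administrator that shows up here as a prompt to talk to that administrator, not just to rename the group: the name is usually the symptom of not knowing the convention.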
In large organizations, the task of creating and managing groups can be time consuming for IT personnel. In such cases, you can delegate the task of creating and maintaining groups to other users in the organization. By delegating security group maintenance to the appropriate individuals, you can help to ensure that requests for changes in membership are evaluated by individuals who:
Can judge the appropriateness of the request.
Have the authority to make the change.
Are motivated to keep group membership and access permissions correct and up- to-date.
However, delegating the right of managing groups to other users could also lead to security breaches because the delegated group administrators might incorrectly configure access to resources. Therefore, it is important that you carefully determine who can create and maintain groups in your organization.
When delegating users to administer and maintain groups, keep the following considerations in mind:
Select users who are familiar with the department in which the resource is located and who have an understanding of the access needs of that department. Generally, an administrative assistant in a department has a good understanding of the access needs and requirements for those users and is a good choice for administering groups.
After you select the appropriate users, assign them permission to create and maintain groups. Delegating permissions to these departmental administrators can be done at the OU level, or by giving them the appropriate permissions on the resources they will need to configure.
After you have created the departmental administrators group and delegated permissions to it, ensure that only the users you selected are members of that group. Accidentally adding users to it can result in loss of data or other security compromises. You can use the Restricted Groups policy setting, applied at the OU level, to enforce the group's membership.
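The delegation described above, done at the OU level, as an added example that is not part of the training kit. It creates the departmental administrators group, uses dsacls (part of the Windows Server administration tools) to grant that group the right to create and delete group objects directly in the department's OU and to edit the member attribute of any group beneath it, and then lists the explicit ACEs on the OU so the delegation can be reviewed. The domain, OU, group name and the account mkt-assistant are assumptions.

```powershell
# Added example, not from the training kit: delegate group creation and membership changes in
# one departmental OU to a small administrators group, then review the delegation.
# Assumed (not from the text): NetBIOS domain name, OU path, group and account names.
Import-Module ActiveDirectory

$netbios = 'NWTRADERS'                                          # assumed NetBIOS domain name
$deptOU  = 'OU=Groups,OU=Marketing,DC=nwtraders,DC=msft'       # assumed OU holding Marketing's groups
$admins  = 'GG Marketing Group Admins'                          # the delegated administrators

# The group that receives the delegation. Keep its membership small and deliberate.
New-ADGroup -Name $admins -GroupScope Global -GroupCategory Security -Path $deptOU `
    -Description "Delegated: create/delete groups and edit membership under $deptOU"
Add-ADGroupMember -Identity $admins -Members 'mkt-assistant'     # assumed departmental assistant

# Right 1: create and delete child objects of class "group" in the OU itself.
dsacls $deptOU /G "${netbios}\${admins}:CCDC;group"

# Right 2: write the "member" attribute on group objects under the OU (/I:S = inherit to
# sub-objects only, so the ACE grants nothing on the OU object itself).
dsacls $deptOU /I:S /G "${netbios}\${admins}:WP;member;group"

# Review: explicit Allow ACEs on the OU. Anything here that is not the delegated group, or that
# grants more than the two rights above, is worth a question.
(Get-Acl -Path "AD:\$deptOU").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The two dsacls calls are deliberately narrow: the delegated group can manage group membership, but it cannot change which OU a group sits in, edit user accounts, or touch the ACL of the OU. Note that ObjectType and InheritedObjectType in the review output are schema GUIDs (the member attribute and the group class respectively); compare them against the GUIDs dsacls reports for the entries it just wrote.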
Group nesting is the process of placing security groups into other security groups. Group nesting is an effective way to scale the groups in an organization. For example, if you have account groups called GG Sales Managers, GG Training Managers, and GG Marketing Managers, you can nest these three account groups into another account group called GG All Managers. You can then apply permissions to all three nested groups at one time.
To nest account groups inside of other account groups, the domain functional level must be set at Windows 2000 native or greater.
When nesting groups, keep the following considerations in mind:
Every group a user belongs to, directly or through nesting, adds a SID to the user's access token, so deep nesting makes tokens large. Windows documentation for this release warns that Kerberos problems begin at about 120 group memberships; the exact ceiling depends on the MaxTokenSize setting, and a user who exceeds it can fail to log on or to reach resources.
Just as with any group naming strategy, if you do not provide an intuitive name for the nested group, it can lead to improper access to resources when another administrator mistakenly grants access to the incorrect group.
Make sure that you monitor the members of the groups. Not monitoring group membership can lead to inappropriate access to resources. Monitoring nested groups is more complicated than monitoring regular groups because a nested group contains other groups: each nested group must be expanded in turn to determine the overall membership.
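Expanding nested membership and checking token growth, as an added example that is not part of the training kit. The function walks a group breadth-first with a visited set, so a group nested back into one of its own parents cannot make it loop, collects the effective users, and for each user reads the constructed tokenGroups attribute through ADSI, which lists the user's transitive security group SIDs and so approximates what ends up in the access token. The group name and the warning threshold are assumptions; 120 is the figure the text cites, not a hard limit.

```powershell
# Added example, not from the training kit: effective membership of a nested group plus the
# per-user transitive group count (tokenGroups). Assumed: group name, warning threshold.
Import-Module ActiveDirectory

function Get-EffectiveMembership {
    param([string]$GroupName, [int]$WarnAt = 120)        # 120 is the figure cited in the lesson
    $root  = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $seen  = @{}                                         # group DNs already expanded
    $users = @{}                                         # user DN -> ADPrincipal
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($root)
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }         # already expanded, or a nesting cycle
        $seen[$dn] = $true
        foreach ($m in Get-ADGroupMember -Identity $dn) {
            if     ($m.objectClass -eq 'group') { $queue.Enqueue($m.distinguishedName) }
            elseif ($m.objectClass -eq 'user')  { $users[$m.distinguishedName] = $m }
        }
    }
    $rows = foreach ($dn in $users.Keys) {
        $entry = [ADSI]"LDAP://$dn"
        $entry.psbase.RefreshCache(@('tokenGroups'))     # constructed attribute: must be requested
        $count = $entry.psbase.Properties['tokenGroups'].Count
        [pscustomobject]@{
            User        = $users[$dn].SamAccountName
            TokenGroups = $count
            Warning     = $(if ($count -ge $WarnAt) { "transitive memberships at $count, threshold $WarnAt" } else { '' })
        }
    }
    [pscustomobject]@{
        Group        = $GroupName
        NestedGroups = @($seen.Keys | Where-Object { $_ -ne $root })   # every group reached below the root
        Users        = @($rows)
    }
}

# Usage: who really gets whatever 'GG All Managers' is granted, and whose token is getting big.
$r = Get-EffectiveMembership -GroupName 'GG All Managers'           # assumed group name
"$($r.Group): $($r.NestedGroups.Count) nested groups, $($r.Users.Count) effective users"
$r.NestedGroups
$r.Users | Sort-Object TokenGroups -Descending | Format-Table -AutoSize
```

Comparing the NestedGroups list against the description of the parent group is the quickest way to catch a group that was nested into a place it does not belong. Get-ADGroupMember does not resolve members from trusted forests (foreign security principals); for those, expand from the forest that owns the account.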
As organizations grow and evolve, security groups can become obsolete. Obsolete security groups provide users with permissions they might no longer need, which can lead to security vulnerability. Although account groups for very small teams might not change frequently, large account groups experience almost continuous turnover in membership. If an account group’s membership has not changed at all for some time, the group might be obsolete. Therefore, it is important that you constantly monitor which groups are no longer needed in your organization.
You should also develop and enforce processes to remove groups that are no longer in use. For example, you might create an account group called GG Picnic Planners for a new morale project in your organization. To facilitate the project, you provide the group access to the color laser printer to print handouts. When the project is over, if you do not retire the group, the users will still have access to the color laser printer.
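A retirement process has two halves: finding candidates, and retiring a group without immediately destroying its SID. The following is an added example, not part of the training kit, that lists security groups that are empty, unchanged for a period, without a recorded owner (managedBy), or global account groups nested into nothing, and then retires a group by emptying it, marking it, and moving it to a holding OU. The search base, the 180-day policy and the holding OU are assumptions. An unchanged group is only a candidate: a resource group sitting on an ACL can be both stable and still needed, so the list is input to a review, not a delete command.

```powershell
# Added example, not from the training kit: find retirement candidates and retire a group safely.
# Assumed (not from the text): search base, 180-day review policy, holding OU path.
Import-Module ActiveDirectory

function Find-RetirementCandidates {
    param(
        [string]$SearchBase = 'DC=nwtraders,DC=msft',   # assumed
        [int]$StaleDays = 180                           # assumed review policy
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-ADGroup -Filter { GroupCategory -eq 'Security' } -SearchBase $SearchBase `
        -Properties member, memberOf, whenChanged, managedBy, isCriticalSystemObject |
      Where-Object { -not $_.isCriticalSystemObject } |
      ForEach-Object {
        $reasons = @()
        if ($_.member.Count -eq 0)      { $reasons += 'no members' }
        if ($_.whenChanged -lt $cutoff) { $reasons += "unchanged since $($_.whenChanged.ToString('yyyy-MM-dd'))" }
        if (-not $_.managedBy)          { $reasons += 'no owner recorded in managedBy' }
        if ($_.GroupScope -eq 'Global' -and $_.memberOf.Count -eq 0) {
            $reasons += 'account group nested in no resource group'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name        = $_.Name
                Scope       = $_.GroupScope
                Members     = $_.member.Count
                WhenChanged = $_.whenChanged
                Reasons     = $reasons -join '; '
                DN          = $_.DistinguishedName
            }
        }
      }
}

function Start-GroupRetirement {
    param(
        [string]$GroupName,
        [string]$HoldingOU = 'OU=Retired Groups,DC=nwtraders,DC=msft'   # assumed holding OU
    )
    $g = Get-ADGroup -Identity $GroupName -Properties member, Description
    # Empty the group first. The object (and its SID) still exists, so any ACE that names it
    # grants nothing but can still be found and cleaned up before the group is finally deleted.
    if ($g.member.Count -gt 0) {
        Remove-ADGroupMember -Identity $g -Members @($g.member) -Confirm:$false
    }
    Set-ADGroup -Identity $g -Description "RETIRED $(Get-Date -Format yyyy-MM-dd); was: $($g.Description)"
    Move-ADObject -Identity $g -TargetPath $HoldingOU
}

# Usage: review the list, then retire what the owners confirm is dead.
Find-RetirementCandidates | Sort-Object WhenChanged | Format-Table Name, Scope, Members, Reasons -AutoSize
# Start-GroupRetirement -GroupName 'GG Picnic Planners'
```

Deleting a group outright leaves orphaned SIDs in every ACL it was on, and those entries cannot be read back to a name. Keeping the emptied group in the holding OU for a defined period lets you remove those ACEs while they still resolve, and gives anyone who lost access time to object; Remove-ADGroup comes at the end of that period, not at the start.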
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
Which of the following group names was created with an effective group naming strategy?
GG BOS HR
Cohowinery Global Group Boston Human Resources
Is the User/ACL or the Account Group/ACL method more effective in large enterprises?
Which of the following describes the principle of least privilege?
Ensure that users have the minimal privileges necessary to do their jobs.
Ensure that users have no permissions unless they have authenticated with both a password and a smart card.
Create users with administrator privileges and then gradually reduce their privileges to the lowest level possible that allows applications to still function.
Unauthenticated users must have the lowest level of privileges on the network.
When using the User/ACL method, you add the user account that needs access to a resource directly to the ACL of the resource.
The User/ACL method does not scale well for larger organizations.
When using the Account Group/Access Control List method, you place the user account into a global group, and instead of adding the user account to the ACL, you add the global group to the ACL.
When using the Account Group/Resource Group method, you add users with similar access requirements into account groups, and then add account groups as members to a resource group that has been granted specific resource access permissions.
Define a group naming convention that identifies the group type, its location, and the purpose of the group.
By delegating security group maintenance to the appropriate individuals, you can ensure that requests for changes in membership are evaluated by individuals who can judge the appropriateness of the request, who have the authority to make the change, and who are motivated to keep group membership and access permissions correct and up-to-date.
Group nesting is the process of placing security groups into other security groups. Group nesting is an effective way to scale the groups in an organization.