Microsoft has published a document that speaks to best practices for securing Active Directory. The document is over 300 pages long and provides 22 recommendations for securing AD. What’s more, it has lots of context so you can understand the recommendations and best practices. The document can be downloaded here.
I posted back in 2008 about a Microsoft article that speaks to the maximum limits for Active Directory. Microsoft has updated their content to include Active Directory in Windows Server 2012. Specific updates include:
- Increase in the number of RIDs that can be allocated over the lifetime of a domain with Windows Server 2012
- Update regarding the maximum number of objects to reflect garbage collection batch size, which is 5000.
The new content can be found here.
It’s been a while since I’ve authored a post on Active Directory. This post focuses on some of the new features in Active Directory Domain Services (AD DS) in Windows Server 2012. The new features/improvements can be categorized into the following:
- Deployment and Upgrade
- Platform Changes
Microsoft released two new Identity whitepapers this month.
The first paper covers the fundamental pillars of identity as defined by the Microsoft solution architects, that can be useful in creating a strategic direction for an identity infrastructure in your organization.
The second paper covers identity infrastructure capabilities specific to both on-premises and cloud computing that we at Microsoft are most often asked by our customers to implement. This paper also contains introductory information on the existing Microsoft solutions that can help you obtain these popular identity infrastructure capabilities.
Good overview of the difference between AD and WAAD here.
The Group Policy Search (GPS) service is a web application hosted on Windows Azure, which enables you to search for registry-based Group Policy settings used in Windows operating systems.
GPS version 1.1.4 is live at http://gps.cloudapp.net. Version 1.1.4 includes registry-based policy settings from Windows 8 and Windows Server 2012, performance improvements, bug fixes, and a few little surprises. It’s the easiest way to search for a Group Policy setting. The changelog is as follows:
- Added support for Windows 8 and Windows Server 2012
- Added new icons in front of the policies to mark whether they are user or machine based
- Added auto language detection for the supported languages (en, de, fr, it, es)
- Added support for ajax navigation
- Got rid of the x-ua-compatible
- Suggestions should behave better now
- Fixed some bugs
Alex Simons, Director of Program Management for Active Directory, posted the links to the Developer Preview of Windows Azure Active Directory, last week.
Windows Azure Active Directory (AD) is a cloud identity management service for application developers, businesses and organizations. Today, Windows Azure AD is already the identity system that powers Office 365, Dynamics CRM Online and Windows Intune. Over 250,000 companies and organizations use Windows Azure AD today to authenticate billions of times a week.
The Ask the Directory Services Team blog has a post that outlines some of the improvements to Group Policy management that are in Windows Server 8, including:
- Group Policy Infrastructure Status
- Remote Policy Refresh
- New RSOP Logging Data
- Test Lab Guide: Demonstrate ADDS Simplified Administration in Windows Server “8” Beta
- Test Lab Guide: Demonstrate Virtualized Domain Controller (VDC) in Windows Server “8” Beta
- Windows Server “8” Beta Test Lab Guides (Wiki Landing Page)
- Active Directory Domain Services overview
- Dynamic Access Control: Scenario Overview
I came across an article on Windows IT Pro that provides a good overview of the new Active Directory features in Windows Server 8. The article can be read here…
As discussed in detail in a post on the AskDS team blog, using security groups for Group Policy preferences (GPP) targeting was a really bad idea. So much so that it would typically result in a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy GPP to the computer. Microsoft recently released a hotfix that addresses this issue by changing how the Security Group Targeting item calculates computer group membership.
If you are using, or plan to use, computer group membership for GPP targeting, you’ll want to install this hotfix. Information pertaining to the hotfix can be found in the Microsoft Knowledgebase article 2561285. Additional information on the issue can be found here. Additional information on the resolution can be found here.
I ran across a post on the AskDS Team blog, which goes into depth on Kerberos and Load Balancing. It’s definitely worth a read if you plan to use Kerberos in a load balanced environment. The post can be found here…
I’ve said many times that a default installation of Active Directory is not secure. There are several reasons for this, and I do not consider this to be a design flaw. However, there are several built-in features that enable you to secure AD according to your specific requirements.
One of the most common “mitigations” you read about is to rename built-in accounts, such as the Administrator account. I’ve never been a fan of this recommendation simply because anyone really looking to exploit your AD environment will be able to determine the renamed account in a matter of seconds. This has to do with well-known SIDs.
Microsoft defines well-known SIDs as:
A group of SIDs that identify generic users or generic groups. Their values remain constant across all operating systems.
And the built-in Administrator account has a well-known SID. Therefore, anyone can find the renamed Administrator account simply by knowing the SID. Again, since this is a built-in account, the relative identifier (RID) at the end of the SID is going to be the same regardless of the environment. All you need to find out is the domain SID, which isn’t difficult. (The Administrator account has a SID of S-1-5-21-domain-501, where domain is the domain’s SID.)
IMO, renaming built-in accounts may ward off the novice hacker, but it won’t save you from the ones looking to cause real damage. Nonetheless, you should always look at the risks that apply to your environment, and mitigate them accordingly.
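The point above, that a renamed built-in account is still identifiable by its fixed RID, is something a defender can turn into an audit: locate built-in accounts by SID rather than by name, and report whether each is enabled, which is what actually matters. The following script is an added example and is not code from the original post. The RID table uses the values from Microsoft's published well-known SID documentation (Administrator is RID 500, Guest is RID 501, krbtgt is RID 502). The account records are constructed sample data in the shape of an AD export; sAMAccountName and objectSid are real AD attribute names, while the `enabled` field is an assumed simplification of userAccountControl.

```python
import re

# Well-known domain RIDs per Microsoft's documentation of well-known SIDs.
# The RID is fixed; only the domain SID prefix differs between domains.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Domain SIDs look like S-1-5-21-<sub1>-<sub2>-<sub3>; account SIDs append a RID.
_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_domain_sid(sid):
    """Return (domain_sid, rid) for a domain account SID, or None for any other SID."""
    match = _DOMAIN_SID_RE.match(sid)
    if match is None:
        return None
    return match.group(1), int(match.group(2))


def well_known_sid(domain_sid, rid):
    """Compose the SID of a well-known account from the domain SID and its fixed RID."""
    return f"{domain_sid}-{rid}"


def find_by_rid(accounts, domain_sid, rid):
    """Locate an account by SID, ignoring whatever sAMAccountName it currently has."""
    target = well_known_sid(domain_sid, rid)
    for acct in accounts:
        if acct["objectSid"] == target:
            return acct
    return None


def audit_builtin_accounts(accounts):
    """Report built-in accounts whose current name differs from the documented
    name, together with whether each is enabled."""
    findings = []
    for acct in accounts:
        parts = split_domain_sid(acct["objectSid"])
        if parts is None:
            continue  # non-domain SIDs such as S-1-5-18 (LocalSystem) are out of scope
        _, rid = parts
        documented = WELL_KNOWN_RIDS.get(rid)
        if documented is None:
            continue  # ordinary account; RIDs from 1000 upward are allocated per object
        if acct["sAMAccountName"].lower() != documented.lower():
            findings.append({
                "rid": rid,
                "documented_name": documented,
                "current_name": acct["sAMAccountName"],
                "enabled": acct["enabled"],
            })
    return findings


# Constructed sample export (not real data); the domain SID is made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup-ops", "objectSid": f"{DOMAIN_SID}-500", "enabled": True},
    {"sAMAccountName": "Guest", "objectSid": f"{DOMAIN_SID}-501", "enabled": False},
    {"sAMAccountName": "krbtgt", "objectSid": f"{DOMAIN_SID}-502", "enabled": False},
    {"sAMAccountName": "jsmith", "objectSid": f"{DOMAIN_SID}-1105", "enabled": True},
    {"sAMAccountName": "SYSTEM", "objectSid": "S-1-5-18", "enabled": True},
]

if __name__ == "__main__":
    admin = find_by_rid(SAMPLE_ACCOUNTS, DOMAIN_SID, 500)
    print("RID 500 is currently named:", admin["sAMAccountName"])
    for f in audit_builtin_accounts(SAMPLE_ACCOUNTS):
        print(f"RID {f['rid']} ({f['documented_name']}) is now named "
              f"{f['current_name']}; enabled={f['enabled']}")
```

On the sample data the audit reports one finding: the RID 500 account has been renamed to svc-backup-ops and is still enabled, which is exactly the situation the post warns about. In a real environment the same logic runs over an export of objectSid and sAMAccountName from the domain, and the useful follow-up is a review of whether each flagged account needs to be enabled at all, not a further rename.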
I was a guest speaker on Talk TechNet yesterday. I enjoyed the live Webcast and appreciate the questions that came in. The hosts, Keith Combs and Matt Hester, were a blast as well. In case you missed it, the Webcast is now available for download here. You can also check out more details on the Webcast by going to the Talk TechNet blog.
I came across a post on the Active Directory Documentation Team blog, which may be quite useful. According to the post, they are:
pulling together resources that will hopefully become a central location to help people troubleshoot Active Directory issues in the Active Directory Troubleshooting Survival Guide
The Active Directory Survival Guide, which is a Microsoft TechNet Wiki, can be found here: http://social.technet.microsoft.com/wiki/contents/articles/active-directory-troubleshooting-survival-guide.aspx
Description: Learn how to configure Windows Firewall with Advanced Security connection security rules to protect network communication between a domain controller and domain member computers using Internet Protocol security (IPsec).
Download from here.
In this post, I will walk you through preparing a lab environment for Lync Server 2010. Since the infrastructure prerequisites for Lync Server 2010 Standard Edition and Lync Server 2010 Enterprise Edition differ slightly, the focus of this lab will be the common steps that apply to both editions. In future posts, where I detail the steps to create the Lync Server 2010 lab, I will outline the Edition specific steps.
The focus of this post is:
- Create the Virtual Machine
- Install Active Directory Domain Services
- Install Active Directory Certificate Services
Do you plan to delegate the permission to create Active Directory objects? Did you know doing so provides the ability to escalate privileges and facilitates stale object ownership?
Want to know whether or not an offline defragmentation of your Active Directory Domain Services (AD DS) database will reclaim disk space? If so, change the garbage collection logging level on your domain controllers.
I’ve been doing some research on the changes to Active Directory Domain Services in Windows Server 2008 R2 Service Pack 1. Although Windows Server 2008 R2 SP 1 is still not RTM, there are many useful resources available. Here’s a summary of the changes specific to AD DS in Windows Server 2008 R2 Service Pack 1:
I was recently looking into an LDAP over SSL issue, and I found some very useful articles online…here they are:
- Reading LDAP SSL Network Traffic with NetMon 3.4 and NMDecrypt
- Understanding LDAP Security Processing
- Domain Locator Across a Forest Trust
- Troubleshooting LDAP Over SSL
- Third Party Application Fails Using LDAP over SSL
- Tracking LDAP Searches with Windows Server 2008 Reliability and Performance Monitor
- LDAP client tracing…
- Tracing LDAP calls with Powershell