

Specialists in infrastructure design for business critical systems

 

 

 





Securing Active Directory® Access

One-Day Seminar (level-400)

Presented by
John Craddock


- Seminar Abstract
- Who should attend?
- Prerequisites
- Topics Covered
- Speaker Biography



Seminar Abstract

Deploying Active Directory provides a mechanism to authenticate users, computers and services within your enterprise – but who is going to administer the system? Domain, enterprise and schema administrator accounts are designed for managing roles that are highly privileged; everyday administration should not be performed using these accounts. You should always adopt the philosophy of least-privileged access: log on with only the privileges required to complete the task.

Delegated administration is the solution. To implement delegated administration successfully, you need to understand the Active Directory security model. This model is complex and difficult to understand, but armed with this knowledge you can leverage Active Directory security to maximize the efficacy of delegated administration and also control the visibility of published resources. Controlling the visibility of resources enhances the richness of AD searches for all by displaying only the resources that users need to see or use.

This seminar will provide an in-depth explanation of the Active Directory security model, examining all aspects of object and attribute security. You will learn best practices for controlling delegation, including management of service and resource accounts. A full explanation of security and administration boundaries will be provided, together with their associated vulnerabilities. The seminar is backed up with comprehensive demonstrations.

Who should attend?

Anyone who needs a detailed technical insight into Active Directory object security and delegated administration including: Active Directory consultants, architects, administrators and troubleshooters.

Prerequisites

The seminar provides real technical detail and assumes a working knowledge of Active Directory concepts such as forests, domains, sites, replication, domain controllers, organizational units and group policy. The seminar is not suitable for personnel engaged in basic day-to-day administrative tasks.

Topics covered
  • Security boundaries
  • Securing AD access
  • Managing domain, enterprise and schema administration accounts
  • Service and resource based administrative roles
  • Designing role based administration
  • Managing AD security vulnerabilities
  • Security access tokens
  • SIDs and RIDs including SID history
  • Default object and attribute security
  • Schema-based default security descriptors
  • Security Descriptor Definition Language (SDDL)
  • Explicit versus inherited ACLs
  • Multilevel inheritance
  • Blocking and propagating inheritance
  • Auditing object and attribute access
  • Effective permissions
  • Controlling object visibility
  • List object versus list content


Speaker Biography

John Craddock (v-jcradd@microsoft.com, johncra@kimberry.co.uk)
BSc Hons CEng MBCS
Principal Systems Consultant, Kimberry Associates


John Craddock has designed and implemented computing systems ranging from embedded high-speed industrial controllers through to distributed IT solutions. John works as a consultant providing services to industry leaders including Microsoft; he was a key player in the Government Gateway Project and is the infrastructure architect for a number of web portals built on Windows Server 2003 technologies. In addition to his role as a consultant, he has written over 20 technical training courses that have been published worldwide. John lectures internationally and has written and presented sessions on Windows 2000 and 2003 Active Directory at MTB, MEC, TechEd, IT Forum, JDP and deployment conferences.


Sally Storey (sallysto@kimberry.co.uk)
Senior Consultant, Kimberry Associates


Sally Storey has worked in management and consulting in the IT industry for Novell and Microsoft, and independently. Sally works as a consultant on enterprise infrastructure projects in operations, logistics and deployment roles. Sally is ITIL qualified and specializes in building processes that keep systems highly available and secure.

John and Sally co-authored “Investigating and Managing Objects and Attributes for Microsoft Windows 2000 and Microsoft Windows Server 2003” (ISBN 0-9544218-0-9).




Latest Books
Active Directory® Forestry

Investigating and Managing Objects and Attributes for Microsoft® Windows® 2000 and Microsoft® Windows® Server 2003 – A Geek’s Guide

This book peels back the covers on the Active Directory® and provides you with technical in-depth details of objects and attributes and how they interact.

ISBN 0-9544218-0-9



© 2002-2003 Kimberry Associates