Security Management for ASP (11)

Source: Internet
Author: User
Tags: inheritance
Security Appendix B: Best Practices for access policies
Optimal configuration scheme for the ASP's Group Policy Objects (GPOs)
When working in an ASP enterprise environment based on Windows Active Directory, it is important to design policies that minimize redundancy and redefinition while maximizing manageability. Unfortunately, these two goals can contradict each other. To reduce redundancy and redefinition, the ASP should define very detailed GPOs; to increase manageability, the ASP should keep the number of GPOs small. Reducing the number of GPOs linked to the various containers is also critical to performance, since every linked GPO is processed at logon and at refresh. To strike the balance, the ASP should spend some time planning the policy design within its basic organizational structure.

The steps to complete an organized plan include:

Group policies logically. For example, the account policies form one logical group.
Define one or more GPOs for each logical grouping, with different policy settings covering the possible policy values. For example, one GPO can contain the account policies for the different domains and another GPO the policies for local accounts on servers and desktops.
Use organizational units (OUs) to divide your computers into a hierarchical tree. This division should be based on roles, that is, on the purpose and function of each computer. For example, by default all domain controllers are placed in the Domain Controllers OU so that they receive consistent policies.
Typically, each OU should map to a policy that applies to all computers in that OU. This can be tricky, because OUs usually reflect the management hierarchy and the geographic distribution of the ASP, whereas the ASP's policy definitions often cut across both the company structure and the geographic distribution.

When an ASP wants to apply a policy to only a subset of the computers in the ASP organization, it has two options:

Create sub-OUs in the relevant parts of the ASP's tree and link the specific policies to each of these sub-OUs.
If the ASP does not want to create a deep OU hierarchy, it can use the permission-based filtering mechanism of the GPO (the Read and Apply Group Policy permissions on the GPO) to determine which computers in a given OU a specific GPO applies to.
Priority of Security Policy
It is important to understand the precedence of security policies associated with Active Directory domains and OUs, because they take precedence over policies established at the local level. The precedence order for the ASP's security policies associated with Active Directory domains and OUs is the same as for Group Policy in general. From lowest to highest, the order is:

Local Policy
Domain Policy
OU Policy
Local policies (policies defined on the computer itself) have the lowest priority, and the policies associated with the OU that directly contains the computer have the highest priority.

Therefore, the policy for the domain takes precedence over the locally defined policy. This is important to understand because the result differs markedly from previous versions of Windows NT. For example, when a password policy is configured for the domain (as it is by default), that password policy is applied to every computer in the domain. This means that the local account database on each workstation in the domain has the same password policy as the domain itself. In Windows NT 4.0, the password policy defined for the domain did not affect the password policy of the local account database on member workstations and servers.
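The two mechanisms described above, OU-based scoping with permission-based filtering and the Local, Domain, OU precedence order, can be modelled in a few lines. The following PowerShell is an added example and is not part of the original article: the OU names, GPO names, group names and setting values are all constructed, and the merge rule is the "closest container wins" behaviour the text describes, with local policy as the starting layer.

```powershell
# Added example, not from the original article: a small model of how Group Policy
# is scoped (OU tree, GPO links, permission-based filtering) and merged in
# Local -> Domain -> OU -> sub-OU order. All OU, GPO, group and setting names are constructed.

# Each OU records its parent container and the GPOs linked to it.
$OUs = @{
    'Domain'      = @{ Parent = $null;     GPOs = @('Default Domain Policy') }
    'Servers'     = @{ Parent = 'Domain';  GPOs = @('Server Baseline') }
    'Web Servers' = @{ Parent = 'Servers'; GPOs = @('Web Hardening') }
}

# Settings carried by each GPO (illustrative; a real GPO holds far more).
$GPOSettings = @{
    'Default Domain Policy' = @{ MinimumPasswordLength = 8; AuditLogon = 'Success' }
    'Server Baseline'       = @{ AuditLogon = 'Success,Failure'; DisableGuest = $true }
    'Web Hardening'         = @{ LockoutThreshold = 5 }
}

# Permission-based filtering: a GPO only applies to principals granted Read and
# Apply Group Policy. Entries here list the groups allowed to apply a GPO;
# a GPO with no entry applies to every computer in its OU.
$ApplyTo = @{
    'Web Hardening' = @('IIS Servers')
}

function Get-OUChain {
    # Walk from the computer's OU up to the domain, returning the domain first.
    param([string]$OU)
    $chain = @()
    while ($OU) {
        $chain = @($OU) + $chain
        $OU = $OUs[$OU].Parent
    }
    return $chain
}

function Get-EffectivePolicy {
    param(
        [hashtable]$LocalPolicy,
        [string]$ComputerOU,
        [string[]]$ComputerGroups
    )
    # Start from local policy (lowest precedence) and let each closer container
    # overwrite conflicting settings; the OU containing the computer wins.
    $effective = $LocalPolicy.Clone()
    $applied = @('Local')
    foreach ($ou in Get-OUChain -OU $ComputerOU) {
        foreach ($gpo in $OUs[$ou].GPOs) {
            if ($ApplyTo.ContainsKey($gpo)) {
                $allowed = @($ComputerGroups | Where-Object { $ApplyTo[$gpo] -contains $_ })
                if ($allowed.Count -eq 0) { continue }   # filtered out for this computer
            }
            foreach ($name in $GPOSettings[$gpo].Keys) {
                $effective[$name] = $GPOSettings[$gpo][$name]
            }
            $applied += $gpo
        }
    }
    return [pscustomobject]@{ Settings = $effective; AppliedInOrder = $applied }
}

# Local policy of one member server: its own password length is overridden by the
# domain, while a setting nobody above defines (ScreenSaverTimeout) survives untouched.
$local = @{ MinimumPasswordLength = 0; AuditLogon = 'None'; ScreenSaverTimeout = 600 }

$web = Get-EffectivePolicy -LocalPolicy $local -ComputerOU 'Web Servers' -ComputerGroups @('Domain Computers', 'IIS Servers')
"Web server:   " + ($web.AppliedInOrder -join ' -> ')
$web.Settings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# A second server in the same OU that is not in 'IIS Servers' is filtered out of 'Web Hardening'.
$other = Get-EffectivePolicy -LocalPolicy $local -ComputerOU 'Web Servers' -ComputerGroups @('Domain Computers')
"Other server: " + ($other.AppliedInOrder -join ' -> ')
```

The first run shows `Local -> Default Domain Policy -> Server Baseline -> Web Hardening` with `MinimumPasswordLength` at 8 and `AuditLogon` at `Success,Failure`; the second run stops at `Server Baseline` because the computer lacks the group that carries Apply Group Policy on `Web Hardening`. On a real domain the same question is answered by `gpresult` or the Resultant Set of Policy snap-in; the model is only meant to make the ordering and filtering rules visible.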

Access control
Active Directory can greatly simplify distribution of permissions and privileges within the entire tree hierarchy of containers, groups, users, computers, and other resource objects.

To make the most of this, follow these general guidelines:

Assign user rights on a group basis.
Rely on the inheritance of group assignments. Because maintaining permissions directly on individual user accounts is inefficient, permissions are generally not assigned on a per-user basis.
Assign permissions as high in the container hierarchy as possible. This achieves the broadest effect with the least effort; the permissions set there should be appropriate for the majority of security rules.
Apply inheritance to propagate permissions throughout the container tree. Where applying access control at a higher level of the tree provides breadth of scope, inheritance provides depth: the ASP can quickly and efficiently apply access control to all child objects of the parent object.
Delegate management of a container to the ASP and client administrators who manage the computers that reside in it. By delegating the authority to manage the container's permissions, the ASP decentralizes management operations and issues, and the total cost of ownership falls because management is moved closer to the point of service.
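The three guidelines above (assign to a group, assign once at the top, let inheritance carry the entry down, and delegate a sub-container to its own administrators) can be exercised on any Windows machine. The following PowerShell is an added example and is not part of the original article; it uses an NTFS folder tree as a stand-in for Active Directory containers so it runs without a domain, and the folder names and the two built-in groups used as placeholders for an ASP operations group and a client administrators group are constructed choices.

```powershell
# Added example, not from the original article: grant a permission once at the top of a
# container tree, let inheritance carry it to every child, and delegate one sub-container
# to a separate administrators group. An NTFS folder tree stands in for Active Directory
# containers so the script runs on any Windows machine; folder and group choices are constructed.
$root = Join-Path $env:TEMP 'asp-acl-demo'
New-Item -ItemType Directory -Force -Path "$root\ClientA\Servers", "$root\ClientB\Servers" | Out-Null

function New-InheritableRule {
    # Build an ACE whose flags make it flow to sub-containers (ContainerInherit)
    # and to leaf objects (ObjectInherit).
    param([string]$Identity, [System.Security.AccessControl.FileSystemRights]$Rights)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

function Grant-OnContainer {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. ASP-wide read access, assigned to a group, once, at the highest container.
$aspOps = 'BUILTIN\Users'                    # stand-in for an ASP operations group
Grant-OnContainer -Path $root -Rule (New-InheritableRule -Identity $aspOps -Rights 'ReadAndExecute')

# 2. Delegation: the client's own administrators may manage permissions below ClientA only.
$clientAdmins = 'BUILTIN\Backup Operators'   # stand-in for a client administrators group
Grant-OnContainer -Path "$root\ClientA" -Rule (New-InheritableRule -Identity $clientAdmins -Rights 'ChangePermissions')

function Get-InheritedAce {
    # Return the inherited entries for an identity on a given object.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.IsInherited
    }
}

# Check: every descendant carries the ASP-wide ACE as inherited, and only the ClientA
# subtree carries the delegated one, with no per-object assignment anywhere.
Get-ChildItem -Path $root -Recurse -Directory | ForEach-Object {
    [pscustomobject]@{
        Path        = $_.FullName.Substring($root.Length)
        AspRead     = [bool](Get-InheritedAce -Path $_.FullName -Identity $aspOps)
        ClientAdmin = [bool](Get-InheritedAce -Path $_.FullName -Identity $clientAdmins)
    }
} | Format-Table -AutoSize
```

The output table shows `AspRead` true on every folder and `ClientAdmin` true only under `\ClientA`, which is exactly the breadth-plus-depth effect the text describes: two explicit entries, each written once, cover the whole tree. Against real Active Directory containers the same pattern uses `Get-Acl` and `Set-Acl` on the `AD:` drive with `ActiveDirectoryAccessRule` objects, or the Delegation of Control wizard in Active Directory Users and Computers.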
When deploying Windows 2000 in an ASP, the ASP must decide which default security level to target.
Windows 2000 defines three security levels for newly installed systems: Users, Power Users, and Administrators. By default, all end users (internal and customer) are members of the Users group, which is workable if the ASP only plans to run certified Windows 2000 applications. However, if an ASP needs to support applications that are not Windows 2000 certified, it must do one of the following:
Make all end users Power Users instead of Users.
Modify the default security settings to increase the permissions granted to Users.
Either of these steps can be implemented as part of the ASP-wide security policy, or applied to individual computers as part of the installation process. Windows Server ships with a security template that sets up the appropriate security level for Users.

The template is located at: Systemroot\security\templates\compatws.inf

Computers upgraded from Windows NT to Windows 2000 raise additional considerations:

Security settings are not modified during the upgrade, so applications that are not Windows 2000 certified continue to run without modification.
If the ASP wants to bring an upgraded computer to the new Windows 2000 security defaults, the Windows 2000 default security settings are available in the following template file: Systemroot\security\templates\basicwk.inf.
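The two templates named above are applied with the built-in `secedit.exe`, which can also analyze a computer against a template without changing anything. The following PowerShell is an added example and is not part of the original article: `secedit.exe` with `/analyze` and `/configure` is the real tool, while the working directory, the section-counting helper and the log filtering are constructed here. It must be run from an elevated prompt, and the template files exist only on systems that still ship them.

```powershell
# Added example, not from the original article: inspect one of the security templates named
# in the text, analyze this computer against it, and apply it only when explicitly asked.
# secedit.exe with /analyze and /configure is the built-in tool; the working directory and
# log handling are constructed here. Run from an elevated prompt.
function Get-TemplateSummary {
    # Count the settings under each [Section] of the .inf so you can see what an apply
    # would touch (account policy, privilege rights, registry values, file security, ...).
    param([string]$Path)
    $sections = [ordered]@{}
    $current = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $matches[1]; $sections[$current] = 0 }
        elseif ($current -and $line -match '^\s*[^;\s].*=') { $sections[$current]++ }
    }
    return $sections
}

function Invoke-SecurityTemplate {
    param(
        [ValidateSet('compatws.inf', 'basicwk.inf')]
        [string]$Template = 'compatws.inf',
        [switch]$Apply
    )
    $inf = Join-Path $env:SystemRoot "security\templates\$Template"
    if (-not (Test-Path $inf)) { throw "Template not found: $inf" }

    $work = Join-Path $env:TEMP 'secedit-demo'
    New-Item -ItemType Directory -Force -Path $work | Out-Null
    $db  = Join-Path $work ($Template -replace '\.inf$', '.sdb')
    $log = Join-Path $work ($Template -replace '\.inf$', '.log')
    Remove-Item $db, $log -ErrorAction SilentlyContinue   # fresh database each run

    "Sections in $Template and the number of settings in each:"
    Get-TemplateSummary -Path $inf | Format-Table -AutoSize

    # Analyze only: import the template into a database and compare it with the
    # current settings. Nothing is changed; differences are written to the log.
    & "$env:SystemRoot\system32\secedit.exe" /analyze /db $db /cfg $inf /log $log | Out-Null
    "Differences between current settings and $Template (first 20):"
    Select-String -Path $log -Pattern 'Mismatch' | Select-Object -First 20 | ForEach-Object { $_.Line }

    if ($Apply) {
        # Configure applies the template stored in the database to the computer.
        & "$env:SystemRoot\system32\secedit.exe" /configure /db $db /cfg $inf /log $log
        "Applied $Template; see $log"
    }
}

# Dry run against the compatibility template (the alternative to moving all end users
# into Power Users); add -Apply to actually change the local security settings.
Invoke-SecurityTemplate -Template 'compatws.inf'
```

Running the analyze step first and reading the mismatch lines is the check worth keeping: it tells you which account, audit, registry and file-system settings the template would loosen (`compatws.inf`) or tighten (`basicwk.inf`) on this particular computer before anything is changed, and the same log is what you would attach to a change record.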


