Chapter 7. Active Directory's Role in Domain Security"Sixty-five percent of attacks exploit misconfigured systems, and only 30% exploit known vulnerabilities where there's a patch out. Only 5% exploit things we didn't know where there was a problem. Address the 65% and check that things are configured right, and you've just eliminated two-thirds of your problem. Focus on patch management and forcing software vendors to write better software, and you've got the other 30% taken care of. Then, later on, worry about the 5% of evil geniuses who are attacking us with zero-day attacks."http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci905234,00l
For many, the preceding conclusion is just common sense. Configure your system correctly, and you have probably eliminated 65% of its vulnerabilities. Therein lies the rub. How do you correctly configure each machine in your network? First, there is the enormity of the situation. Imagine configuring and securing thousands of desktop systems, hundreds of server, and dozens of domain controllers in an enterprise network from an easy-to-understand, granularly configurable, and ultimately manageable console. Then add to that picture the capability to back up and restore security configurations, easily document settings, and reproduce your entire enterprise security configuration in a test environment or migrate settings from one domain to another. Take it a step further and include the opportunity to understand the impact of changes, determine the current security status of a single machine without sitting at its console, and troubleshoot security policy when things aren't right. Is this too much to ask? No, it's mandatory for security maintenance. Although it is a large task, you can obtain this control over Windows systems today with native Windows Server 2003 tools. NOTE: Use Best Practices Tempered by Security Policy This book can show you how to use native tools to configure and secure systems. It can even provide you with some best practices. Ultimately, however, you must understand your systems and make the best choices based on their intended use and the established security policy of your organization. This chapter concentrates on how to use Active Directory and Group Policy to configure and secure systems, but it does not tell you what settings to use. Additional chapters in this book provide information on the use of specific security settings and alternative ways to implement security. The following chapters are specifically related to using Active Directory to secure Windows Server 2003: The impact of trust relationships on security
Chapter 8, "Trust" Troubleshooting Group Policy Implementation
Chapter 9, "Troubleshooting Group Policy" Securing Active Directory
Chapter 10, "Securing Active Directory"
In this chapter, you'll learn how to use many of these tools successfully based on a sound understanding of the role that Active Directory can play in security, and how to map your written IT security policy to Group Policy settings. |