Windows Server Security Practices
Elements Required for Active Directory
Microsoft DNS - This is a very different animal in Windows 2000/3 compared to NT4, not because of the way it does anything but because of what it is used for. Microsoft NT4, Windows 95/8 uses WINS - the Windows Internet Naming Service (rather confusingly named) to locate each other over inter-connecting LANs. The system basically works with DHCP, the Dynamic Host Configuration Protocol which ascribes an IP Address to your Network Interface Card and supplies the Default Gateway, DNS Server and WINS server and also registers you with WINS at the same time. One WINS server then replicates with another on another LAN and then the hosts can look up your workstation on their own LAN and the communication can be successfully routed between machines. DNS was simply for looking up domains on the Internet at this stage and had a 'Reverse WINS Lookup' feature for tracking down workstations from the DNS server. Microsoft DNS on Windows 2000 has the option of being entirely dynamic. It can be configured to live in Active Directory, has built in reverse lookup and is updatable just as WINS is from the DHCP server negotiation.- better!
TCP/IP - The Transport Control Protocol / Internet Protocol. This is just moving from it's fourth to sixth incarnation at present and it is a complicated protocol. It is routable in more ways than you can wave an Ethernet cable at and with version 6 supports IPSec as standard. It is the basis of nearly all inter communication of computers today, whether we are talking about Macintosh, Netware, Linux or Windows, they are most likely using TCP/IP to speak with their cohorts. Microsoft have favoured it for some time whilst Netware moved over at version 5. Macintosh jumped on the wagon (as opposed to leading the way as they normally do) and began dropping AppleTalk with the arrival of OSX. Although TCP/IP is referred to as a single protocol it is not. It is a standard set of amalgamated systems and the resultant protocol lives in layer 3 of the standard model. As with all other communications protocols, TCP/IP is composed of layers:
The Internet Protocol (IP) - is responsible for moving packets of data from one node to another. IP forwards each packet based on a four byte destination address (the IP address). The Internet authorities assign ranges of numbers to different organizations. The organizations assign groups of their numbers to departments. IP operates on gateway machines that move data from department to organization to region and then around the world. Each computer using the internet can do so because at some level it is using an IP address. Typically in most networks nowadays your LAN may have only one 'real' IP address at your router or firewall and your computer may use a 192.168.x.x or 10.1.x.x address. These are reserved address sets for computers in internal LANs and are assigned to no one. This is made possible by NAT and PAT which stand for Network Address Translation and Port Address Translation which is performed by your router or firewall so as to redirect any traffic your machine requested back to you.
The Transport Control Protocol (TCP)- is responsible for verifying the correct delivery of data from client to server. Data can be lost in the intermediate network. TCP adds support to detect errors or lost data and to trigger retransmission until the data is correctly and completely received. TCP makes TCP/IP a very robust system and allows different sections of the Internet to fall over and reroute data constantly and seamlessly.
Port Numbers - is a name given to packages of subroutines that provide access to TCP/IP on most systems. A socket is a combination of a port number and an IP Address and therefore uniquely identifies a network process on any individual network. There are many standardized port numbers such as 80 for HTTP and 25 for SMTP etc. A port number is basically a feature of a packet just like the routing header. It is a property that, instead of deciding where it is going, like the IP Address, it decides what it will do when it gets there and most likely whether it will be allowed to get there or not.
Microsoft Active Directory - Don't be put off by the way this is continuously described by Microsoft as all sorts of different things. The simple nuts and bolts of it are most easily described as follows. AD is a secured and replicated set of files shared around the domain or domains that allow all of the clients and servers to share and use information. For those of us familiar with the nuts and bolts of a Windows PC, it's like a replicated registry that is shared around the Domain Controllers. It sits in different files, just like the registry did, and it can be edited with a straightforward tool, just like the registry. It relies on five central roles for a forest to function. (A Forest is a collection of Domain Trees - yes I know very clever etc.) The replicated information that is shared to non DC clients is stored in the SYSVOL share on a DC and there will be a folder inside for each domain storing policies, scripts and other information. The old Netlogon share is now inside of the shared SYSVOL directory but is still shared as Netlogon for backwards compatibility. The Database of all DC only AD information is kept inside %systemroot%\SYSVOL - note that the SYSVOL folder shared to clients is inside of the first sysvol directory i.e. at %systemroot%\SYSVOL\SYSVOL. The database itself and the log files by default are kept in %systemroot%\WINDOWS\NTDS but the location can be specified when installing Active Directory to a server.
FSMO Roles - Flexible Single Master Operations (Pronounced by all the guys on the Microsoft Websites as Fuszmo.) So there you are, after all of the fuss Microsoft made about Windows 2000/3 no longer requiring a PDC or BDC it turns out that there are five different sorts of the darn things.
PDC Emulator - All Winnt fans know what this guy is bound to do. He emulated the old PDC on behalf of backwards compatibility. He also creates group policy objects and synchronizes the w32time service.
RID Master - Hands out the Global Unique Identifiers to each Domain Controller. Each object in Active Directory must have one to be indexed in the registry-like list. The RID hands out different sets to each DC for labelling all of the objects created on it.
Infrastructure Master - This guy is the Ambassador. He is monitoring everything to do with memberships of trusts and other domains. He checks that you are allowed into the country by having a good look at your passport- well you know the way things are these days.
Domain Naming Master - This ol' gal is the only central repository for child domain names. There is only one in an attempt to prevent duplicate domain names. Just as well, duplicate computer names are bad enough!
Schema Master - This fellow is responsible for changes to the Schema of Active Directory. In other words he is the man who alters the way in which data is stored inside of any types of object. If you want to add a field to the standard computer object then you've got to ask him.
OK so there we have it. It is worth remembering that Active Directory is dependant, not only on all of the FSMO bear roles but also on TCP/IP and Microsoft DNS because without either there is no transport with or from Active Directory.
So based on these observations we will start with a few pointers. When you are building or designing your new Windows Active Directory you will want to minimize network traffic and administration and to optimize ease of use. This may seem a confusing and daunting task but let us get things in perspective. Active Directory goes a long way to doing this itself and the design does not have to be completed before you begin your upgrades/installs. If it is not a huge network - i.e. less than 10 sites and 20 Domain Controllers - you are not going to notice a huge impact on how you do things anyhow, unless there are a lot of different bandwidth connections. Windows Active Directory is based on replication and it can cause networking problems and bottlenecks when it gets itself confused and is using all of the available bandwidth, but these services can be stopped if they are bringing things to a halt whilst you work out what is going on. Active Directory does do some funny things just because of the order in which it is created so make sure you design your Upgrade path from the centre of your networks where the most bandwidth lies moving out gradually toward the more remote slower sites. But all of this is scare-mongering as much as anything else. If you are just upgrading or designing a single LAN network then the most important part is to choose the correct specification of servers and make sure you have checked with manufacturers and software designers that the upgrade paths have been tested and are supported. (This still doesn't guarantee anything so if you can, test it on a dummy example.) The worst kind of Microsoft designers are those who come to the job with all of the AD knowledge in the world but have neglected to think about where the servers will be plugged in. Try and effect a policy of security and robustness in where the servers are and how they are looked after as well as in how Windows is configured. Many server compromises are at source, remember that.
Some services work better together than others. The Domain Controllers should be DNS Servers, there is no point having a domain controller if it has no access to DNS and it forgoes the risk of losing communications during adding and removing Domain Controllers which can lead to catastrophic results. If there is a DNS server on board then you always at lease have a single copy of what is happening in the domain and it can be replicated once network communications have been restored. If there is only one DC in a site then they should be set as a Global Catalogue, a Global Catalogue keeps a copy of every object in the forest and if a site needs information on part of the forest it must be able to retrieve it without running home to momma down a slow connection. Sometimes replication must be set to copy to more remote sites when the office is out of use to retain bandwidth but replication can always be halted if a connection is beginning to feel the strain. Sites are important and define the replication characteristics of Active Directory. A site boundary should indicate where there is a connection to the main LAN over a lower bandwidth; just because you need a separate Windows site doesn't mean an separate Exchange site, Exchange is another animal when it comes to designing site boundaries.
A dedicated Domain Controller is always a good idea, a server that can deal with the FSMO roles which need not be distributed over different servers unless your domain exceeds 2000 clients. The FSMO roles are a difficult point because there are they are single entity for an entire domain. With enough changes being made to the domain the workload can become such that you will have to redistribute the roles to multiple servers, the name changing role and the schema and operations master are a good place to start. As a rule, if you are including Microsoft Exchange, the Domain Controllers should have the Active Directory Connector for Microsoft Exchange installed and it is also a good machine to have in charge of your antivirus and DHCP. WINS should be phased out once all clients and servers have been moved over to 8 or 10 and your network performance and reliability should start to increase as duplicate WINS entries and the need to replicate the WINS servers become things of the past.
Lastly always change the logon name for the Administrator account to something difficult to guess as a lot of the scripts that people run trying to compromise security rely on password lists which pre-supposes the administrator account login name.