- The Evolution of Directory Services
- Understanding the Development of AD DS
- AD DS Structure
- Outlining AD DS Components
- Understanding Domain Trusts
- Defining Organizational Units
- Outlining the Role of Groups in an AD DS Environment
- Understanding AD DS Replication
- Outlining the Role of DNS in AD DS
- Outlining AD DS Security
- Getting Familiar with AD DS Features in Windows Server 2016
- Best Practices
Outlining AD DS Security
The security built around Active Directory was designed to protect valuable network assets. Development of Windows Server security has also been affected by the Trustworthy Computing initiative by Microsoft, which changed the primary focus of Microsoft products to security. In a nutshell, Microsoft continues to improve the security of its products, and all new features must pass a security litmus test before they can be released. This initiative has affected the development of all Windows Server operating systems and it’s evident in the security features of Windows Server 2016 as well.
Understanding Kerberos Authentication
Kerberos was originally designed at MIT as a secure method of authenticating users without actually sending a user password across the network, encrypted or not. Being able to send a password this way greatly reduces the threat of password theft because malicious users can no longer seize a copy of the password as it crosses the network and run brute-force attacks on the information to decrypt it.
The actual functionality of Kerberos is complicated, but essentially what happens is the computer sends an information packet to the client that requires authentication. This packet contains a “riddle” of sorts that can be answered only by the user’s proper credentials. The user applies the “answer” to the riddle and sends it back to the server. If the proper password was applied to the answer, the user is authenticated. Although used in Windows Server 2016 and earlier, this form of authentication is not proprietary to Microsoft and is available as an Internet standard. For a greater understanding of Kerberos security, see Chapter 12, “Server-Level Security.”
Taking Additional Security Precautions
AD DS implementations are, in essence, as secure as the Windows Server 2016 environment in which they run. The security of the AD DS structure can be increased through the utilization of additional security precautions, such as secured server-to-server communications using IPsec or the use of smart cards or other encryption techniques. In addition, the user environment can be secured through the use of group policies that can set parameter changes such as user password restrictions, domain security, and logon access privileges.