Active Directory is an important aspect of enterprise management. The tool was developed in the late 1990s, previewed in 1999, and publicly deployed with Windows 2000. Initially meant to centralize domain management, its capabilities were upgraded in 2003 and again in 2008.
Active Directory allows network administrators to manage identity-related services for end user access to systems, applications, or other network resources, and governs end user software, files, and accounts. It is a centralized method of automating network management in a distributed environment. Active Directory is hierarchical, replicated, and extensible. Mismanagement or failure to keep up with change management can result in the loss of data, unauthorized system access, system downtime, and more.
Active Directory consists of multiple directory services:
- Domain services
- Lightweight Directory Services (LDAP)
- Certificate Services
- Federation Service
- Rights Management
Active Directory uses LDAP to assign domain names, SSL/TSL and Kerberos-based authentication for security, hierarchical and centralized data classification for faster and more accurate networking administration, and data availability across multiple servers for improved extensibility.
When setting up Active Directory it is important to first develop a robust domain controller security policy. Domain controllers authenticate and authorize all users and computers in a Windows domain network; unsecured domain controllers put the organization at risk for attack against shared folders and usernames. In addition, domain admin privileges themselves should be managed with the principle of least privilege so that compromise of admin privileges doesn’t result in an easily escalated attack.
It is also incredibly important to administer Group Policy settings correctly. Group Policy provides an automated, centralized method for configuring and deploying security settings to all computers and users within the domain. Two default settings come “out of the box”: Default Domain Policy and Default Domain Controller Policy. These are responsible for securing domain user account passwords and domain controllers respectively.