This paper is concerned with the number of issues that occurred inside the IT infrastructure of the Transportation Railways (TR) Company. It operates a railroad system in both the United States and Canada. As TR’s network environment based upon the Active Directory (AD) technology, it is organized into the multi-domain forest. Four regional domains that named north.transnatrail.com, south.transnatrail.com, east.transnatrail.com, and west.transnatrail.com are subordinated to the root domain transnatrail.com. Similarly, AD sites for each domain are named North_Site, South_Site, East_Site, and West_Site, and reside under the forest root domain HQ_Site. There are several scenarios considered from the standpoint of the TR’s network administrator.
The workplaces of Supervisory Conductors (SCs) are distributed across several geographic regions. As SCs have to access the transport control module and other Active Directory resources, the corresponding policy must be introduced within the AD forest. Two CSs belong to the global group inside the forest root domain, whereas child domains incorporate three CSs each. It is necessary to allow the access of all CSs to the HQ domain resources, in the same time blocking the access to all other domains except their own.
In order to perform such a configuration, several approaches are possible. For instance, the permission model called the Account Global Group (AGP) would be able to grant the access to HQ _Site domain resources for SC_North, SC_South, SC_East, and SC_West groups. However, regional SCs’ accounts will have to be added to the group different from SC_HQ, as AGP group type denies the possibility of including other domains’ members into the HQ global group. Consequently, such an approach increases the complexity of the solution.
The most practical action will be to employ the account permissions’ type called the “Accounts Global group, Universal group, Domain Local group” (AGUDLP). This permission type is specifically designed for the multi-domain forests, making no sense whatsoever in the single domain. The SC_HQ group must be of the Universal Group type in this case. Then the regional SC_North, SC_South, SC_East, and SC_West global groups will become members of the same Universal Group, which in turn becomes the member of the Domain Local Group within the root domain. As a result, the HQ domain’s resources will be available for all SCs regardless of their geographic positions while the regional SCs’ access to neighbor domains will be restricted.
The mass TR’s hiring resulted in the creation of hundreds new workplaces. All freshly hired employees will work in company’s HQ in different departments. Consequently, hundreds of new domain accounts must be created at once.
Obviously, new employees’ accounts will belong to separate groups, as users of different departments will have diverse needs in utilizing the domain resources. In order to simplify the scenario there is an assumption that most of new users will be added to existing domain groups. The HR department has to provide the list of new employees with indications as to their departments’ membership; most likely, it will be the MS Excel export out of HR accounting system. Then the system administrator will group new users by departments and create the number of corresponding .csv files (Comma Separated Values format).
There are two command-line tools in the Windows 2008 environment that are able of bulk users’ creation out of .csv files: ldifde and csvde. Both commands can be incorporated in the batch script; for instance, using the PowerShell scripting. The ldifde is available on any domain controller or client workstation that has the AD LDS (Active Directory Lightweight Directory Services) server role installed. The system administrator will create the script and feed it the .csv files containing new users’ details. Finally, the script will be launched from the elevated command prompt (with administrative privileges), creating actual users’ accounts.
The main difference of the csvde tool is that it can process .csv inputs only and is unable to modify or delete the existing objects. For the purposes of the mass user creation considered here, the use of csvde and ldifde differs by their command syntax only. The use of both tools is considered to be the best practice for the bulk Active Directory objects’ creation (Morimoto et. al, 2008).
There is a task assigned by the TR’s senior network administrator to develop the plan for users’ education on the importance of IT security. It does not have to be as comprehensive as for the most sensitive administration roles; however, the basic network security approaches must be covered. In order to execute the task, several slide presentations had been prepared, as shown on Diagrams 1-3.
Diagram 1 outlines the common rules for the use of passwords in Active Directory environment. There is an assumption that users are being asked to change their passwords as they log into the system for the first time, as well as every 40 days. The Kerberos subsystem, which is responsible for the users’ authentication, makes sure that new passwords never repeat those that already expired. In addition, passwords should comply with certain characteristics that are mentioned in the slide.
The second slide (Diagram 2) presents the basics for the email security. Users are warned about the unauthorized use of email and possible threat of malicious attachments. The antivirus protection is explained on Diagram 3. Again, there is an assumption that the centralized antivirus solution is present in the TR’s Active Directory. However, this slide increases the user’s awareness of potential threat.
Of course, this security education is very basic and designed for broad users. More fundamental course of IT security should be mandatory for administrative roles. It must cover the mechanisms of malware, comprehensive antivirus protection, and defense from Internet attacks, such as DDoS (Distributed Denial of Services).
There is a task to create multiple OUs (Organizational Units) for the number of new employees. Many of those employees will soon migrate to different departments. It is necessary to facilitate such organizational changes by the effective AD management.
The concept of OU plays the major role in the Active Directory architecture. The Organizational Unit can comprise many domain objects, establishing the strict hierarchy within the Active Directory and simplifying its administration. OUs are flexible and can even contain other OUs. There are benefits in applying the GPOs (Group Policy Objects) to OUs instead of other AD objects as OUs generally inherit the company’s organizational structure. It is most practical to associate an OU with the department because user roles in any particular department are likely to be the same.
The other benefit of using OUs in this scenario is associated with the administrative rights’ delegation. There is a policy within the TR’s IT infrastructure that allocates particular departments (represented by OUs) to the care of certain junior system administrators. With the rights delegation on the OU level, they have full administrative rights for the particular OU only.
As the mass employees’ migration to different departments is expected, their accounts must be moved between OUs as well. It can be done manually one by one, but it is not practical for the large number of employees. The best solution for the bulk users’ migration is the dsmove command line utility (Tomsho, 2009). It can be incorporated in the script of same type as in Case 2, moving hundreds of user accounts at once.
As in the previous scenario, there are multiple OUs corresponding to different TR’s departments. The number of GPOs will be introduced in order to strengthen the network security and facilitate the audit. Various approaches for creating such Group Policies are possible. They must be considered with regard to implications that may follow.
Usually, the most obvious security policies that affect the users’ accounts are in place by default. However, the accounts’ security can be strengthened at some levels that are easy to overlook. One of them is the Account Lockout Policy, which requires the modification in this scenario. It is a good practice to restrict the number of logon attempts to three. Whenever the limit is exceeded, the user’s account is blocked and system administrator must review the case. This policy seems rather simple but often helps preventing the unauthorized Active Directory access, as sometimes users’ passwords are too easy to guess. The obvious implication of this policy is the increased number of genuine users attempting to log into the system with expired password.
In order to enhance the audit with regard to the Active Directory security, the most comprehensive policy is the Audit Directory Service Access. It provides the low-level search for all changes to AD objects. This policy can detect exact fields of OU, user account, or any other Active Directory object that were accessed even without the modification. The policy is extremely useful in the investigations that follow the security accidents (Richards et. al, 2008). In order to prevent such accidents, significant amount of security administrator’s time is required. That is due to the vast number of accessing events in the audit’s output, and the lack of analyzing tools.