Active Directory Policies

The University of Texas Pan American
Active Directory Service Policies
Document Change Control

| Version Number | Date Issued | Author/Editor | Description of Change |
|---|---|---|---|
| Draft 1.0 | 11/20/2003 | Nancy Verastegui | Edited Stanford policy to come up with a UTPA policy |
| Draft 1.1 | ? | Leota Hull | Revising for readability by nontechnical management and for completeness. |
| Draft 1.2 | 4/8/2004 | Nancy Verastegui | Modified section titles and document footer. |
Review/Approval Record

| Version Number | Date Reviewed | Reviewer/Approver | Reviewer/Approver action |
|---|---|---|---|
Page 1 of 8
General Service Policies
The management, administration and use of the UTPA Campus Active Directory (AD)
Services are bound by the policies set forth in this document.
The UTPA Campus Active Directory infrastructure is deployed to enable higher levels of
functionality, greater security, and more economical management of campus desktop
computers and their associated services. For most areas of the campus, participation in
the Campus Active Directory is beneficial. However, participation is not mandated for
any department or user.
Where users, offices or departments have not participated in the campus AD infrastructure, the availability of services and the impact to their areas have not been, and generally will
not be, assessed or planned for in the initial roll out of AD. Subsequent services to those
areas will be considered (when requested) and will be provided as budget and resource
constraints permit. Access to the resources and services hosted by Information
Technology and other departments participating in the Campus Active Directory structure
will generally require a UTPA domain account. The impact to users not participating will
be, at a minimum, a separate login procedure that may or may not be secure. For some
systems and services, access will not be available to those who do not have a UTPA domain
account and are not additionally using a computer that is within the Campus UTPA Active
Directory Infrastructure.
Administrative Control
Active Directory administration will be delegated to different administrative roles. Each
of these roles requires a level of competence in the general infrastructure and in Active
Directory. Administrators will be required to attend at least two technical Microsoft
certified classes in server administration and Active Directory before being considered for
a role.
Abuse of administrative privileges will be subject to any or all the administrative and
disciplinary processes outlined in applicable operating policies and procedures of the
university.
Three roles are created to administer Active Directory: Enterprise Administrators,
Domain Administrators and Organizational Unit Administrators. Creation of
Administrator Accounts may be requested by completing and sending the Privileged OU
Admin Account Form to the Computer Center. The appropriate information resource
owner’s signature is required on the form to authorize the level of access being requested.
Enterprise Administrators
Enterprise level administration is a requirement of the technology. Microsoft’s Active
Directory system does not function without Enterprise level administration. So, even
though the enterprise administrator accounts have very high access across the directory,
this level of administration is a basic requirement. The role of enterprise level
administration is to ensure that the infrastructure services run smoothly, and integrate
with existing infrastructure services. These accounts have the inherent ability to take
ownership of any resource in the Windows Infrastructure, and read or modify those
resources. This level of authority and responsibility requires a high level of
accountability. Additional access control factors will be employed for these accounts. A
manual lock box scheme will be used to control use of the accounts such that the
administrators must go through a process of acquiring the access information from a
person not under their supervision in order to use the special accounts.
Enterprise administrator accounts are restricted to logging in via 3 domain controllers.
All use of privileges by these accounts is audited for review by both the IT Security
Office as well as by Internal Auditors Office. Enterprise administrators will only take
ownership or use their privileges on domain resources when requested to do so by
someone with the appropriate authority, or in a case of emergency when failing to do so
will put UTPA resources at risk.
Domain Administrators
Domain administrators hold a level of authority comparable to enterprise administrators
for their domain resources. Use of their privileges will also be audited. Accounts with
this level of authority will be issued only to Computer Center Systems staff responsible
for the Active Directory Infrastructure management. Membership of each of the domain
administrator groups is strongly protected via a mandatory site restricted group. Changes
to the mandatory site group can only be made by enterprise administrators.
OU Administrator Accounts
Organizational Unit Administrators will find themselves in possession of two accounts.
The first, a regular UTPA account, is used for general staff-related duties at the
University. The second account, an administrative privilege account (oua), is used for
performing the duties of a Windows system administrator. An administrator’s regular
UTPA account must never be used to perform administrative duties. We recommend that
administrators use the “Run as …” command to switch between their two accounts.
Administrators are welcome to delegate administrative rights in their OU to another
administrator’s administrative account, subject to any policies that their department may
have. Browsing through other OUs is not allowed without prior authorization.
All administrative accounts and administrative group accounts will reside within a
special, hidden account OU in the UTPA domain. Membership of each of the OU Admin
groups is strongly protected via a mandatory OU policy. Changes to the mandatory OU
policy can only be made by domain administrators. Objects within this OU cannot be
enumerated by non-administrative accounts, which limits exposure to security break-ins.
This special OU employs a mandated account lockout policy as a means of limiting brute
force attacks on the privileged administrative accounts.
All actions taken by all accounts are subject to monitoring and audit; this is especially
true for system administrative level accounts. All administrative accounts shall be
named such that administrative level and user level accounts are readily apparent in
the audit logs.
Work study/Direct Wage Accounts
Administrator accounts may be created for special student workers. These accounts will
have specific and minimal privileged access to resources within their relevant
organizational unit to allow them to perform daily tasks and functions. Their
responsibilities will include:
- Support and maintenance of divisional and/or school computers and services.
- Adding computer accounts to the domain.
- Application of service packs, patches and fixes.
Those areas employing students for this work are responsible for ensuring the appropriate
training and supervision of the students.
Vendor Accounts
Vendor accounts will be created on a case-by-case basis and will only be given the access
level and access to resources necessary to complete their tasks and functions. Accounts
will be disabled expeditiously after a vendor has finished its tasks or functions.
User Accounts
All persons associated with the university (as defined and permitted by university policy)
will generally also have an account in the UTPA domain. The domain accounts will
generally be populated automatically when the users’ electronic identity or campus email
account is created. Manual creation of accounts by Computer Center AD System
Administrators will be used only as required to handle exceptions. As technology
changes are made to the “campus identity management” infrastructure, the set-up of
technology will strive to minimize the number of different username/password pairs each
user has, to achieve as closely as possible a single sign on environment for the campus.
No user accounts may be created in UTPA domain, except for those generated via the
automated processes, so that unique user IDs exist for each student, staff, and faculty
member that are common between Active Directory and other campus-wide level
information systems. Any UTPA user accounts created outside this process may be
deleted or disabled without notice. Sponsored accounts and Departmental Accounts may
be requested through the Computer Center account generation process UIC form. Staff
from the Computer Center-Systems will handle the creation of all Active Directory
Service user, resource, and/or service accounts. Requests should be processed by sending
the UIC and Special Server Access forms to the Computer Center Distribution Desk.
Domain Authentication
Users logging in from any Windows 2000 or Windows XP desktop should use the
“UTPA” domain to log in. Users of Windows 9x and Millennium Edition should enable
NTLM 2 to log in to the domain. Please refer to the Microsoft article How to enable NTLM 2
Authentication. Users can synchronize their passwords or reset their passwords using the
UTPA Password Maintenance Page.
Domain Computer Accounts
When a computer is joined to a domain, a computer account is created in that domain.
We urge that the departmental computers be added to the UTPA domain by first adding
the computer name into the departmental OU using Active Directory Users and
Computers MMC. Any computer account that has remained in an inactive state for over
180 days will be automatically disabled and moved to Inactive Computers OU. A
computer account that has been disabled for over 30 days will be automatically removed
by Systems staff.
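The two thresholds stated above (disable and move after 180 days of inactivity, remove after 30 days disabled) can be enforced with a scheduled script. The following is an added example, not a procedure from the UTPA policy or the Computer Center; it uses the ActiveDirectory PowerShell module (which did not exist when this policy was written) and assumes placeholder values for the domain DN and the "Inactive Computers" OU path. Because Active Directory does not record when an account was disabled, the script stamps the disable date into the Description attribute and reads it back for the 30-day check; that stamp format is the example's own convention.

```powershell
# Added example (not part of the UTPA policy document): enforces the stale
# computer-account lifecycle described above. Placeholders to adapt: the domain
# DN, the Inactive Computers OU path and the Description stamp text.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainDn   = 'DC=utpa,DC=edu',                        # assumption
    [string]$InactiveOu = 'OU=Inactive Computers,DC=utpa,DC=edu',  # assumption
    [int]$InactiveDays  = 180,   # policy: disable and move after 180 days inactive
    [int]$DisabledDays  = 30     # policy: remove after 30 more days disabled
)

$stampPrefix = 'Disabled by stale-computer policy on '   # written into Description

# Step 1: enabled computers with no logon for $InactiveDays days.
# Search-ADAccount evaluates lastLogonTimestamp, which replicates with a lag of
# up to 14 days, so an account can be up to two weeks "more active" than it looks;
# the 180-day threshold absorbs that comfortably.
$stale = Search-ADAccount -AccountInactive -ComputersOnly `
            -TimeSpan (New-TimeSpan -Days $InactiveDays) -SearchBase $DomainDn |
         Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$InactiveOu" }

foreach ($c in $stale) {
    # ShouldProcess honours -WhatIf, so the script can be dry-run before scheduling.
    if ($PSCmdlet.ShouldProcess($c.Name, "disable and move to $InactiveOu")) {
        Disable-ADAccount -Identity $c.DistinguishedName
        # Record the disable date: whenChanged is not usable as a clock because any
        # later attribute edit resets it.
        Set-ADComputer -Identity $c.DistinguishedName `
            -Description ($stampPrefix + (Get-Date -Format 'yyyy-MM-dd'))
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $InactiveOu
    }
}

# Step 2: disabled computers in the holding OU whose stamp is older than $DisabledDays.
$cutoff = (Get-Date).AddDays(-$DisabledDays)
Get-ADComputer -SearchBase $InactiveOu -Filter 'Enabled -eq $false' -Properties Description |
    ForEach-Object {
        # Only objects this policy disabled carry the stamp; anything else is left
        # for a human to look at.
        if ($_.Description -notlike "$stampPrefix*") { return }
        $disabledOn = [datetime]::ParseExact(
            $_.Description.Substring($stampPrefix.Length), 'yyyy-MM-dd', $null)
        if ($disabledOn -lt $cutoff -and
            $PSCmdlet.ShouldProcess($_.Name, 'remove computer account')) {
            Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false
        }
    }
```

Run it with -WhatIf first to see which accounts each step would touch. Two caveats for anyone adapting it: a computer object that has child objects (for example stored BitLocker recovery information) cannot be deleted with Remove-ADComputer and needs Remove-ADObject -Recursive instead, and the Description stamp is a free-text attribute that an OU administrator could overwrite, so the holding OU should be writable only by the Systems staff who run the job.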
Desktops
Desktop machine management and policy development will be the sole responsibility of
the departmental technician or Support Services. The infrastructure will provide the
environment and administrative roles to control user desktops. Desktops will not be
allowed to share data, printers, applications or services. If a user has a specific reason to
share services, it must be evaluated by the departmental technician, Security Office and
Supervisor before it is shared. The default policy for all desktops will be to not share
resources.
Servers
Servers that join the domain will be placed in the respective OU under Campus Servers. No servers
that provide general services will be allowed to join the domain. All servers will follow
the UTPA HOP Policy 8.9.4 Server Management Policy. Servers will be evaluated by
ITS staff prior to joining the domain to determine the level of compliance with HOP policy.
Member servers will not contain local user accounts unless required by the application or
service hosted. Account authentication for services or applications will be required to use
a UIC from the UTPA domain.
Schema Extensions
The UTPA Schema will not be extended unless the proposed extension will demonstrably
benefit the university as a whole, is supportable and scalable for the enterprise, and will
have minimal impact on service delivery. Requests for schema changes are submitted to
the Computer Center. After evaluation and assessment by the Systems Staff, a
recommendation for implementation timing, the precise specification of the change, and
an assessment of impact on all AD users will be made to the committee. Committee
approval is required before any changes are implemented. Testing of the change is
required, but may occur before or after the Systems staff’s recommendation.
Domain Change Control
All modifications to the domain configuration should be documented, and must be tested
on the test environment prior to production deployment.
Naming Convention
A naming convention for all computers, groups, organizational units (OUs) and group policy
objects (GPOs) will be strictly enforced. This is necessary to maintain a unique
namespace in UTPA. In addition, a naming convention will simplify administrative
tasks. Before you add a computer, group, OU or GPO to the UTPA domain, please read the
UTPA naming convention documents.
Departmental/School/Campus OU creation
University Organizational Units (divisions, departments, schools, etc.) may apply to
have an OU container created for the purpose of managing their resources within the UTPA
domain. Organizational Units will be placed within the division OU where they are
located. The local administrators for a given OU should work with their faculty and staff,
and their users, to determine the best OU functionality for their unit. Local administrators
for a given OU should take care in securing, managing, delegating, and creating sub-OUs, GPOs and other resources within their OU, since they manage, and are
responsible for, these aspects of their Organizational Unit. Please read the UTPA OU
creation procedure.
Group Creation
Groups should be used to grant access to resources, as opposed to individual users.
Groups can have users or computers as members and can also be nested, i.e. groups can
be members of other groups. Creation and modification of groups can be done using
Active Directory Users and Computers. OU Admins can create additional groups in their
OUs, but must adhere to these guidelines. All groups:
- must be “Global” security groups,
- must follow the naming policy as outlined in the UTPA naming convention,
- must contain a meaningful description of what the group is used for in the
“Description” field.
NOTE: On a Windows 2000 computer that is a member of the UTPA domain, the "Authenticated Users" built-in group
includes accounts from UTPA. Therefore, the "Authenticated Users" group should be used with discretion.
If you want to limit permissions on a resource to only users that are affiliated with the University, the best
practice is to use the "Domain Users" built-in group.
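An OU administrator can check a departmental OU against the three group rules above before a review. The script below is an added example, not code from the UTPA policy or the Computer Center: it uses the ActiveDirectory PowerShell module, and both the OU path and the name pattern are placeholders, since the real UTPA naming convention lives in a separate document that is not reproduced here.

```powershell
# Added example (not part of the UTPA policy document): reports groups under a
# departmental OU that violate the scope, category, naming or description rules.
# Placeholders to adapt: the OU path and the naming-convention regex.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase = 'OU=Departments,DC=utpa,DC=edu',   # assumption
    [regex]$NamePattern = '^[A-Z]{2,6}-[A-Za-z0-9]+$'         # placeholder, not the UTPA convention
)

function Test-UtpaGroup {
    # Evaluates one group against the policy and returns a row describing every failure.
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group)
    $problems = @()
    if ($Group.GroupScope -ne 'Global') {
        $problems += "scope is $($Group.GroupScope), must be Global"
    }
    if ($Group.GroupCategory -ne 'Security') {
        $problems += "category is $($Group.GroupCategory), must be Security"
    }
    if (-not $NamePattern.IsMatch($Group.Name)) {
        $problems += 'name does not follow the naming convention'
    }
    if ([string]::IsNullOrWhiteSpace($Group.Description)) {
        $problems += 'Description field is empty'
    }
    [pscustomobject]@{
        Name              = $Group.Name
        DistinguishedName = $Group.DistinguishedName
        Compliant         = ($problems.Count -eq 0)
        Problems          = ($problems -join '; ')
    }
}

# Description is not returned by default, so it must be requested explicitly.
$report = Get-ADGroup -SearchBase $SearchBase -Filter * -Properties Description |
    ForEach-Object { Test-UtpaGroup -Group $_ }

$report | Where-Object { -not $_.Compliant } |
    Sort-Object Name |
    Format-Table Name, Problems -AutoSize

"{0} of {1} groups compliant" -f ($report | Where-Object Compliant).Count, $report.Count
```

Distribution groups and Domain Local or Universal scopes are reported rather than changed, because converting scope can silently break existing nesting; the fix should be made deliberately in Active Directory Users and Computers by the OU administrator who owns the group.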
Active Directory Procedure Creation
To establish quality assurance methods with appropriate levels of change control and
quality control in the management of the data center and in the integration, implementation,
and development of the technology and systems, all procedures for Active Directory must
be documented using the Quality Assurance (QA) format and reviewed by the committee.
Support Model
Active Directory Services follows the University distributed support model for
computing services. The Departmental Support Provider (DSP) may serve as the first
level, or may choose to escalate issues to the IT Help Desk. The DSP or HD may escalate
issues to the Systems Team for final resolution.
Windows 2000 Network Services
Windows 2000 network services such as Exchange, DHCP, DNS, Kerberos, RAS and
WINS that are improperly configured can cause service interruptions for other
departments. Operating one of these services without first consulting Computer Center
may result in temporary disconnection from the network.
Windows 2000 Forests and Domains
The UTPA Active Directory is a single forest, single domain model. Two-way trusts
between UTPA domain and University schools, departments and affiliated units
operating legacy Windows NT/2000 domains will not be established.
For all UTPA schools, departments, and affiliated units operating legacy Windows
NT/2000 domains, only one-way, non-transitive trusts will be permitted, after being
reviewed and approved by the committee.
Child domain requests will be reviewed by the committee and should meet the following
criteria: domain controllers will be managed by Systems staff, servers should be
redundant, and the domain must meet the control and secure environment standards.
Roaming Profiles and Individual Logon Scripts
Because they are very difficult to support within a large domain and to limit network
traffic, roaming profiles and logon scripts assigned to individual users will not be
supported within the UTPA domain. The Windows 2000 Active Directory provides other
advanced features such as group policies and folder redirection to define the user
environment.
Software License Compliance
Prior to joining the UTPA Infrastructure you must ensure that your system adheres to
Microsoft software licensing policy. Ongoing compliance is also required after you have
joined the domain. Since non-compliance can conceivably affect any service provider
within the domain, it is in UTPA’s best interest to make sure licensing is in order. IT
Systems staff will not provide Windows 2000 Server licenses. Windows desktop
licenses are covered by our Campus Enterprise Agreement. Media can be purchased
through the University Bookstore software program.
Service Level
The Active Directory Services architecture was designed to provide continuous service
delivery without interruption or impact due to maintenance or hardware failure. In the
event of a service interruption or modification, Computer Center Systems procedures will
be implemented, including notification and resolution.