Secure by default: Active Directory's inherent security capabilities

The use of Microsoft's Active Directory (AD) in today's networks far exceeds past dependencies on LMHOSTS, WINS and MSBrowing. Yet AD's security features and services receive little attention. Unlike other Microsoft products, AD works correctly the first time out of the box with little tuning beyond the recommended configurations of a bridgehead and site link. Once the initial design and install is complete, AD functions securely with little to no assistance.

Active Directory contains automated services that provide load balancing, network integration and security far beyond any previous naming resolution service offered by Microsoft. Original use of the LMHOSTS and HOSTS files was too manual a process, while WINS and MSBrowsing loaded down networks with miscellaneous transmissions beyond simple user communication. MSBrowsing was also difficult to secure via firewalls and other security devices.

With the release of AD within the Windows 2000 platform, Microsoft corrected many of these dependencies. For authentication, AD uses the native TCP/IP (all ports), Kerberos (port 88) and LDAP (Port 389 and 636). For printer sharing, AD uses SMB over IP (port 445; it's no longer necessary to use NetBIOS), and for standard TCP/IP name resolution, AD uses DNS (port 53). If necessary, RPC and SMTP can be used, but they are not recommended due to security concerns.

In the past, dependencies were placed on the network to provide the fastest method of communication between devices. However, AD provides load balancing and interrogation of the network for routing and path-of-least-resistance information. Functioning at the application layer (#7 of the OSI model) ensures that each AD device is updated and current, yet still using standard routing protocols such as OSPF, RIF and others at the network layer (#3 of the OSI Model). Reliability at both layers ensures proper replication of critical data that is transparent to both the user and usually the system administrator. Authentication between devices is also secure using a range of methods, including passwords and digital certificates.

Unlike many other products, Active Directory installs easily out of the box with the default configuration. Advanced networks may require additional configuration but not much beyond the standard installation. Replication and security are controlled within the overall domain infrastructure and services provided by AD. Although only considered a service of Windows 2000 and 2003, Active Directory is an excellent, easy to use Microsoft product that is typically overlooked, but functions very well the first time.

About the author
Ed Yakabovicz, CISSP, is vice president of the Delaware Valley ISSA Chapter and an expert on SearchSecurity.com. Ed has more than 20 years of experience in this field and has written two books on information security.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Web Security Advisor,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Web Security Advisor DNS rebinding defenses still necessary, thanks to Web 2.0 New defenses for automated SQL injection attacks PCI compliance and Web applications: Code review or firewalls? Worst practices: Bad security incidents to avoid Web scanning and reporting best practices Social networking Web site threats manageable with good enterprise policy Enterprise security in 2008: Building trust into the application development process PCI DSS Section 6: A plan for tackling application security Making the case for Web application vulnerability scanners Preparing for uniform resource identifier (URI) exploits Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.