The use of Microsoft's Active Directory (AD) in today's networks far exceeds past dependencies on LMHOSTS, WINS and MSBrowing. Yet AD's security features and services receive little attention. Unlike other Microsoft
Active Directory contains automated services that provide load balancing, network integration and security far beyond any previous naming resolution service offered by Microsoft. Original use of the LMHOSTS and HOSTS files was too manual a process, while WINS and MSBrowsing loaded down networks with miscellaneous transmissions beyond simple user communication. MSBrowsing was also difficult to secure via firewalls and other security devices.
With the release of AD within the Windows 2000 platform, Microsoft corrected many of these dependencies. For authentication, AD uses the native TCP/IP (all ports), Kerberos (port 88) and LDAP (Port 389 and 636). For printer sharing, AD uses SMB over IP (port 445; it's no longer necessary to use NetBIOS), and for standard TCP/IP name resolution, AD uses DNS (port 53). If necessary, RPC and SMTP can be used, but they are not recommended due to security concerns.
In the past, dependencies were placed on the network to provide the fastest method of communication between devices. However, AD provides load balancing and interrogation of the network for routing and path-of-least-resistance information. Functioning at the application layer (#7 of the OSI model) ensures that each AD device is updated and current, yet still using standard routing protocols such as OSPF, RIF and others at the network layer (#3 of the OSI Model). Reliability at both layers ensures proper replication of critical data that is transparent to both the user and usually the system administrator. Authentication between devices is also secure using a range of methods, including passwords and digital certificates.
Unlike many other products, Active Directory installs easily out of the box with the default configuration. Advanced networks may require additional configuration but not much beyond the standard installation. Replication and security are controlled within the overall domain infrastructure and services provided by AD. Although only considered a service of Windows 2000 and 2003, Active Directory is an excellent, easy to use Microsoft product that is typically overlooked, but functions very well the first time.
About the author
Ed Yakabovicz, CISSP, is vice president of the Delaware Valley ISSA Chapter and an expert on SearchSecurity.com. Ed has more than 20 years of experience in this field and has written two books on information security.
This was first published in February 2004