
Running Head: Active Directory Design and Implementation


Active Directory Design and Implementation

CMIT 495

Professor

July 30, 2017

Table of Contents

Introduction

Business Needs

Active Directory Policies and Features

Active Directory Structure

    Organizational Units

    Groups

    Group Policy Objects

Conclusion

References

Introduction

WWTC’s New York office will be highly autonomous, with only a few IT professionals on site at any given time. The on-site staff will mostly handle day-to-day issues such as password resets and minor troubleshooting, while higher-level administrative tasks are performed centrally. Because sensitive data will be stored at this branch, a well-developed Active Directory (AD) design must be planned and implemented to keep identity and configuration information current and accurate across the network. AD is a hierarchical directory of objects that provides authentication, authorization, and other network services to users across a domain and forest. WWTC’s AD design will span the entire organization as a single forest containing multiple domains, and the New York office will be one domain within that forest.

Objects within the AD structure represent users, groups, policies, devices, and services, and are replicated among the domain controllers of each WWTC domain. WWTC requires multiple network services that provide various benefits and additional security to the New York domain: productivity, security, authentication, segmentation along organizational lines, and redundancy of information. AD will serve as the central authority of the WWTC network and will manage each device and user on it. This adds to the overall scalability of the network structure, which is crucial for any business environment.

Business Needs

Business operations throughout the world are very dynamic and require up-to-date information at all times, and this is no different for WWTC. WWTC is a global organization that conducts business around the world at all hours. This means that information must be readily available across all domains within the WWTC forest at any given moment. Implementing AD at the New York office will meet that business need for information availability. AD will also meet the business goal of reducing overhead: once implemented, routine identity and configuration management runs automatically, and administrators only intervene when policy changes are required.

The network services available through AD will ensure that employees have constant access to the network and the resources on it. The domain will also be organized into Organizational Units (OUs) based on the actual organizational structure of WWTC and its departments. This aids security by ensuring that users are only able to access resources they are authorized to use. Group Policy Objects (GPOs) linked to these OUs limit what the users and computers within the OU may do, while group membership and access control lists restrict unauthorized access to data across the forest. Once configured, AD enforces these policies automatically, increasing security and data confidentiality. This solution meets multiple business needs by automating services and reducing overhead, while also increasing availability across the New York domain and the entire WWTC forest.

Active Directory Policies and Features

There are many AD-related services and features that benefit businesses and increase productivity. Deploying specific Windows Server features alongside AD for WWTC, such as BitLocker, BranchCache with cache encryption, Failover Clustering, IP Address Management (IPAM), Windows Deployment Services (WDS), and two-factor authentication, produces a deployment tailored to the WWTC domain. This is a key benefit of AD and Windows Server: the same product can be customized to fit the needs of different organizations. Table 1 lists the features mentioned above as well as other core services that should be deployed.

Domain Name System (DNS)

DNS provides name resolution for devices on the network, so users need only remember a friendly host or website name instead of an IP address. With reverse lookup zones configured, it also resolves addresses back to names. AD DS itself depends on DNS to locate domain controllers.

Dynamic Host Configuration Protocol (DHCP)

DHCP automatically delivers IP addresses and configuration information (default gateway, DNS servers, DNS suffix) to hosts on a TCP/IP network. Without this configuration, hosts could not communicate with other hosts or services on the network or on the Internet.

BitLocker

BitLocker is full-volume encryption for Windows devices. If a computer or drive is lost or stolen, the data remains protected even if the drive is physically removed and attached to another machine.

BranchCache

BranchCache stores, at the local branch, content that has previously been retrieved over the WAN link. This saves time and bandwidth because repeat requests for the same content are served locally instead of crossing the WAN again.

Failover Clustering

Failover Clustering is a group of servers that work together to provide redundancy and increase availability. If one node suffers a hardware failure, its clustered roles move to another node rather than taking the service down.

IP Address Management (IPAM)

IPAM gives centralized visibility into the IP address infrastructure, including the DNS and DHCP servers, address utilization, and which host held which address and when.

Windows Deployment Services (WDS)

WDS installs operating systems on hosts over the network (PXE boot) without a visit to each machine. This increases efficiency and reduces the time spent deploying new systems.

Table 1. WWTC Active Directory Services Overview

The WWTC AD deployment will consist of an OU structure that mirrors the organizational layout and uses GPOs to enforce security policies. As stated earlier, two-factor authentication will be adopted by WWTC. A straightforward implementation is issuing employees smart card ID cards that hold a logon certificate and are unlocked by a user-chosen PIN. This combines something the employee physically has with something the employee knows. AD DS supports this natively through smart card logon, and the "Smart card is required for interactive logon" account option can make it mandatory for sensitive roles.

As stated, the OU structure will be configured based on the organizational structure of the New York office, and the OU an employee is placed in is determined by the department they belong to. Along with this, each department will have a global security group in AD. GPOs linked to the OU enforce settings on its users and computers, while resource permissions are granted to groups, so group membership is what determines which data a user can reach. For instance, brokers should not have access to human resource files that contain sensitive information about other employees, so the HR file share grants access only to the HR department’s groups, and brokers are never made members of them. These global groups, working alongside the OU structure and associated GPOs, will ensure that WWTC employees only have access to the data they need to complete their daily tasks. This meets the business goal of increasing efficiency and security while establishing a set structure within the new branch.

DNS is a key component in navigating networks and the Internet. Without it, accessing resources outside the WWTC network would be very tedious and time consuming. DNS translates the names of network resources and websites to their IP addresses, so users need not remember extensive domain names or lengthy IP addresses to access resources. Additionally, IP addresses change over time, and dynamic updates keep DNS records pointing at the current address of the requested service or website (Cope, 2017). DNS works on a global scale and relies on other DNS servers to resolve requests that one server cannot complete on its own. Within the domain, AD DS depends on DNS to advertise and locate domain controllers through SRV records, so the New York zones will be AD-integrated and will accept secure dynamic updates only, which stops an unauthenticated host from overwriting another machine’s record.

DHCP is another critical component of network communications that will help WWTC continue to be successful. DHCP automatically delivers IP addresses and related configuration to hosts on the network, including the DNS servers and DNS suffix they should use. This is a comprehensive management tool that lets administrators configure many hosts simultaneously and automatically as they connect to the network (Froehlich, 2016). DHCP scopes define the pool of addresses available on each subnet. A scope is tied to a subnet rather than to a group in the AD structure, so keeping a department on its own subnet means placing its hosts on their own VLAN with a matching scope; this ensures that each department has a set number of addresses available and stays on the same subnet. Because a domain-joined DHCP server will not lease addresses until it has been authorized in AD DS, only servers the administrators have authorized can serve the network. It is important to maintain redundancy for core services such as DNS and DHCP. With DHCP failover, if one DHCP server fails or needs maintenance, the partner server continues to issue leases and overall productivity is unaffected.
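The following PowerShell is an added example and not part of the original paper. It configures the core DNS and DHCP pieces described above for the New York domain: secure-only dynamic updates on the AD-integrated zone, authorization of the DHCP server in AD DS, one scope per department subnet with the DNS options, and DHCP failover to a second server. The domain name ny.wwtc.local, the server names, addresses and subnets are assumptions for illustration.

```powershell
# Added example (not from the original paper). Assumes the DNS Server and
# DHCP Server roles are installed and the session runs as a domain admin.
# Names and addresses (ny.wwtc.local, ny-dc01, ny-dhcp01/02, 10.10.x.x)
# are placeholders.
Import-Module DnsServer
Import-Module DhcpServer

$Dns1 = 'ny-dc01.ny.wwtc.local'

# Only authenticated domain members may update their own records. "Secure"
# rejects anonymous dynamic updates that could hijack another host's name.
Set-DnsServerPrimaryZone -Name 'ny.wwtc.local' -ComputerName $Dns1 -DynamicUpdate Secure

# A domain-joined DHCP server will not hand out leases until it is authorized
# in AD DS. This is also what stops a rogue DHCP service on a domain member.
Add-DhcpServerInDC -DnsName 'ny-dhcp01.ny.wwtc.local' -IPAddress 10.10.0.10

# One scope per department subnet: the VLAN, not the AD group, keeps a
# department on its own subnet.
$scopes = @(
    @{ Name = 'NY-Brokerage'; Net = '10.10.20.0'; Start = '10.10.20.50'; End = '10.10.20.250'; Gw = '10.10.20.1' },
    @{ Name = 'NY-HR';        Net = '10.10.30.0'; Start = '10.10.30.50'; End = '10.10.30.250'; Gw = '10.10.30.1' }
)
foreach ($s in $scopes) {
    Add-DhcpServerv4Scope -ComputerName 'ny-dhcp01' -Name $s.Name `
        -StartRange $s.Start -EndRange $s.End -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Days 1) -State Active
    # Options handed to clients: default gateway, DNS servers, DNS suffix.
    Set-DhcpServerv4OptionValue -ComputerName 'ny-dhcp01' -ScopeId $s.Net `
        -Router $s.Gw -DnsServer 10.10.0.11, 10.10.0.12 -DnsDomain 'ny.wwtc.local'
}

# Redundancy: load-balanced failover with a second server, so one server can
# fail or be taken down for maintenance without clients losing address
# assignment. The shared secret authenticates the two partners to each other.
$secret = Read-Host -Prompt 'DHCP failover shared secret'
Add-DhcpServerv4Failover -ComputerName 'ny-dhcp01' -Name 'NY-DHCP-Failover' `
    -PartnerServer 'ny-dhcp02.ny.wwtc.local' -ScopeId ($scopes.Net) `
    -LoadBalancePercent 50 -MaxClientLeadTime (New-TimeSpan -Hours 1) `
    -SharedSecret $secret -AutoStateTransition $true

# Checks: the server is authorized, the zone refuses insecure updates, and
# every department scope is part of the failover relationship.
Get-DhcpServerInDC
(Get-DnsServerZone -Name 'ny.wwtc.local' -ComputerName $Dns1).DynamicUpdate   # expect: Secure
Get-DhcpServerv4Failover -ComputerName 'ny-dhcp01' | Select-Object Name, Mode, State, ScopeId
```

The scope-per-subnet layout is the reason the department VLANs have to exist before the scopes do; DHCP cannot place a host on a subnet by AD group membership, it can only answer requests that arrive (directly or via a relay) from that subnet.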

Windows Server 2016 will be used at the New York branch, which allows many current features to be implemented at the new site. BitLocker will be used to encrypt the drives of both user workstations and servers. BitLocker encrypts the volume and protects its contents from offline and physical attacks; a stolen drive is unreadable without the key. With a TPM, it also validates the early boot components, so that an altered boot order or a modified boot loader used to get at the drive prevents the volume from unlocking automatically and forces recovery instead (Paul, 2016). Overall, BitLocker meets the business requirement of better security by keeping the data on each device safe from offline, physical attacks.

When a BitLocker-enabled device boots on the WWTC network, the user should not be required to enter a PIN to unlock the drive. A newer BitLocker feature, Network Unlock, lets a TPM+PIN protected operating system volume be unlocked during the boot sequence while the machine is physically connected to the corporate wired network (Sosnowski, 2016). It requires UEFI firmware with a DHCP driver and a Windows Deployment Services server hosting the Network Unlock feature and its certificate. This means that WWTC employees would not have to enter their PINs to unlock the drive when booting on the New York wired network, while the disks remain encrypted at rest, and it reduces the number of helpdesk calls from employees who have forgotten a PIN. Users would only need to enter the PIN when they boot away from the WWTC wired network. Recovery passwords for every volume will be escrowed in AD DS through Group Policy, so that the local IT staff can recover a device whose TPM measurements have changed. This saves time and increases efficiency while maintaining security. BitLocker can encrypt either the entire disk or only the space currently in use. Encrypting used space only is faster, but any data previously deleted from the free space remains on the disk unencrypted. Full-disk encryption covers everything, including unused space, and will be used for all New York BitLocker-enabled devices.
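The following PowerShell is an added example, not code from the original paper. It enables BitLocker on a workstation's operating system volume the way the two paragraphs above describe: full-disk encryption, a TPM+PIN protector (the protector type Network Unlock builds on), a recovery password escrowed to AD DS, and a check that the recovery information actually reached the computer object. It assumes the host is domain-joined, that the Group Policy setting that stores BitLocker recovery information in AD DS is enabled, and that the caller can read the msFVE-RecoveryPassword attribute; the volume letter and computer name are whatever the host has.

```powershell
# Added example (not from the original paper). Run elevated on the
# domain-joined workstation. Assumes the "Store BitLocker recovery
# information in Active Directory Domain Services" policy is enabled.
Import-Module BitLocker

$Volume = 'C:'

# Preconditions: a present, ready TPM and a volume that is not yet encrypted.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready; TPM+PIN protector cannot be used'
}
if ((Get-BitLockerVolume -MountPoint $Volume).VolumeStatus -ne 'FullyDecrypted') {
    throw "$Volume is not in the FullyDecrypted state"
}

# 1. Recovery password first, so there is always a way back in if the TPM
#    measurements change (firmware update, boot order tampering).
Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector | Out-Null

# 2. Escrow that recovery password to AD DS. It is written as an
#    msFVE-RecoveryInformation object under the computer account.
$rp = (Get-BitLockerVolume -MountPoint $Volume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $Volume -KeyProtectorId $rp.KeyProtectorId | Out-Null

# 3. Encrypt the whole disk (no -UsedSpaceOnly, so free space is covered too)
#    with XTS-AES-256 and a TPM+PIN protector. The PIN comes from the user.
$pin = Read-Host -Prompt 'BitLocker PIN' -AsSecureString
Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -SkipHardwareTest | Out-Null

# 4. Verify locally: status, cipher, and which protector types are present.
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }

# 5. Verify in the directory: the escrowed recovery password must exist under
#    this computer's object. Needs the ActiveDirectory module (RSAT) and read
#    access to msFVE-RecoveryPassword, which Domain Admins have by default.
Import-Module ActiveDirectory
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computerDn -Properties 'msFVE-RecoveryPassword'
if (-not $escrowed) {
    Write-Warning 'Recovery password NOT found in AD DS; check the backup GPO before trusting this device'
} else {
    Write-Host "Escrowed recovery password(s) in AD DS for $env:COMPUTERNAME: $(@($escrowed).Count)"
}
```

Order matters here: adding and backing up the recovery password before calling Enable-BitLocker means the machine never reaches an encrypted state without an escrowed recovery path. Network Unlock itself is turned on by Group Policy and the WDS-side certificate rather than by a per-machine cmdlet; the TPM+PIN protector created above is what it requires on the client.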

Because this new site is simply a new domain within the WWTC forest, data will be shared between sites across the globe. These sites are connected by secure WAN links and allow users to access data that is physically stored at a different site. BranchCache is a Windows feature that locally stores data that has already been retrieved over the WAN link from the site where it physically resides. When enabled, local clients check the local cache first to determine whether the data they are looking for is already cached at the branch. If it is, the user has immediate access; if not, the data is retrieved from the other location and cached for the next request. This saves WAN bandwidth and reduces traffic by letting local users retrieve cached data from a local server. BranchCache encrypts its cache by default on current Windows versions, and that cache encryption will be left enabled. This continues to mirror the requirement for additional security that WWTC needs to fully protect itself, its customers, and its employees.

To comply with the business requirement of consistent availability, failover clustering will also be implemented. A failover cluster is simply a group of servers that work together to increase availability and scalability; they provide fault tolerance if one node fails (Rouse, 2012). Failover Clustering is a built-in feature of Windows Server 2016, which meets the design requirement. The New York branch will also house data of many classification levels. Without File Classification Infrastructure (FCI), a feature of File Server Resource Manager, the files would carry no classification and could present a security risk. FCI classifies files based on defined rules and then performs management tasks based on that classification, such as restricting access to or encrypting files at a given level. Different classification levels can be implemented depending on the value WWTC places on the information.

The IP Address Management (IPAM) feature gives administrators complete visibility into the IP address infrastructure from one console. It can be used to monitor the address space for the New York office and to make changes as needed, such as increasing or decreasing DHCP lease times or resizing a subnet if more or fewer addresses are required. This increases scalability and manageability on the network without increasing the workload of the local administrators.

As an added security and management control, users should not be able to install or update the applications they use on their computers. Allowing this creates the risk of downloading potentially harmful executable files from the Internet, and a compatibility problem if some users have installed updates while others have not. To mitigate this, centralized update services such as Windows Server Update Services (WSUS) will be implemented, so that patches are approved centrally and workstations receive them from the local server. In addition, to centralize the deployment of new operating systems, Windows Deployment Services (WDS) will be implemented. WDS allows an administrator to install an operating system on a machine over the network, saving the time of physically visiting each one. This network-based installation reduces complexity and can deliver operating systems with preconfigured settings and applications already installed (Vigo, 2016).

Active Directory Structure

As previously discussed, WWTC’s AD structure will mirror its organizational structure. This makes it easy to manage users and devices by department and to assign policies and permissions to specific groups of users. For instance, employees in the VP NE department may have different permissions to information on the network than those in the VP MID department. By structuring AD this way, departments are segregated from one another and only have access to the data and files pertinent to their daily operations. It also makes it easier for administrators to troubleshoot issues affecting a specific group instead of the entire domain.

Organizational Units

Each department in the WWTC New York office will be assigned its own OU, as seen in Figure 1. Within the department’s OU will be child OUs for the specific roles and devices in that department. For instance, brokers and staff report to the managers in each department, but will be placed in their own child OUs under the department OU. This further subdivides the domain so that each group can be given the settings that pertain to its specific role within the organization (Rouse, 2012).

OUs make user administration and segregation easier. From here, the GPOs linked to each OU, and the permissions granted to the groups it holds, can be tailored to that group. Certain groups may have more restrictive settings than others, and some may require additional security measures if PII is handled regularly, as in HR. Additionally, the IT department and administrators will be placed under the CEO IT OU for continuity purposes. Overall, this OU structure increases organization and instills a hierarchical design with central administration.

Figure 1. WWTC New York Office Active Directory OU Structure

Groups

Groups are a further breakdown of users and devices within the AD structure. Groups are designed to assign permission levels and make it easier to manage users and devices with similar roles within the organization. The scope of a group can be domain local, global, or universal. A domain local group can be granted permissions only on resources in its own domain, but it can contain accounts and groups from any domain in the forest. This means that a domain local group in the New York domain only has an effect on New York resources, which suits permissions that are specific to one location. Accounts for contractors or interns who will only work in the New York domain can be placed in domain local groups there; since those groups cannot be granted access to resources in other domains, such a temporary user cannot walk into another branch office and use that membership to reach the other office’s resources.

Global groups can contain only accounts from their own domain, but they can be granted permissions on resources in any domain of the forest. Global groups are aimed at everyday employees and the roles they hold, so a user’s department group carries the same meaning at any WWTC location whose resources grant it access. For WWTC, every user and device in the various OUs will be assigned to the global group that matches its department and role. Universal groups can contain members from any domain in the forest, and their membership is replicated to every global catalog server, so they should be used selectively (Dubey, 2011). The recommended pattern (AGDLP) is to put accounts into global groups, nest the global groups in domain local groups, and grant the domain local groups the permissions on each resource. Forest-wide groups such as Enterprise Admins should be reserved for the enterprise administrators who must work across every domain.
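The following PowerShell is an added example that is not part of the original paper. It builds one department's OU subtree as described in the Organizational Units section, creates the role-based global groups and the resource domain local groups from this section, nests them (AGDLP), and grants the NTFS permission on the HR share to the domain local group only, then checks that a broker has no path into that ACL. The domain ny.wwtc.local, the OU and group names, the share path and the user jbroker are assumptions for illustration.

```powershell
# Added example (not from the original paper). Assumes the ActiveDirectory
# module (RSAT) and a session with rights to create OUs and groups; names
# below (ny.wwtc.local, GG-*/DL-* groups, D:\Shares\HR, jbroker) are placeholders.
Import-Module ActiveDirectory

$DomainDn = 'DC=ny,DC=wwtc,DC=local'
$DeptOu   = "OU=Human Resources,$DomainDn"

# Department OU with child OUs for roles, computers and the department's groups.
New-ADOrganizationalUnit -Name 'Human Resources' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
foreach ($child in 'Managers', 'Staff', 'Workstations', 'Groups') {
    New-ADOrganizationalUnit -Name $child -Path $DeptOu -ProtectedFromAccidentalDeletion $true
}
$GroupOu = "OU=Groups,$DeptOu"

# A -> G: global groups collect accounts by role.
New-ADGroup -Name 'GG-HR-Managers' -GroupScope Global -GroupCategory Security -Path $GroupOu
New-ADGroup -Name 'GG-HR-Staff'    -GroupScope Global -GroupCategory Security -Path $GroupOu

# G -> DL: domain local groups collect one permission level on one resource.
New-ADGroup -Name 'DL-HRShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
New-ADGroup -Name 'DL-HRShare-Read'   -GroupScope DomainLocal -GroupCategory Security -Path $GroupOu
Add-ADGroupMember -Identity 'DL-HRShare-Modify' -Members 'GG-HR-Managers'
Add-ADGroupMember -Identity 'DL-HRShare-Read'   -Members 'GG-HR-Staff'

# DL -> P: the permission itself goes only on the domain local groups.
# Inheritance from the parent folder is cut so that a broad "Users: Read"
# entry higher up cannot leak HR files to brokers.
$SharePath = 'D:\Shares\HR'
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$rules = @(
    @{ Id = 'NY\DL-HRShare-Modify'; Rights = 'Modify' },
    @{ Id = 'NY\DL-HRShare-Read';   Rights = 'ReadAndExecute' },
    @{ Id = 'NY\Domain Admins';     Rights = 'FullControl' }
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id, $r.Rights, $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $SharePath -AclObject $acl

# Check: no group a broker belongs to may appear in the HR share's ACL.
# Get-ADPrincipalGroupMembership lists direct memberships; the DL groups
# above are reachable only through GG-HR-*, which no broker is in.
$brokerGroups = (Get-ADPrincipalGroupMembership -Identity 'jbroker').Name
$hrAclGroups  = (Get-Acl -Path $SharePath).Access.IdentityReference.Value -replace '^NY\\', ''
$leak = $brokerGroups | Where-Object { $_ -in $hrAclGroups }
if ($leak) { Write-Warning "Broker has a path into the HR share via: $($leak -join ', ')" }
else       { Write-Host 'OK: no broker group appears in the HR share ACL' }
```

The point of keeping permissions on the domain local group rather than on GG-HR-Staff directly is that, when the New York domain later needs to admit an HR user from another WWTC domain, that user's global group can be nested into DL-HRShare-Read without touching the file system ACL at all.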

Group Policy Objects

A GPO is a collection of configuration and security settings that define how users and computers behave on the network. GPOs are used to enforce the policies set forth in the organizational security policy from the previous document and should directly mirror those policies. A GPO can be linked to a site, a domain, or an OU (not to an individual user or computer object); settings are inherited down the OU tree, and the GPO linked closest to the object applies last. More generic settings belong at the domain level, while more specific GPOs are linked to the OUs that hold particular groups of users and computers. Applying GPOs enables centralized configuration control for administrators and makes it easier to implement rules across the network (Melber, 2015). Once a GPO is created with the desired settings, security filtering can restrict it so that only members of selected global groups apply it. A very common and important example is password length. Password and account lockout settings for domain accounts are read only from the domain-linked GPO (the Default Domain Policy), so a minimum password length of ten characters set there applies to every user in the domain; where a group such as HR needs a stricter rule, a fine-grained password policy is applied to that group. Other policies that will be applied are password age, account lockout, disabling the guest and built-in administrator accounts, User Account Control, and various privilege settings. The policies at the domain level will be generic but all-encompassing where security is concerned. The policies set for specific OUs and departments will be more finely tuned and tailored to those groups and will provide additional security at a granular level.
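The following PowerShell is an added example and not code from the original paper. It carries the paragraph above through end to end: the domain-wide password and lockout policy, a stricter fine-grained policy for the HR groups, and a workstation baseline GPO with UAC and centralized update settings that is linked to a department OU and then narrowed with security filtering. The domain ny.wwtc.local, the OU and group names, the WSUS server URL and the test user hr.user1 are assumptions for illustration.

```powershell
# Added example (not from the original paper). Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and Domain Admin rights. Domain, OU, group and
# server names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain = 'ny.wwtc.local'

# Domain-level password and lockout policy. These settings live in the
# Default Domain Policy; a GPO linked to an OU cannot override them for
# domain accounts.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 10 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Stricter rules for the groups that handle PII, as a fine-grained password
# policy. PSOs are applied to users and global groups, never to OUs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-HR' -Precedence 10 `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 3 -LockoutDuration (New-TimeSpan -Hours 1) `
    -LockoutObservationWindow (New-TimeSpan -Hours 1) `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-HR' -Subjects 'GG-HR-Staff', 'GG-HR-Managers'

# Workstation baseline GPO: UAC on with prompts on the secure desktop, and
# updates taken only from the central WSUS server rather than by the user.
$GpoName = 'NY-Workstation-Baseline'
New-GPO -Name $GpoName -Comment 'Baseline security settings for NY workstations' | Out-Null
$sys = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $GpoName -Key $sys -ValueName 'EnableLUA'             -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $sys -ValueName 'PromptOnSecureDesktop' -Type DWord -Value 1 | Out-Null
$wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUServer' `
    -Type String -Value 'http://ny-wsus01.ny.wwtc.local:8530' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $wu -ValueName 'WUStatusServer' `
    -Type String -Value 'http://ny-wsus01.ny.wwtc.local:8530' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$wu\AU" -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU holding the department's computers.
New-GPLink -Name $GpoName -Target "OU=Workstations,OU=Human Resources,DC=ny,DC=wwtc,DC=local" `
    -LinkEnabled Yes | Out-Null

# Security filtering: only members of GG-HR-Workstations (the department's
# computer accounts) apply the GPO. Authenticated Users keeps Read, which is
# required since MS16-072 for policy to be retrieved at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'GG-HR-Workstations' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Checks: effective domain policy, the PSO actually winning for an HR user,
# and the GPO's trustee list.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain | Select-Object MinPasswordLength, LockoutThreshold
Get-ADUserResultantPasswordPolicy -Identity 'hr.user1' | Select-Object Name, MinPasswordLength   # expect PSO-HR, 14
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```

Get-ADUserResultantPasswordPolicy is the check worth keeping: it reports which policy the directory will actually enforce for that account after precedence is resolved, which is what the OU-level intent in the paragraph above depends on.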

Conclusion

Active Directory plays a huge role in managing network resources, users, and devices. By mirroring the organizational layout within AD, changes made for one department affect only that OU. This assists troubleshooting by localizing issues to the specific OUs or groups experiencing problems. The features implemented alongside AD streamline productivity while reducing the overhead cost of administration. AD also adds a layer of security management by assigning permissions to users with the principle of least privilege in mind, ensuring that users only have access to the information required for their daily tasks and reducing the attack surface of WWTC resources. Overall, this implementation allows centralized management for the few IT personnel physically at the New York office, which increases overall efficiency and lowers costs.

References

Cope, S. (2017). Understanding DNS: Beginners guide to DNS. Steves-internet-guide.com. Retrieved 23 July 2017, from http://www.steves-internet-guide.com/dns-guide-beginners/

Dubey, S. (2011). AD group types: Universal groups, global groups, domain local groups. Retrieved 23 July 2017, from https://sandeshdubey.wordpress.com/2011/10/23/ad-group-types-universal-groups-global-groups-domain-local-groups/

Froehlich, A. (2016). Understanding DHCP fundamentals. Network Computing. Retrieved 23 July 2017, from http://www.networkcomputing.com/unified-communications/understanding-dhcp-fundamentals/1073432460

Melber, D. (2015). Windows administration: 10 easy ways to lock down your computer. Technet.microsoft.com. Retrieved 23 July 2017, from https://technet.microsoft.com/en-us/library/2015.05.lockdown.aspx

Paul, I. (2016). A beginner's guide to BitLocker, Windows' built-in encryption tool. PCWorld. Retrieved 23 July 2017, from http://www.pcworld.com/article/2308725/encryption/a-beginners-guide-to-bitlocker-windows-built-in-encryption-tool.html

Rouse, M. (2012). What is failover cluster? Definition from WhatIs.com. SearchWindowsServer. Retrieved 23 July 2017, from http://searchwindowsserver.techtarget.com/definition/failover-cluster

Rouse, M. (2012). What is organizational unit (OU)? SearchWindowsServer. Retrieved 23 July 2017, from http://searchwindowsserver.techtarget.com/definition/organizational-unit-OU

Sosnowski, R. (2016). BitLocker: Network Unlock. Dubai Security Blog. Retrieved 23 July 2017, from https://blogs.technet.microsoft.com/dubaisec/2016/04/14/bitlocker-network-unlock/

Vigo, J. (2016). How to get started with Windows Deployment Services. TechRepublic. Retrieved 23 July 2017, from http://www.techrepublic.com/article/how-to-get-started-with-windows-deployment-services/